HIPAA is a federal law in the US that includes vital information for the healthcare industry on patient data security and privacy. This article will present a comprehensive HIPAA checklist for administrative, technical, and physical safeguards and organization and policy requirements.
In the previous blog in our data protection laws collection, we covered California’s take on data privacy laws, explaining why it is crucial to comply with them if you’re an enterprise that does business in the U.S.
Now, it is time to get specific. Today we’ll focus on the health and healthcare industry, which, according to IBM’s study with the Ponemon Institute, has the highest cost per breached data record of any industry.
HIPAA ensures patient data security
The Health Insurance Portability and Accountability Act (HIPAA) is the legislation that governs the protection of healthcare information. This federal law was created in 1996 and provides guidelines on how healthcare providers, clearinghouses, and insurers must handle patient data securely. Under HIPAA, protected health information (PHI) must be protected whether it is stored or transmitted, and regardless of whether it was provided in written form, electronically, or verbally. Tough, right?
Moreover, the US healthcare industry has been pushing high security standards for electronic healthcare transactions, code sets, and unique health identifiers, among other things. And yet, data breaches in healthcare continue to increase every year and cost trillions of dollars.
According to Healthcare IT News, the average overall cost of a healthcare security breach rose from $9.2 million in 2021 to $10.1 million in 2022, a 9.4% increase.
What happens if you don’t comply with HIPAA?
Most of the time, the complexity of the law confuses organizations and leads to weak implementations. Because of that, it’s crucial to lay down HIPAA’s main requirements as clearly as possible, especially considering that the law includes financial and criminal penalties for those who violate it or fail to comply.
Certainly, when it comes to penalties, HIPAA is serious business. Fines range from $100 to $50,000 per violation (up to $1.5M a year per violation category), and those responsible can face up to 10 years of imprisonment, depending on the case.
HIPAA’s core rule is the Privacy Rule. This part of the legislation specifies that all identifiable health information is to be protected. This includes:
- All of a patient’s health record history, physical or mental.
- All health care or financial health care information related to the patient.
- All personal details that could help identify the patient, like their name or address.
However, there is no restriction on the use of de-identified or anonymized data. If a piece of information cannot be traced back to a patient, it is not covered by HIPAA. See this summary to better understand the rules behind data disclosure and the specific cases that allow or restrict it.
Patient rights given by the Privacy Rule
The Privacy Rule gives people rights over their personal health information and limits who can access and review that information. It gives patients the following rights:
- Request Medical Records — Individuals may ask for copies of their records in the format of their choice (electronic or paper) so that they can examine the content.
- Correct Medical Records — Should any errors be detected in their medical information, individuals have the right to request corrections, then confirm that those changes have been made.
- Use and Disclosure of Medical Information — An individual’s medical information must be disclosed when needed for patient care. This means that the PHI follows the individual wherever they seek care and is not the proprietary property of any organization that might have initially generated that data.
- Receive Notifications — Individuals are notified of, and can decide whether to allow, uses and sharing of their data for purposes such as a marketing campaign, and can obtain a report of when it has been shared.
- File a Complaint — Individuals are entitled to complain to their provider or insurer if they believe their data is not being protected. They also may file a complaint with HHS.
If you want to better instruct patients on handling these rights, use this HIPAA infographic that describes an individual’s rights to their PHI.
Security requirements for Health entities
Let’s move to the second portion of the legislation: the Security Rule. This rule details the administrative, technical, and physical security requirements your entity must meet when protecting e-PHI (electronic protected health information).
The United States Department of Health and Human Services' quick obligations summary gives a snappy look into an entity’s obligations:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
Contextual risk analysis
Unfortunately, the number of requirements specified by HIPAA does not fit in a quick summary. Do not fret! One of HIPAA’s strengths is that it is contextual and flexible.
HIPAA adapts to each entity’s context. That’s why it requires an implemented and continuous risk analysis process. This helps your entity determine the likelihood of potential risks to e-PHI and select proper countermeasures according to the HHS’s suggestions. There are required safeguards (mandatory) and addressable ones (subject to an entity’s context).
This means the HHS takes your entity’s size, resources, and capabilities into consideration. Still, it is the entity’s responsibility to document its risk analysis process, noting the identified risks and the reasons behind the chosen implementations.
HIPAA checklist for administrative safeguard requirements
These include internal procedures involving the management of administrative and human resources in support of PHI’s security. We’ve prepared a checklist below to give a better look at all Required and Addressable security standards.
Use this table to evaluate those requirements not met by your entity, and utilize HHS’s detailed breakdown of each one of these as a guideline for implementing the right solution to the required standard.
Standards
Implementations: (R) = Required, (A) = Addressable
Security Management Process
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
Workforce Security
• Assigned Security Responsibility (R)
• Authorization/Supervision (A)
• Workforce Clearance Procedures (A)
• Termination Procedures (A)
Information Access Management
• Isolating Health Care Clearinghouse functions (R)
• Access Authorization (A)
• Access Security (A)
Awareness and Training
• Security Reminders (A)
• Protection From Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)
Security Incident Procedures
• Response and Reporting (R)
Contingency Plan
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedures (A)
• Applications and Data Criticality Analysis (A)
Evaluation
• Constant Security Reassessments (R)
Business Associate Contracts and Other Arrangements
• Contract or Arrangements (R)
HIPAA checklist for physical safeguard requirements
These requirements cover measures taken to secure physical access to e-PHI against environmental hazards, unwanted intrusions, and other threats. They apply to the office and, if the information is accessible there, extend to the workforce's homes or any other location where e-PHI can be reached.
Once again, the table displays physical security standards and their Required or Addressable implementations. To understand these implementations and how to execute them for HIPAA, read the HHS's summary on Physical Safeguards.
Standards
Implementations: (R) = Required, (A) = Addressable
Facility Access Controls
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control and Validation Procedures (A)
• Maintenance Records (A)
Workstation Use
• Workstation Usage Policies and Procedures (R)
Workstation Security
• Workstation Access Security Measures (R)
Device and Media Control
• Disposal (R)
• Media Re-use (R)
• Accountability (A)
• Data Backup and Storage (A)
HIPAA checklist for technical safeguard requirements
The following suggested implementations cover the technical security measures that must be taken to protect e-PHI and control its access points.
Use the following HIPAA Checklist to verify the measures your entity has already taken. If necessary, visit the HHS's summary on technical safeguards for further detail about each implementation mentioned.
Standards
Implementations: (R) = Required, (A) = Addressable
Access Control
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Automatic Logoff (A)
• Encryption and Decryption (A)
Audit Controls
• Implement software, hardware, or procedural mechanisms that record and examine activity in information systems containing e-PHI (R)
Integrity
• Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication
• System to verify the identity of the user who requests access (R)
Transmission Security
• Integrity Controls (A)
• Encryption (A)
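To make the Access Control, Audit Controls and Integrity standards in the table above concrete, here is an added Python example; it is not code from this article or from HHS, and the HMAC key, the 15-minute idle timeout, the user name and the record contents are constructed placeholders. The HMAC tag is one illustrative way to "authenticate" stored e-PHI and detect out-of-band modification, not a method HIPAA prescribes; the audit trail ties each access to a unique user ID and outcome, and the session check demonstrates automatic logoff.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. A real deployment would load it from a key manager,
# never embed it in source.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"

# Hypothetical policy value: log a user off after 15 minutes idle.
IDLE_TIMEOUT_SECONDS = 15 * 60


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Integrity standard: HMAC-SHA256 tag over the stored e-PHI record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record still matches its tag (constant-time comparison)."""
    return hmac.compare_digest(tag_record(record, key), tag)


@dataclass
class AuditLog:
    """Audit Controls: append-only trail of who touched which record, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, ts: float, user_id: str, action: str, record_id: str, outcome: str) -> dict:
        entry = {"ts": ts, "user": user_id, "action": action, "record": record_id, "outcome": outcome}
        self.entries.append(entry)
        return entry

    def denied(self) -> list:
        """Information System Activity Review: every non-successful access, for follow-up."""
        return [e for e in self.entries if e["outcome"] != "success"]


@dataclass
class Session:
    """Unique User Identification plus Automatic Logoff: one named user, expires when idle."""
    user_id: str
    last_activity: float

    def is_active(self, now: float) -> bool:
        return (now - self.last_activity) < IDLE_TIMEOUT_SECONDS


def read_phi(session: Session, store: dict, record_id: str, audit: AuditLog, now: float):
    """Read one e-PHI record, enforcing session expiry and integrity, auditing every outcome."""
    if not session.is_active(now):
        audit.record(now, session.user_id, "read", record_id, "denied: session expired")
        return None
    session.last_activity = now  # activity resets the idle clock
    record, tag = store[record_id]
    if not verify_record(record, tag):
        audit.record(now, session.user_id, "read", record_id, "denied: integrity check failed")
        return None
    audit.record(now, session.user_id, "read", record_id, "success")
    return record


def demo() -> dict:
    """Constructed scenario: a clean read, a tampered record, then a stale session."""
    rec = {"patient_id": "P-0001", "dx": "constructed sample", "updated": "2024-01-01"}
    store = {"P-0001": (rec, tag_record(rec))}
    audit = AuditLog()
    sess = Session(user_id="nurse.alice", last_activity=1000.0)

    clean = read_phi(sess, store, "P-0001", audit, now=1010.0)

    # Simulate a modification that bypassed the application (e.g. a direct DB edit).
    tampered = dict(rec, dx="altered")
    store["P-0001"] = (tampered, store["P-0001"][1])
    after_tamper = read_phi(sess, store, "P-0001", audit, now=1020.0)

    # The same user returns after the idle timeout has elapsed.
    stale = read_phi(sess, store, "P-0001", audit, now=1020.0 + IDLE_TIMEOUT_SECONDS + 1)

    return {"clean": clean, "after_tamper": after_tamper, "stale": stale, "denied": audit.denied()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows the first read succeeding, the tampered record being refused with an integrity failure in the audit trail, and the later read being refused because the session expired; the `denied()` view is the kind of output an Information System Activity Review would examine.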
HIPAA checklist for organizational and policy requirements
There is a group of requirements associated with the documentation and contractual obligations behind HIPAA compliance that must also be addressed.
These are covered in the following summary, which details how your entity must relate to other entities that handle PHI and how compliance choices must be documented.
Standards
Implementations: (R) = Required, (A) = Addressable
Business associate contracts or other arrangements
• Business Associate Contracts (R)
• Other Arrangements (R)
Requirements for Group Health Plans
• Implementation Specifications (R)
Policies and Procedures
• Written Security Policies and Procedures (R)
Documentation
• Time Limit (R)
• Availability (R)
• Updates (R)
Takeaways
First of all, HIPAA, unlike the European General Data Protection Regulation (which we also covered in our data laws series), is tailored to the healthcare industry of the United States.
Furthermore, due to the sensitivity of the data it protects, it is one of the strongest pieces of industry data protection and privacy legislation in the US, and also one of the most difficult to comply with!
We advise you to review your case with formal legal advice, management, AND experienced IT associates to help audit the entity’s current state and implement proper policies that meet HIPAA’s requirements.