The Health Insurance Portability and Accountability Act (or simply HIPAA) enacted August 21st, 1996, outlines a series of guidelines to be followed by any company handling Protected Health Information (or PHI). Here is a comprehensive checklist of HIPAA compliance measures. Of course your unique situation may be different and any uncertainties should be addressed by a professional.
- Risk Analysis: It is the duty of the administrative personnel to perform and document a risk analysis to see where PHI is being used and stored and to determine what all possible ways HIPAA could be violated.
- Risk Management: Implement measures sufficient to reduce these risks to an appropriate level.
- Sanction Policy: Employees who fail to comply should have sanction policies implemented.
- Information Systems Activity Reviews: Review system activity, audit trails, and logs thoroughly and regularly.
- Employee Oversight: Procedures to authorize and supervise employees who handle PHI should be implemented.
- Multiple Organizations: Be sure that PHI is not being accessed by parent or partner organizations without strict authorization to do so.
- ePHI Access: Put in place procedures for granting access to ePHI and which documents to access, along with which systems or services to grant them to.
- Security Reminders: Send reminders and updates regarding security and privacy protocol to employees on a regular basis.
- Protection Against Malware: Have a system in place for detecting, protection against, and reporting any malicious software.
- Login Monitoring: Put in place a system of monitoring login attempts on any systems containing PHI.
- Password Management: Ensure there are procedures in place for the creation of, changing, and protection of sensitive passwords.
- Response and Reporting: Security incidents should be identified, documented, and responded to immediately.\
- Contingency Plans: It should be ensured that there are accessible backups and restores of all ePHI and that procedures exist for restoring lost data.
- Contingency Plans Updates and Analysis: Procedures should exist for the periodic testing and revision of contingency plans.
- Emergency Mode: Be sure to establish procedures to enable to continuation of business processes involving the protection of secured ePHI.
- Evaluations: Periodic evaluations should be performed to check for any changes in your business or the law governing PHI.
- Business Associate Agreements: Have contracts with business partners who will have access to PHI saying they will also be compliant with the information.
- Contingency Operations: Procedures allowing facility access to support the restoration of lost data due to disasters should be implemented.
- Facility Security: Policies and procedures should be in place to safeguard the facility and equipment from theft, tampering, and unauthorized accessing.
- Access Control and Validation: Procedures for the control and validation of a person’s access based on their role or function in the company should be implemented.
- Maintenance Records: Policies and procedures documenting any repairs or modifications to the physical aspects of a facility containing PHI should be in place.
- Workstations: Policies governing what software can/must be run and how it is configured on systems which provide access to ePHI should be implemented. All work areas should be protected against unauthorized access of these software programs.
- Devices and Media Disposal and Re-Use: Procedures securing the final disposal of media containing ePHI and reuse of devices or media which could have held ePHI should be implemented.
- Media Movement: All movements of hardware and media associated with ePHI storage should be thoroughly documented.
- Unique User Identification: A unique name and number for identifying purposes should be assigned to track user identity and use.
- Automatic Logoff: A procedure which terminates a session after a predetermined amount of time has passed should be implemented.
- Encryption and Decryption: A mechanism to encrypt/decrypt electronically protected information should be implemented.
- Audit Controls: Hardware, software, and procedural mechanisms which record activity should be implemented on any machine containing secure data.
- ePHI Integrity: Procedures and policies for protecting ePHI from improper altering or destruction should be implemented.
- Authentication: Procedures to verify the identity of a person seeking to access ePHI should be implemented.
- Transmission Security: Technical security measures which guard against unauthorized access to ePHI while being transmitted over a network should be implemented.
Your business's situation may be different, and when it comes to HIPAA compliance it is best to check with a professional. For additional assistance regarding these compliance measures, feel free to contact us.