This is a user generated content for MyStory, a YourStory initiative to enable its community to contribute and have their voices heard. The views and writings here reflect that of the author and not of YourStory.

HIPAA technical safeguards risk assessment checklist for 2018

Healthcare facilities and personnel collect a vast amount of confidential information patients. Ensuring this data is secure and protected is paramount to your company for avoiding fines and penalties that can stymie growth.  

HIPAA technical safeguards risk assessment checklist  for 2018

Thursday June 28, 2018,

6 min Read


In the HIPAA Security Rule, the Technical Safeguards focus on storing the electronic Protected Health Information (ePHI). The Security Rule provides all the Technical Safeguards’’ security requirements. Therefore, all covered entities, business associates, and healthcare provides ought to prove their regulatory compliance by undergoing audits. It’ll assure their clients of their security posture.

The Risk Assessment Checklist

HIPAA is meant to protect information as people move from one job to another. It was enacted in 1996. The privacy rule was passed in 2003 by the US Department of Health and Human Services. They defined PHI as information held by entities with concerns about one’s health status, and their payment or provision of healthcare. HIPAA became focused on the ePHI in 2005. It brought about three types of compliance safeguards. Which includes:

• Physical safeguards – Controls access to data storage areas

• Technical safeguards – Incorporates the communication channels through which PHI is transmitted

• Administrative safeguards – The policies and procedure that show compliance

Healthcare providers include a doctor of osteopathy or medicine who is authorized to practice medicine or surgery.

On the other hand, covered entities include healthcare clearinghouses, health plans and healthcare providers who transmit any healthcare information electronically.

For the business associates, they’re either persons or businesses who use or disclose protected health information while providing a service to or on behalf of a covered entity.

How to Get Compliant

You have to go through risk assessment first. It’ll highlight the locations of the greatest vulnerability. Thus being able to have the necessary mitigation measures. There are 156 questions which help you identify the most significant risks within your entity.

The Technical Safeguards

All covered entities and business associates are required by the HIPAA Security Rule to protect ePHI. This can be achieved by creating secure IT environments. Below is a detailed guide as to how you should accomplish the set safeguards.

1. Risk Assessment

To assess all the risks available within a covered entity or business associate you should:

• Create an inventory of all information systems within your environment

• Review responsibilities and roles for information risk

• Determine the risk associated with remote access

• Review business associate roles and risks to ePHI

• Identify information system components and electronic devices with data capabilities

• Review key audit events to create risk-based categorization for audit timings

• Assess and measure intentional or malicious disclosure risk arising out of information reception or transmission

• Review authentication requirements

• Assess and measure unintentional or malicious information access or modification

By exercising these measures, you’re guaranteed to know which areas might be exposed. Besides, you’ll have an easier time coming up with the required risk mitigation measures.

2. Technical Safeguards Plan and Policy

Here, you ascertain that ePHI is secure by only allowing access to the eligible members. Therefore, you should:

• Establish technical policies and procedures for electronic information systems maintaining ePHI

• Share access control policy with workforce members

• Share the procedures that enable implementation of access control policy with workforce members

Through this, you’re certain that everyone can understand their role and how to safeguard ePHI.

3. User Authorization and Segregation of Duties

Under this step, every user will understand what’s required of them. Below is all that you should do.

• Reviews user activities for storage, creation, and processing of ePHI within information systems

• Separate workforce member duties and service provider duties

• Use the principle of least privilege when accessing ePHI

• Enforce role-based access control (RBAC) policies on workforce members and service providers duties and needs

So doing will ensure that both workforce members and service providers comprehend what they need to do when accessing ePHI. As well as the necessary safety measures to observe.

4. Identification and Authorization

This’ll help track the activity of anyone who accesses ePHI. To have these measures in motion, you ought to:

• Share with workforce members identification and authorization policy

• Create unique identification for each member within a group account

• Assign a unique name and number to track and identify user activity

• Establish and implement the registration process

• Prohibit reuse of information system account identifiers

• Identify information system components and electronic devices

• Implement electronic procedures that limit activity time and terminate session automatically

• Enforce session locks for inactivity or user request

• Establish rules for continuing session lock

• Incorporate authentication measures

• Establish short-term emergency accounts allowing emergency access

• Create automatic removal or deactivation of the emergency accounts

By doing this, everyone who accesses any information will be logged into the system. Thus being able to monitor which information was accessed and when.

5. Contingency Plan and Policy

Besides being able to monitor the system, you need to ascertain that in case of emergencies, all information can be freely accessed. Therefore, you should:

• Establish and implement procedures for obtaining ePHI during an emergency

• Cleary define emergency and circumstances triggering a contingency plan

• Identify individuals responsible for activating the emergency access method

• Ensure RBAC policy defines workforce and service provider roles

• Establish an alternate storage site for ePHI copies

• Ensure the storage site provides information security safeguards as your own

• Identify roles and responsibilities for ePHI access and critical information systems needed

• Incorporate into a contingency plan the essential activities and associated requirements

• Establish a predetermined time and period and implement restoration capability of information systems

This’ll ascertain that in case of emergencies; you have the necessary measures in place as well as ensuring the safety of ePHI.

6. Systems and Communications Protection

The systems storing PHI data should be hack-proof. Below are the necessary measures to undertake.

• Implement encryption and decryption mechanism for ePHI

• Implement cryptographic mechanisms to prevent unauthorized ePHI disclosers

• Implement cryptographic mechanisms to detect information changes

• Share with workforce members the systems and communications policy

Data encryption is therefore essential to ascertaining that ePHI is secure.

7. Information Integrity

Here, your main goal should be focusing towards ensuring that there are measures against tampering of ePHI.

• Implement policies and procedures to protect ePHI from improper alteration

• Implement technical security measures to protect the ePHI transmission

• Implement security measures to ensure improper modifications when transmitting ePHI

• Implement “Identification and Authorization” and “Systems and Communication” protections

• Establish and implement electronic mechanisms to ensure that ePHI isn’t altered

• Use integrity verification tools

• Implement procedures to verify the identity of persons seeking ePHI access

• Share with workforce members an integration integrity policy

Through this, you can ensure that no one can corrupt ePHI or make any unsanctioned modifications.


8. Internal and External Audit Requirements

Getting to learn about the audit requirements helps you prepare and ensure that your measures are as per the set requirements

• Identify key audit events

• Identify and periodically review key audit events

• Determine audit scope and frequency

• Share with workforce members an audit and accountability policy

• Implement hardware, software and procedural mechanisms that record and examine information system activities

• Configure information systems and components

• Ensure the records contain relevant information

• Collect identity information for individuals

• Periodically review and analyze information audit records for indications of inappropriate activity

• Provide audit reduction and report generation capability

• Conduct backups for related ePHI documentation

• Test continuity and emergency operations

• Test RBAC policies

• Allocate audit storage capability

Ensuring that you follow everything stated, you’ll never have to worry about the security of ePHI.

Montage of TechSparks Mumbai Sponsors
Share on