HIPAA technical safeguards risk assessment checklist for 2018
In the HIPAA Security Rule, the Technical Safeguards focus on storing the electronic Protected Health Information (ePHI). The Security Rule provides all the Technical Safeguards’’ security requirements. Therefore, all covered entities, business associates, and healthcare provides ought to prove their regulatory compliance by undergoing audits. It’ll assure their clients of their security posture.
The Risk Assessment Checklist
HIPAA is meant to protect information as people move from one job to another. It was enacted in 1996. The privacy rule was passed in 2003 by the US Department of Health and Human Services. They defined PHI as information held by entities with concerns about one’s health status, and their payment or provision of healthcare. HIPAA became focused on the ePHI in 2005. It brought about three types of compliance safeguards. Which includes:
• Physical safeguards – Controls access to data storage areas
• Technical safeguards – Incorporates the communication channels through which PHI is transmitted
• Administrative safeguards – The policies and procedure that show compliance
Healthcare providers include a doctor of osteopathy or medicine who is authorized to practice medicine or surgery.
On the other hand, covered entities include healthcare clearinghouses, health plans and healthcare providers who transmit any healthcare information electronically.
For the business associates, they’re either persons or businesses who use or disclose protected health information while providing a service to or on behalf of a covered entity.
How to Get Compliant
You have to go through risk assessment first. It’ll highlight the locations of the greatest vulnerability. Thus being able to have the necessary mitigation measures. There are 156 questions which help you identify the most significant risks within your entity.
The Technical Safeguards
All covered entities and business associates are required by the HIPAA Security Rule to protect ePHI. This can be achieved by creating secure IT environments. Below is a detailed guide as to how you should accomplish the set safeguards.
1. Risk Assessment
To assess all the risks available within a covered entity or business associate you should:
• Create an inventory of all information systems within your environment
• Review responsibilities and roles for information risk
• Determine the risk associated with remote access
• Review business associate roles and risks to ePHI
• Identify information system components and electronic devices with data capabilities
• Review key audit events to create risk-based categorization for audit timings
• Assess and measure intentional or malicious disclosure risk arising out of information reception or transmission
• Review authentication requirements
• Assess and measure unintentional or malicious information access or modification
By exercising these measures, you’re guaranteed to know which areas might be exposed. Besides, you’ll have an easier time coming up with the required risk mitigation measures.
2. Technical Safeguards Plan and Policy
Here, you ascertain that ePHI is secure by only allowing access to the eligible members. Therefore, you should:
• Establish technical policies and procedures for electronic information systems maintaining ePHI
• Share access control policy with workforce members
• Share the procedures that enable implementation of access control policy with workforce members
Through this, you’re certain that everyone can understand their role and how to safeguard ePHI.
3. User Authorization and Segregation of Duties
Under this step, every user will understand what’s required of them. Below is all that you should do.
• Reviews user activities for storage, creation, and processing of ePHI within information systems
• Separate workforce member duties and service provider duties
• Use the principle of least privilege when accessing ePHI
• Enforce role-based access control (RBAC) policies on workforce members and service providers duties and needs
So doing will ensure that both workforce members and service providers comprehend what they need to do when accessing ePHI. As well as the necessary safety measures to observe.
4. Identification and Authorization
This’ll help track the activity of anyone who accesses ePHI. To have these measures in motion, you ought to:
• Share with workforce members identification and authorization policy
• Create unique identification for each member within a group account
• Assign a unique name and number to track and identify user activity
• Establish and implement the registration process
• Prohibit reuse of information system account identifiers
• Identify information system components and electronic devices
• Implement electronic procedures that limit activity time and terminate session automatically
• Enforce session locks for inactivity or user request
• Establish rules for continuing session lock
• Incorporate authentication measures
• Establish short-term emergency accounts allowing emergency access
• Create automatic removal or deactivation of the emergency accounts
By doing this, everyone who accesses any information will be logged into the system. Thus being able to monitor which information was accessed and when.
5. Contingency Plan and Policy
Besides being able to monitor the system, you need to ascertain that in case of emergencies, all information can be freely accessed. Therefore, you should:
• Establish and implement procedures for obtaining ePHI during an emergency
• Cleary define emergency and circumstances triggering a contingency plan
• Identify individuals responsible for activating the emergency access method
• Ensure RBAC policy defines workforce and service provider roles
• Establish an alternate storage site for ePHI copies
• Ensure the storage site provides information security safeguards as your own
• Identify roles and responsibilities for ePHI access and critical information systems needed
• Incorporate into a contingency plan the essential activities and associated requirements
• Establish a predetermined time and period and implement restoration capability of information systems
This’ll ascertain that in case of emergencies; you have the necessary measures in place as well as ensuring the safety of ePHI.
6. Systems and Communications Protection
The systems storing PHI data should be hack-proof. Below are the necessary measures to undertake.
• Implement encryption and decryption mechanism for ePHI
• Implement cryptographic mechanisms to prevent unauthorized ePHI disclosers
• Implement cryptographic mechanisms to detect information changes
• Share with workforce members the systems and communications policy
Data encryption is therefore essential to ascertaining that ePHI is secure.
7. Information Integrity
Here, your main goal should be focusing towards ensuring that there are measures against tampering of ePHI.
• Implement policies and procedures to protect ePHI from improper alteration
• Implement technical security measures to protect the ePHI transmission
• Implement security measures to ensure improper modifications when transmitting ePHI
• Implement “Identification and Authorization” and “Systems and Communication” protections
• Establish and implement electronic mechanisms to ensure that ePHI isn’t altered
• Use integrity verification tools
• Implement procedures to verify the identity of persons seeking ePHI access
• Share with workforce members an integration integrity policy
Through this, you can ensure that no one can corrupt ePHI or make any unsanctioned modifications.
8. Internal and External Audit Requirements
Getting to learn about the audit requirements helps you prepare and ensure that your measures are as per the set requirements
• Identify key audit events
• Identify and periodically review key audit events
• Determine audit scope and frequency
• Share with workforce members an audit and accountability policy
• Implement hardware, software and procedural mechanisms that record and examine information system activities
• Configure information systems and components
• Ensure the records contain relevant information
• Collect identity information for individuals
• Periodically review and analyze information audit records for indications of inappropriate activity
• Provide audit reduction and report generation capability
• Conduct backups for related ePHI documentation
• Test continuity and emergency operations
• Test RBAC policies
• Allocate audit storage capability
Ensuring that you follow everything stated, you’ll never have to worry about the security of ePHI.