NIST (the National Institute of Standards and Technology) provides an introductory resource guide for implementing the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, including handy tables that break down the safeguards that covered entities and business associates must abide by if they handle PHI (protected health information) or ePHI (electronic protected health information).
This multi-part series on HIPAA safeguards and compliance includes a detailed description of key activities and questions you can ask yourself as a checklist to ensure you meet the standards. The safeguards include:
- Administrative Safeguards, Security Management Process (164.308(a)(1))
- Assigned Security Responsibility, Identifying a Security Official (164.308(a)(2))
- Workforce Security, Implementing Workplace Policies and Procedures (164.308(a)(3))
- Information Access Management, Implementing Policies and Procedures for Access Authorization (164.308(a)(4))
- Security Awareness and Training, Implementing Security Awareness and Training (164.308(a)(5))
The first part in this series describes the Administrative Safeguards that include implementing company policies and procedures related to security controls to meet HIPAA compliance.
Administrative Safeguards (164.308(a)(1))
- Identify Information Systems with PHI
  - Action: Identify the information systems, hardware and software used to collect, store, process or transmit PHI. Review your business functions to verify ownership and control of your information system components.
  - Ask yourself: Do you take regular inventory of your hardware and software (including removable media and remote access devices)? Is your system configuration documented? Have you identified your information types and uses, and how sensitive that information is?
- Conduct a Risk Assessment
  - Action: Conduct a thorough assessment of the potential risks and vulnerabilities to PHI, following a standard risk assessment methodology (see Appendix E: Risk Assessment Guidelines, Page E-1).
  - Ask yourself: What are the current and planned controls? Is your facility, or your data hosting facility, in a region prone to natural disasters? Have hardware and software been checked for enabled security settings?
- Implement a Risk Management Program
  - Action: Implement security measures to comply with 164.306(a).
  - Ask yourself: Do your current safeguards protect the confidentiality, integrity and availability of PHI, including against anticipated threats or hazards to the security/integrity of PHI? Have you checked this compliance against your policies and procedures?
- Acquire IT Systems and Services
  - Action: Implement technology, hardware, software and services as needed to protect PHI. Match your IT solution to your environment, taking into consideration how sensitive the data is, your security policies, procedures and standards, and the resources you have available for operation, maintenance and training.
  - Ask yourself: How will the new security controls work within your existing IT infrastructure? Have you done a cost-benefit analysis of the investment against the identified security risks? Has a staff training strategy been developed?
- Create and Deploy Policies & Procedures
  - Action: Implement new risk mitigation controls (management, operational and technical) by department. When creating your policies, establish roles and responsibilities for each control, assigned to specific individuals or departments.
  - Ask yourself: Do you have a documented plan for system security and a formal contingency plan? What is your employee communication plan? Are the policies and procedures reviewed and updated when major changes take place in your company, or as needed?
- Develop and Implement a Sanction Policy
  - Action: Create a policy that addresses employee offenses that violate HIPAA regulations or compromise the safety/privacy of PHI, including sanctions such as reprimands and termination.
  - Ask yourself: Is there a documented and formal process in place addressing PHI and system misuse, abuse and fraud? Have employees been informed of the policies regarding sanctions for the misuse and disclosure of PHI?
- Develop and Deploy the Information System Activity Review Process
  - Action: Implement procedures to regularly review records of system activity, such as audit logs, access reports and security incident tracking reports.
  - Ask yourself: How often will reviews occur and results be analyzed, and who will be responsible for them? Where will audit information reside?
- Develop Appropriate Standard Operating Procedures
  - Action: Determine what audit data and monitoring you need in order to derive exception reports.
  - Ask yourself: How will exception reports or logs be reviewed, and where will monitoring reports be filed and maintained?
- Implement the Information System Activity Review and Audit Process
  - Action: Activate the review process and begin auditing and logging activity.
  - Ask yourself: What needs to be implemented to assess the effectiveness of the review process? What is the plan for revising the review process when needed?
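The last three items describe one procedure: collect audit and access records, decide which conditions count as exceptions, and run a recurring review that produces an exception report for a named owner. The following is an added example of what the smallest useful version of that review looks like in practice; it is not code from the NIST guide or from the original post. The log field layout, the four exception rules (after-hours access, high-volume record access, repeated access denials, activity on a deactivated account), the thresholds and the sample log lines are all constructed assumptions for illustration, and the thresholds in particular would be tuned to the organization's own baseline.

```python
"""Minimal information-system activity review: turns ePHI access-log lines
into an exception report.  Example code, not from NIST SP 800-66 or the post.
Log format, rules and thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log (not real data).  Assumed field layout:
# timestamp|user|role|action|patient_id|result
# The final line is deliberately corrupt: gaps in audit data are a finding too.
SAMPLE_LOG = """\
2024-03-04T09:12:05|jdoe|nurse|VIEW|P1001|OK
2024-03-04T09:13:40|jdoe|nurse|VIEW|P1002|OK
2024-03-04T02:15:10|rsmith|billing|VIEW|P2001|OK
2024-03-04T10:01:00|rsmith|billing|VIEW|P2002|OK
2024-03-04T10:02:00|rsmith|billing|VIEW|P2003|OK
2024-03-04T10:03:00|rsmith|billing|VIEW|P2004|OK
2024-03-04T11:00:00|tlee|intern|VIEW|P3001|DENIED
2024-03-04T11:00:30|tlee|intern|VIEW|P3001|DENIED
2024-03-04T11:01:00|tlee|intern|VIEW|P3001|DENIED
2024-03-04T14:30:00|mgone|nurse|VIEW|P1003|OK
this line is corrupt and has no delimiters
"""

# Assumed list of accounts HR/IT have deactivated; any activity on them is an exception.
DEACTIVATED_ACCOUNTS = frozenset({"mgone"})


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    patient_id: str
    result: str


@dataclass(frozen=True)
class Finding:
    rule: str    # which exception rule fired
    user: str    # account involved ("-" when the line could not be parsed)
    detail: str  # human-readable evidence for the reviewer


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited record; raises ValueError on malformed input."""
    fields = line.split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    ts, user, role, action, patient_id, result = fields
    return Event(datetime.fromisoformat(ts), user, role, action, patient_id, result)


def review_activity(log_text, business_hours=(time(7), time(19)),
                    volume_threshold=3, denied_threshold=2,
                    deactivated=DEACTIVATED_ACCOUNTS):
    """Apply the exception rules to a log and return the findings in order."""
    findings = []
    distinct_patients = defaultdict(set)  # (user, date) -> patient ids viewed
    denials = defaultdict(int)            # user -> number of DENIED results
    start, end = business_hours
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            ev = parse_line(raw)
        except ValueError as exc:
            findings.append(Finding("UNPARSEABLE", "-", f"line {lineno}: {exc}"))
            continue
        if not (start <= ev.ts.time() < end):
            findings.append(Finding("AFTER_HOURS", ev.user,
                                    f"{ev.action} {ev.patient_id} at {ev.ts.isoformat()}"))
        if ev.user in deactivated:
            findings.append(Finding("DEACTIVATED_ACCOUNT", ev.user,
                                    f"{ev.action} {ev.patient_id} on line {lineno}"))
        if ev.result == "DENIED":
            denials[ev.user] += 1
        elif ev.patient_id:
            distinct_patients[(ev.user, ev.ts.date())].add(ev.patient_id)
    # Aggregate rules run once the whole period has been read.
    for (user, day), ids in sorted(distinct_patients.items()):
        if len(ids) > volume_threshold:
            findings.append(Finding("HIGH_VOLUME", user,
                                    f"{len(ids)} distinct records on {day}"))
    for user, n in sorted(denials.items()):
        if n >= denied_threshold:
            findings.append(Finding("REPEATED_DENIAL", user, f"{n} denied access attempts"))
    return findings


def format_report(findings) -> str:
    """Render findings as the exception report handed to the review owner."""
    lines = [f"{len(findings)} exception(s) requiring review"]
    lines += [f"[{f.rule}] user={f.user}: {f.detail}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_activity(SAMPLE_LOG)))
```

Running the block on the constructed log yields five findings: one after-hours view and one high-volume day for `rsmith`, repeated denials for `tlee`, activity on the deactivated `mgone` account, and the unparseable line. The point of keeping the rules as plain functions over a parsed event stream is that each rule maps to a question the checklist asks (who reviews it, how often, where the output is filed), so the report itself becomes the record that the review occurred.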