In our previous blog post, How does my organization become HIPAA compliant?, we reviewed the four rules that healthcare organizations and their business associates must follow in order to be considered HIPAA compliant. The second round of HIPAA compliance audits by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is scheduled to begin in 2016 and may include more enforcement actions. Therefore, we’re sharing a three-part “checklist” with steps to help you safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule. While this information can help decipher complex and often confusing HIPAA requirements, it doesn’t replace proper due diligence from your legal counsel and/or Chief Information Security Officer. Read on to learn more about the HIPAA Security Rule – Administrative Safeguards.
HIPAA Security Rule – Administrative Safeguards
The Administrative Safeguards comprise more than half of the HIPAA Security requirements. HIPAA has a total of nine administrative safeguard standards that organizations must meet to ensure that appropriate measures to protect ePHI are adequately implemented, managed and updated.
2.1 – Security Management
Organizations are required to implement policies that detect, prevent and contain any potential security violations. Make sure your organization does the following:
- Conduct a comprehensive risk assessment to ensure that ePHI remains confidential and available at all times
- Institute policies for sanctioning employees who fail to comply with proper security procedures
- Implement a process for reviewing systems activity where ePHI is stored. This includes audit logs, access logs and any security incident reports
2.2 – Assigned Security Responsibility
Knowledge is power when it comes to implementing a defensible security program. Assign someone within your company to learn the HIPAA compliance requirements and direct the development and implementation of security procedures.
2.3 – Workforce Security
Activities by internal employees – whether accidental or intentional – are the leading cause of security breaches. The HIPAA workforce security standard is designed to ensure that organizations have documented criteria and procedures in place for granting access to ePHI including:
- Clearly defined policies for authorizing and supervising employees and/or subcontractors who work with ePHI
- Established procedures for granting or denying access to ePHI
- A documented plan for terminating an employee’s or subcontractor’s access to ePHI
2.4 – Information Access Management
It’s essential that you can demonstrate clearly defined information access policies including:
- Procedures that prevent a subsidiary or parent organization from accessing ePHI without proper authorization
- Clear policies in place that outline how, when and where access to ePHI can be granted
- Procedures for consistently documenting and reviewing a user’s access to ePHI
2.5 – Security Awareness and Training
Since HIPAA isn’t a “one and done” initiative, it’s critical to reinforce proper security policies and procedures with your employees, subcontractors, partners and vendors through the following activities:
- Publish regular security updates and reminders to your workforce
- Establish policies that ensure workstations, servers and digital systems are adequately protected from malicious software. Ensure that security updates and patches are implemented in a timely manner
- Implement monitoring procedures for user logins and suspicious activity
- Enforce strict policies for creating, modifying and protecting secure passwords
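The 2.1 item on reviewing audit and access logs and the 2.5 item on monitoring logins and suspicious activity both come down to the same routine: read the activity records of systems that hold ePHI and surface the events a human should look at. The script below is an added example written for this post (it is not code from the original article or from HOSTING); the log format, the field names, the business hours and every threshold are assumptions chosen for the demonstration, and the sample log lines are constructed.

```python
"""Added example, not code from the original post or from HOSTING: a minimal
review of an ePHI access log covering the 2.1 audit/access-log review and the
2.5 login/suspicious-activity monitoring items. The log format, field names,
business hours and thresholds are assumptions chosen for the example."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, time

# Assumed log format (one event per line):
#   <ISO-8601 timestamp> user=<id> action=<login_ok|login_fail|view|export> patient=<mrn or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

Finding = namedtuple("Finding", "kind user detail")

# Constructed sample log for the demonstration; users and record numbers are made up.
SAMPLE_LOG = """\
2016-03-01T08:05:12 user=nurse01 action=login_ok patient=-
2016-03-01T08:06:40 user=nurse01 action=view patient=10021
2016-03-01T08:07:02 user=nurse01 action=view patient=10022
2016-03-01T09:15:00 user=billing02 action=login_fail patient=-
2016-03-01T09:15:09 user=billing02 action=login_fail patient=-
2016-03-01T09:15:17 user=billing02 action=login_fail patient=-
2016-03-01T09:15:26 user=billing02 action=login_fail patient=-
2016-03-01T09:15:33 user=billing02 action=login_fail patient=-
2016-03-01T14:02:10 user=analyst04 action=view patient=10030
2016-03-01T14:02:31 user=analyst04 action=view patient=10031
2016-03-01T14:02:55 user=analyst04 action=view patient=10032
2016-03-01T14:03:20 user=analyst04 action=export patient=10033
2016-03-01T23:40:51 user=tech03 action=view patient=10021
this line was truncated during log shipping
"""


def parse_events(lines):
    """Parse log lines into dicts. Unparseable lines are kept and reported rather
    than silently dropped: format drift or tampering is itself worth a finding."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            events.append({"action": "unparseable", "raw": raw})
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_access_log(lines, failed_login_threshold=5,
                      business_hours=(time(7, 0), time(19, 0)),
                      max_distinct_patients=20):
    """Return the findings a reviewer should look at. The thresholds are
    assumptions and would be tuned per organization in a real review process."""
    findings = []
    failed_logins = defaultdict(int)
    patients_seen = defaultdict(set)
    start, end = business_hours

    for ev in parse_events(lines):
        if ev["action"] == "unparseable":
            findings.append(Finding("unparseable_line", None, ev["raw"]))
            continue
        user, action, ts, patient = ev["user"], ev["action"], ev["ts"], ev["patient"]
        if action == "login_fail":
            failed_logins[user] += 1
        if action in ("view", "export") and patient != "-":
            patients_seen[user].add(patient)
            # Record access outside business hours deserves a second look.
            if not (start <= ts.time() < end):
                findings.append(Finding("after_hours_access", user,
                                        f"{action} of patient {patient} at {ts.isoformat()}"))

    for user, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append(Finding("failed_login_burst", user, f"{count} failed logins"))
    for user, patients in patients_seen.items():
        if len(patients) > max_distinct_patients:
            findings.append(Finding("high_record_volume", user,
                                    f"{len(patients)} distinct patient records"))
    return findings


if __name__ == "__main__":
    # max_distinct_patients is lowered to 3 only so the small sample triggers it.
    for f in review_access_log(SAMPLE_LOG.splitlines(), max_distinct_patients=3):
        print(f"{f.kind:20} {f.user or '-':10} {f.detail}")
```

Run against the sample, the review flags the failed-login burst for billing02, the late-night record access by tech03, the unusually broad record access by analyst04 and the one line the parser could not read; nurse01’s ordinary daytime activity produces nothing. The point for the 2.1 and 2.5 checklist items is that the review is a repeatable, documented process with stated thresholds, not an ad-hoc scan of a log file, and that its output (the findings) is what gets recorded and acted upon.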
2.6 – Security Incident Procedures
Have procedures in place for responding to security incidents, mitigating their effects and documenting them.
2.7 – Contingency Plan
In case of an emergency such as a natural disaster or system malfunction, your organization must have a codified contingency plan to ensure that ePHI remains safe and accessible to authorized personnel at all times. Make sure your contingency plan includes the following:
- A data backup plan in place for retrieving exact copies of lost or damaged ePHI
- Documented and tested data restoration procedures
- Procedures in place that ensure processes critical to the security of ePHI remain operational in the event of an emergency
- Documented periodic testing and revisions of contingency plans
- An assessment to determine the data and applications that are critical to the contingency plan
2.8 – Evaluation
Schedule periodic evaluations of your established policies and procedures to ensure they continue to adequately safeguard ePHI.
2.9 – Business Associate Agreements
A Business Associate Agreement must be in place when engaging with anyone who handles ePHI on your organization’s behalf. Using the sample BAA provided by the Department of Health and Human Services ensures that it is HIPAA-compliant.
HIPAA compliance can be complicated. HOSTING can help. Our team of certified information security and compliance experts help customers understand their exposure as well as their regulatory and compliance obligations. Our proprietary HIPAA Compliance as a Service™ from HOSTING enables organizations to measure, monitor and manage their risk. View our complimentary, on-demand webinar, Using Data Security to Address HIPAA and HITECH Requirements, for expert insights on safeguarding ePHI.