HIPAA compliance is a critical issue for any healthcare (and sometimes non-healthcare) organization. In order to ensure that your organization is HIPAA compliant, you need to implement certain IT procedures and protocols. This HIPAA IT Compliance Checklist will help you do just that.
The first step in becoming HIPAA compliant is understanding the requirements of HIPAA. The next step is implementing the necessary IT procedures and protocols to meet those requirements.
This checklist includes specific steps you need to take to protect patient data, safeguard electronic health information (EHI), and ensure secure communications.
The HIPAA IT Compliance Checklist
Here is a checklist of steps you can take to ensure your business is HIPAA compliant.
- Understand the requirements of HIPAA.
- Implement the necessary IT procedures and protocols to meet those requirements.
- Protect patient data.
- Safeguard electronic health information (EHI).
- Ensure secure communications.
- Train your workforce on HIPAA rules and regulations.
- Have procedures in place to manage workforce members who access or use EHI.
- Have an incident response plan in place to address data breaches, security incidents, and other emergencies.
- Implement technical safeguards to protect the confidentiality, integrity, and availability of EHI. Technical safeguards include access control, audit control, integrity controls, transmission security, and individual identification.
- Perform regular risk assessments to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of EHI.
- Have procedures in place to report incidents to the Office for Civil Rights (OCR).
- Comply with state and federal laws, as well as HIPAA IT compliance regulations.
Here are a few additional items to keep in mind:
- Keep records of electronic PHI offsite. This should go without saying for anybody who stores data anywhere other than at their workplace, yet it is especially essential when it comes to patient information. Furthermore, HIPAA requires that backup copies of electronic PHI be kept in a separate location from the original. And under HIPAA’s recommended security criteria, backup electronic PHI data must be encrypted.
- Back up all patient information. HIPAA requires that all covered entities maintain records-management procedures for requesting or producing exact copies of electronic PHI.
- Make sure you know what the definitions mean. HIPAA is full of words and phrases that have precise meanings. It’s always a good idea to double-check your understanding of these terms and phrases and read the law carefully so that you remain in compliance. “Protected health information,” for example, refers to individuals’ medical records and personal health information.
- Make sure your backup service is HIPAA-compliant. You’ll want a backup service that will allow you to comply with HIPAA regulations by providing secure physical, technical, and administrative safeguards to ensure the integrity and availability of your electronic PHI.
- Enter into a “Business Associate” agreement with your backup service. Anyone who creates, obtains, or maintains PHI on behalf of the covered entity must enter into a Business Associate Agreement. Because your backup provider will be handling and maintaining your PHI, they would be classed as a “Business Associate,” and thus they would need to sign a Business Associate Agreement. Before you commit, check with your backup service to see whether this is an option.
Following these tips will help you build a strong HIPAA IT compliance program and ensure that your organization is compliant with the HIPAA Privacy Rule, the HIPAA Security Rule, and other HIPAA IT compliance regulations.
Additionally, it’s important to know and understand the SHIELD Act as it applies to those in New York.
What Is the SHIELD Act?
New York State implemented the Stop Hacks and Enhance Electronic Data Security Act (SHIELD Act). This protects and regulates New York State residents’ data security and “private information.”
Any person or firm that holds computerized data of a New York State resident must implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information.
This act is aimed at restricting the collection and use of personal health information and applies to covered entities as well as business associates who must adhere to HIPAA privacy and security regulations. You will have fulfilled the data security standards and recommendations under the SHIELD Act if you are considered a HIPAA-covered entity or comply with HIPAA.
This does not, however, imply that you are free from the SHIELD Act’s restrictions. The collaboration between HIPAA and the SHIELD Act aims to guarantee that patient information is safe following a data breach.
The SHIELD Act does not apply to health information, but it does cover “private data.” Under the SHIELD Act, when a breach of HIPAA is reported to the Secretary of Health and Human Services and individuals affected by the incident, the breaching entity must inform the New York State Attorney General within 5 business days.
In that scenario, however, no separate notification is required, because HIPAA already requires such notification.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting electronic health information. HIPAA requires covered entities (CEs) to take steps to safeguard the confidentiality, integrity, and availability of EHI.
Covered entities include healthcare providers, health plans, and clearinghouses.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. OCR can impose civil and criminal penalties on covered entities that violate HIPAA rules.
What Are the Key Components of HIPAA IT Compliance?
There are three key components of HIPAA IT compliance:
- administrative safeguards
- physical safeguards
- technical safeguards
Physical safeguards are physical measures that CEs put in place to protect EHI. They include facility security, workstation security, and device and media controls.
Technical safeguards are technical measures that CEs put in place to protect EHI. They include access control, audit control, integrity controls, transmission security, and individual identification.
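The checklist above and this section both name integrity controls and audit control among the technical safeguards without showing what they look like in practice. The following is an added example, not code from the original page or from any product it describes: it attaches an HMAC-SHA256 tag to each record of electronic PHI so that any later modification is detected, and keeps a hash-chained, append-only audit log so that tampering with the trail itself is also detected. The integrity key, the record layout, the user names and the diagnosis codes are all constructed for this illustration; a real deployment would take the key from a key-management system rather than from source code.

```python
"""Added example: minimal integrity control and audit control for ePHI records.
All keys, names and record contents below are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed, hypothetical key. Never keep a real integrity key in source code.
INTEGRITY_KEY = b"example-only-integrity-key-do-not-use"


def _canonical(obj: dict) -> bytes:
    # Stable serialization so the same content always produces the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record together with an HMAC-SHA256 integrity tag."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time.
    False means the record changed (or was sealed under another key)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Append-only audit trail: who did what to which record, when, with what
    outcome. Every entry carries the hash of the previous entry, so editing or
    removing an earlier entry invalidates every entry after it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    def append(self, user: str, action: str, record_id: str, outcome: str) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
            "prev_hash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry's hash and back-link are still consistent."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            recomputed = hashlib.sha256(_canonical(body)).hexdigest()
            if entry["prev_hash"] != prev or recomputed != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Seal a constructed record, tamper with it, then tamper with the audit
    trail, and report what each control detected."""
    audit = AuditLog()
    patient = {"record_id": "R-0001", "name": "Example Patient", "dx_code": "J45.909"}
    sealed = seal_record(patient)
    audit.append("clinician1", "create", patient["record_id"], "ok")

    intact = verify_record(sealed)
    audit.append("clinician1", "read", patient["record_id"], "ok" if intact else "integrity-failure")

    # Simulated unauthorised edit that bypasses seal_record(): the tag no longer matches.
    sealed["record"]["dx_code"] = "Z00.00"
    after_tamper = verify_record(sealed)
    audit.append("unknown", "read", patient["record_id"], "ok" if after_tamper else "integrity-failure")
    chain_ok = audit.verify_chain()

    # Simulated attempt to hide the failure by rewriting the audit entry in place.
    audit.entries[2]["outcome"] = "ok"
    chain_after_edit = audit.verify_chain()

    return {
        "intact": intact,                      # True: untouched record verifies
        "after_tamper": after_tamper,          # False: edit detected by the HMAC
        "chain_ok": chain_ok,                  # True: trail intact before the cover-up
        "chain_after_edit": chain_after_edit,  # False: cover-up detected by the chain
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two controls are deliberately independent: the HMAC tag tells you that a record was altered, and the hash chain tells you that someone tried to edit the record of who touched it. Neither prevents the edit; they make it detectable, which is what the audit-control and integrity-control safeguards require, and the audit entries are what an incident response plan would rely on afterwards.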
Who Needs To Be HIPAA Compliant?
Who is regulated — i.e., considered a covered entity — by the law?
Your organization is considered a covered entity if it:
- Provides direct healthcare to patients and processes or transmits any medical information electronically
- Administers or provides a health coverage plan
- Acts as a healthcare clearinghouse — i.e., processes electronic information received from another source
HIPAA doesn’t affect only the healthcare industry. HIPAA rules actually apply to any entity that directly handles protected health information.
Some common examples of “primary” HIPAA-covered entities include healthcare providers such as hospitals and doctors, health insurance providers, and clearinghouses.
However, problems arise when organizations conclude that because they do not explicitly fall into one of the covered entity categories as defined by HIPAA, they do not need to concern themselves with HIPAA compliance.
Actually, the definition of a “covered entity” or Business Associate (BA) is fairly broad, and the rules apply to a wide range of organizations from many different industries.
For example, many organizations are affected by HIPAA by virtue of the protected health information (PHI) they hold in the form of an employee group health plan. This issue was highlighted in The 2015 Protected Health Information Data Breach Report by Verizon, which linked roughly 20 different industries, in addition to healthcare, to a PHI data breach.
What exactly defines a Business Associate under HIPAA? A Business Associate (BA) is defined as “an organization or individual working in association with, or providing services to a covered entity that handles PHI”.
Some common BA examples include:
- Data storage or document destruction companies
- Data transmission companies or vendors who routinely access PHI
- Third-party administrators
- Billing entities
- IT contractors
- Personal health record vendors
- Lawyers and accountants
- Malpractice insurers
When does information not constitute PHI?
While patients’ private health information should be protected at all costs, there are circumstances in which PHI may be made available to the public.
HHS states that, in recognition of the potential utility of health information even when it is not individually identifiable, a section of the HIPAA Privacy Rule allows entities to use information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b).
Essentially, these provisions allow an entity to disclose health information provided it cannot serve as a basis for identifying an individual. The National Center for Health Statistics is a good example of a data source that publishes de-identified health information.
Covered entity responsibilities under HIPAA
If your organization handles private health information, the requirements are straightforward:
- You must maintain the integrity and privacy of records in your custody.
- You must anticipate and take positive measures against security threats and potential information breaches.
- You must make sure your employees are aware of what constitutes unauthorized disclosure or impermissible use of the records.
Can A HIPAA-Covered Business Use Cloud Services?
This is a common question since, in the past, the cloud has seemed like a less secure option.
However, with the right Cloud Service Provider (CSP), you can use cloud services while still being HIPAA-compliant. In fact, many healthcare organizations are using cloud services to store and share PHI.
When choosing a CSP, it’s important to make sure they’re HIPAA-compliant. This means they must have the proper physical, technical, and administrative safeguards in place to protect PHI. They should also have a Business Associate Agreement (BAA) in place.
If a CSP stores only encrypted ePHI and has no decryption key, does it still qualify as a HIPAA business associate?
Yes, because the CSP handles and maintains ePHI on behalf of a covered entity or another BA. A CSP’s lack of an encryption key for the encrypted data it receives and manages does not relieve it of its responsibilities under the HIPAA Rules.
Even if the entity that maintains ePHI as a proxy for a covered entity (or another business associate) isn’t allowed to view it, it is still a BA.
As a result, even if the CSP doesn’t have a decryption key and is, therefore, unable to see information, it remains a business associate because it maintains encrypted ePHI on behalf of a covered entity (or another business associate).
For convenience, this content employs the phrase “no-view services” to describe a situation in which the cloud service provider stores encrypted ePHI on behalf of a covered entity (or another business associate) and does not have access to the decryption key.
Can a CSP be considered as a “conduit” like the postal service, and, therefore, not a BA that must comply with the HIPAA Rules?
Usually not. Even if a CSP cannot decrypt ePHI because it is encrypted and the CSP does not have the decryption key, it is considered a business associate if it provides cloud services to a covered entity or business associate that include creating, receiving, or maintaining ePHI.
What if a HIPAA-covered entity (CE) or business associate (BA) uses a CSP to maintain electronic protected health information without first executing a business associate agreement (BAA) with that CSP?
If a covered entity (or business associate) uses a CSP to maintain (i.e., process or store) ePHI without first entering into a business associate agreement with the CSP, the CE (or BA) is in violation of the HIPAA Rules at 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).
The OCR has entered into a resolution agreement and corrective action plan with a covered entity that the OCR determined used a cloud-based server to store the ePHI of over 3,000 individuals without entering into a BAA with the CSP.
Any CSP that becomes aware that it is maintaining ePHI must come into compliance with the HIPAA Rules or securely return the ePHI to the customer; or, if agreed to by the customer, securely destroy the ePHI. Once the CSP securely returns or destroys the ePHI (subject to arrangement with the customer), it is no longer a BA. It is recommended that CSPs document these actions.
And, while a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing the data in a manner that is inconsistent with the Rules.
If a CSP experiences a security incident involving a HIPAA-covered entity’s or business associate’s ePHI, is it required to report the incident to the CE or BA?
Yes, in all cases. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires BAs to identify and respond to suspected or known security incidents; to mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and to document security incidents and their outcomes.
At Globalquest, we offer HIPAA-compliant cloud services. We have the proper physical, technical, and administrative safeguards in place to protect your PHI. We also have a BAA in place. Contact us today to learn more about our HIPAA-compliant cloud services.
Is Your Business HIPAA Compliant?
At Globalquest, we work with our clients to educate, plan, execute, and maintain information technology. We also understand the New York SHIELD Act and HIPAA compliance. We can assist you in developing a system that protects your customers’ personal information while also maintaining continuity for your company and staying HIPAA compliant.
We are here to help businesses improve their operations through efficiency savings, increased productivity, improved security, and lowered risk. For additional information, please contact us today!