HIPAA Compliance Checklist for 2021

Approach HIPAA with confidence and avoid penalties with this concise guide.

In a previous article we discussed the high-level requirement of the healthcare insurance portability and accountability act (HIPAA), including its basic administrative, technical, and physical safeguards.

But compliance is a complex and evolving challenge. With the mobile and telehealth trends making technology’s role in the healthcare industry more prominent than ever, it’s important that organizations are prepared to manage the details of compliance in a clear and systematic way.

We’ve designed this checklist to provide an overview of the technical controls that all healthcare providers will need to implement to avoid the reputational damage and expense of non-compliance.

How to Understand HIPAA’s Technical Controls

As an IT services provider, most questions we get about HIPAA and HITECH compliance are centered around what’s known as the technical safeguards. These are the policies and procedures that healthcare providers use to protect electronic personal health information(ePHI) as it travels across a network.

There are several major category of technical control:

1. Access and Authentication Control
Restricting access to protected health information (PHI) is a critically important balancing act. On one hand, doctors and nurses must be able to access healthcare records immediately to provide quality healthcare outcomes. On the other hand, access controls are a critical aspect of data security and must be applied vigorously throughout your organization.

Here are the steps you should take to meet HIPAA’s access and authentication requirements:

• Assign a unique username or identification number to track each user’s activity
• Enforce automatic log-off policies to terminate idle network sessions
• Prevent staff from using credentials across multiple systems
• Review and update access controls to enforce “least privilege”
• Develop procedures for accessing ePHI during an emergency

While authentication is often confused for access control, in reality it’s a unique category that’s focused on what steps users and entities need to take before they can access ePHI. For many organization, authentication can be addressed in one single step.

• Implement appropriate multi-factor authentication, such as PIN codes, smart cards, biometric protection, on each system to enforce identity management policies.

The largest HIPAA fine in history, paid by Anthem in 2018, was for access control failure and other violations.

2. Audit Controls
This category is another major feature of HIPAA’s technical requirements. Both covered entities and business associates must be able to appropriately review and audit security trails. The audit controls you implement should provide procedural mechanisms to record and examine activity in any hardware or software system that processes or contains ePHI. This ensures that any unauthorized access can be traced back to a single user account.

To achieve comprehensive audit control, you’ll need to cover each of these three areas:

• Application audit trails that log user activity for key applications, including data access timestamps, change logs, and record deletions
• System level audit trails that track log-in attempts, including system information about the device
• User audit trails to track user activity as it pertains to ePHI and relevant applications, such as user commands, their access to ePHI resources, and log-in attempts

3. Integrity Controls
Integrity is a core feature of the CIA triad of cybersecurity. Integrity, along with confidentiality and availability, are considered important guidelines for developing a strong overall security posture.

Data integrity is an important feature of HIPAA and HITECH as well, meaning that all healthcare organizations must take steps to ensure that ePHI is not, “altered or destroyed in an unauthorized manner,” which could lead to health consequences for patients.

While the HIPAA text is light on technical prescriptions, here are common steps organizations take to ensure the trustworthiness of data throughout its entire lifecycle:

• Deploy a system to track unauthorized changes in ePHI, such as file integrity monitoring solutions
• Configure protections to continually monitor key system files and detect if an intruder has penetrated the network
• Create policies for faxing or printing PHI, including notifying the recipient beforehand

Remember that although we’re talking mainly technical dimensions, you should also safeguard your data from real-world data integrity issues as well, such as staff members or business associates altering or destroying paper healthcare records.

4. Transmission Security
Data in motion must be protected in the same way that you protect data at rest. This includes applying strong encryption consistently for all ePHI as it travels between your servers, workstations, mobile devices, cloud services, as well as the technology systems of business associates. 

Effective Process Must Complement Technical Safeguards

Technical controls are just one piece of the HIPAA compliance puzzle. All controls must be augmented with effective administrative processes to avoid falling out of compliance.

This often starts with a rigorous audit of an organizations’ ePHI and then creating an inventory of where that data is received, stored, and maintained. HIPAA guidelines require providers to group data according to its level of sensitivity, which helps create a more consistent system for keeping it safe.

Under HIPAA, there are four layers of protected data:

Restricted
This information is protected by state or federal regulation, such as intellectual property or research data. If improperly disclosed, an organization with improperly secured restricted data face criminal charges or large fines.

Confidential
This is data could cause significant damage or personal distress if improperly disclosed. It includes social security numbers, cardholder data, and personal healthcare information.

Internal
Company memos or other internal communications should be restricted to staff members and appropriate parties

Public
This type of data can be accessed redistributed by anyone by anyone, but it should still be protected from unauthorized alteration.

Once you have a clear sense where protected ePHI exists and how it flows through your network, you can customize the technical safeguards mentioned above to ensure resources are allocated to provide the necessary levels of security, without leading to budget overruns.

To learn about creating a good technology policy, read more here.

Dealing with the Ambiguity of HIPAA

HIPAA is based on concepts of flexibility, scalability, and neutrality, which means there are no specific requirements that you need to implement to be compliant. It’s an open-ended concept, which leaves significant room for your organization to determine what’s most appropriate.

If your organization is struggling with HIPAA compliance and would like the support of a team of seasoned compliance experts, we’re here to help! Contact our HIPAA experts any time with your questions at [email protected] or 1 877 877 1840.

We look forward to speaking with you!