HIPAA Compliance Checklist - A Cyber Security Company


HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

Table of Contents

An Introduction to the Security, Privacy, and Breach Notification Rules
Security Checklist
Privacy Rule Checklist
Breach Notification Checklist
Ready for HIPAA Compliance?

An Introduction to the Security, Privacy, and Breach Notification Rules

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of consumers' Protected Health Information (PHI) and electronic Protected Health Information (ePHI) by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the Department of Health and Human Services' Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of the Security Rule, it is vital to learn about the three types of safeguards: administrative, technical, and physical. As you will see in this checklist, administrative safeguards cover personnel, training, access, and process, while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.

The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute protected health information without the consent of the individual. If this sensitive data were to end up in the wrong hands, it could negatively impact the individual. There are five main areas of the Privacy Rule according to 45 CFR Part 160 and Subparts A and E of Part 164. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include Notice of Privacy Practices, patient rights, minimum necessary standards, administrative requirements, and uses and disclosures.

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. When you have a breach, you will always need to notify affected patients and HHS – no exceptions. If over 500 individuals have been affected, your covered entity will need to alert the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you are doing to investigate and mitigate future harm, and how they can contact you.

This checklist will walk you through the requirements of the HIPAA Security, Privacy, and Breach Notification Rules to give you an understanding of what could be assessed. We will outline the requirements of each rule, a description of the requirement, and what policies and procedures your organization needs to have to comply with the requirement.

Security Checklist

Administrative Safeguards

Security Management Process
  Description: Policies and procedures to prevent, detect, contain, and correct security violations
  Policies and Procedures: Information Security Policy Manual; Incident Reporting; Business Associate Agreements; Training Curriculum; Internal Auditing Policy; Compliance Manual; Employee Sanctions

Risk Analysis
  Description: Conduct a risk analysis of ePHI systems to identify threats, vulnerabilities, impact of risk, likelihood of occurrence, and existing risk mitigation controls
  Policies and Procedures: Risk Analysis; Risk Management

Risk Management
  Description: Policies and procedures to reduce risks and vulnerabilities to an appropriate level by prioritizing and implementing risk management controls
  Policies and Procedures: Risk Management

Assigned Security Responsibility
  Description: Assign responsibility to develop and implement policies and procedures
  Policies and Procedures: Information Security Policy Manual; Compliance Manual

Workforce Security – Appropriate Access
  Description: Policies and procedures to govern initial and ongoing access to PHI; reviews of access for continued appropriateness
  Policies and Procedures: Information Security Policy Manual (Logical Access); Human Resources Policies

Workforce Security – Terminating Access
  Description: Policies and procedures to terminate employee access to PHI
  Policies and Procedures: Information Security Policy Manual (Logical Access); Human Resources Policies

Workforce Security – Security Awareness Training
  Description: Train all employees on security awareness upon hire and continually
  Policies and Procedures: Information Security Policy Manual (Information Security Policy Acknowledgment and Training); HIPAA Training

Incident Response Procedures
  Description: Designate appropriate individuals and procedures for security incidents, including response, mitigation, documentation, and corrective actions
  Policies and Procedures: Information Security Policy Manual; Incident Response Procedure

Network Security – Malicious Software Protection
  Description: Policies and procedures to protect against, identify, and report malicious software
  Policies and Procedures: Information Security Policy Manual (Network Security)

Business Continuity
  Description: Policies, procedures, and training to address interruptions to business activity
  Policies and Procedures: Business Continuity Plan; Disaster and Recovery Plan

Business Associate Contracts
  Description: Agreements with business associates to ensure proper safeguarding of PHI
  Policies and Procedures: Business Associate Agreement; Vendor Questionnaires; Information Security Policy Manual (Vendor Management)

Physical Safeguards

Facility Access Controls
  Description: Policies and procedures to grant, monitor, and terminate access to physical facilities
  Policies and Procedures: Information Security Policy Manual (Physical Security); Human Resources Procedures

Facility – Emergency Planning
  Description: Policies and procedures to restore data in the event of emergency
  Policies and Procedures: Business Continuity Plan; Disaster and Recovery Plan

Facility Procedures – Unauthorized Access
  Description: Policies and procedures for identifying and responding to unauthorized access to physical facilities
  Policies and Procedures: Information Security Policy Manual (Physical Security)

Facility – Repairs and Changes
  Description: Policies and procedures to monitor and document repairs and changes to physical facilities that impact security
  Policies and Procedures: Information Security Policy Manual (Inventory); Risk Assessment

Workstation Security
  Description: Policies and procedures to control access to, changes to, and use of employee workstations
  Policies and Procedures: Information Security Policy Manual (Workstation Management)

Device and Media Controls
  Description: Policies and procedures to address use, storage, transmission, reuse, tracking, and destruction of removable media that store ePHI
  Policies and Procedures: Information Security Policy Manual (Acceptable Use, Inventory); Remote Work Policies

Technical Safeguards

Unique Name for User Identity
  Description: Policies and procedures to assign a unique name to each user identity in order to track usage
  Policies and Procedures: Information Security (Logical Access)

Computer Session Inactivity
  Description: Policies and procedures to terminate electronic sessions based on a predetermined time of inactivity
  Policies and Procedures: Information Security (Workstation Management)

Transmission of ePHI
  Description: Policies, procedures, audit controls, hardware, and software to encrypt, monitor, and record the transmission of ePHI
  Policies and Procedures: Information Security (Cryptology); Information Security (PHI Transmission)

Privacy Rule Checklist

PHI Uses and Disclosures for Treatment, Payment, or Operations
  Description: Patient authorization for the disclosure of PHI for treatment, payment, and healthcare operations is implied
  Policies and Procedures: Standard Disclosure of PHI; Notice of Privacy Practices

PHI Uses and Disclosures that Require Authorization
  Description: Patient authorization is required to disclose psychotherapy notes, PHI for marketing, and the sale of PHI; elements of valid authorization
  Policies and Procedures: Notice of Privacy Practices; Patient Authorization

PHI Uses and Disclosures Requiring Notice and Opportunity to Object
  Description: Certain disclosures require prior patient notice and opportunity to object: disclosures to family, facility directories, emergencies, and others
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations

PHI Uses and Disclosures Without Authorization
  Description: Certain disclosures do not require prior patient notice: court orders, law enforcement investigations, public health activities, and others
  Policies and Procedures: Notice of Privacy Practices

PHI Uses and Disclosures: Fund Raising
  Description: Disclosure of patient PHI for fund raising purposes requires authorization in most cases
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations

PHI Uses and Disclosures: Research
  Description: Disclosure of patient PHI for research purposes requires authorization in most cases
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations

PHI Uses and Disclosures: Personal Representatives and Family
  Description: Disclosure of patient PHI to patient family members/representatives is generally permitted, with exceptions
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations

PHI Uses and Disclosures: After Death
  Description: Patient privacy rights to PHI disclosure continue 50 years after death
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations

PHI Uses and Disclosures: Verification
  Description: Prior to PHI disclosure, entities must verify the identity and authority of the requesting party
  Policies and Procedures: Patient Authorizations; Standard Disclosure of PHI

PHI Uses and Disclosures: De-Identification
  Description: Privacy Rule restrictions related to PHI disclosures do not apply to de-identified information

PHI Uses and Disclosures: Safeguards for PHI Communication
  Description: Entities should ensure that channels of communication are appropriate for transmission of PHI
  Policies and Procedures: Standard Disclosure of PHI

PHI Uses and Disclosures: Minimum Necessary Standard
  Description: PHI disclosures and requests should be limited to the minimum PHI necessary for the treatment, payment, or operational requirement
  Policies and Procedures: Standard Disclosures of PHI; Minimum Necessary Policy

Minimum Necessary Standard: Workforce Access
  Description: Employee access should be restricted to the minimum necessary, defined by entity policies
  Policies and Procedures: Minimum Necessary Policy

Minimum Necessary Standard: Routine Disclosures
  Description: Entity policies define the minimum necessary for routine disclosures of PHI
  Policies and Procedures: Standard Disclosures of PHI; Minimum Necessary Policy

Minimum Necessary Standard: Non-Routine Disclosures
  Description: Entities should establish criteria for individual disclosures and review of such disclosures
  Policies and Procedures: Minimum Necessary Policy; Individual Disclosures of PHI

Patient Rights: Disclosure Restrictions
  Description: Patients may request certain restrictions on PHI disclosure and use; entity agreement to restrictions is not comprehensive
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations; Disclosure Restriction Form

Patient Rights: Alternative Communication
  Description: Patients may request alternative locations and means of communication
  Policies and Procedures: Notice of Privacy Practices; Patient Authorizations; Standard Disclosures of PHI

Patient Rights: Access to PHI
  Description: Patients may inspect and request copies of PHI
  Policies and Procedures: Notice of Privacy Practices; Standard Disclosures of PHI; Access to PHI Form

Patient Rights: PHI Amendments
  Description: Patients may request amendments of health records
  Policies and Procedures: Notice of Privacy Practices; Amendment of Patient Information; PHI Amendment Request Form

Patient Rights: Accounting of Disclosures
  Description: Patients may request an account of disclosures of PHI made by the entity
  Policies and Procedures: Notice of Privacy Practices; Standard Disclosure of PHI; Accounting of Disclosures Log

Notice of Privacy Practices: Availability
  Description: Covered entities must provide the Notice to patients, in physical locations and on websites
  Policies and Procedures: Notice of Privacy Practices

Notice of Privacy Practices: Acknowledgment
  Description: Covered entities must make good faith efforts to obtain acknowledgement of the Notice
  Policies and Procedures: Notice of Privacy Practices Acknowledgement

Business Associates
  Description: Covered entities may disclose PHI to business associates if the business associate provides safeguards for PHI (contracts, monitoring, enforcement)
  Policies and Procedures: Business Associate Agreements; Business Associate Oversight

Privacy Official
  Description: Covered entities must designate an individual to implement policies and procedures

Contact Person
  Description: Covered entities must designate a contact person to receive complaints and provide information regarding the Notice of Privacy Practices

Employee Training
  Description: Covered entities must provide adequate training to employees on Privacy Rule policies and procedures
  Policies and Procedures: Privacy Rule Policies and Procedures Training

Complaints
  Description: Covered entities must provide opportunities for and responses to complaints; complaints and resolution must be documented
  Policies and Procedures: Privacy Rule Complaints; Complaint Form

Mitigation of Improper Disclosures
  Description: Entities must take steps to mitigate harm from an improper disclosure
  Policies and Procedures: Standard Disclosures of PHI; PHI Disclosure Mitigation

Sanctions
  Description: Covered entities must sanction employees for violations of Privacy Rule policies and procedures
  Policies and Procedures: Employee Sanctions

Record Retention
  Description: Documents must be retained according to the period of retention required by law
  Policies and Procedures: Record Retention Policy; Record Destruction Log

Non-retaliation
  Description: Entities must refrain from retaliating against patients who exercise HIPAA rights
  Policies and Procedures: Patient Rights

Non-waiver
  Description: Entities may not condition treatment of patients upon the patient's waiver of HIPAA rights
  Policies and Procedures: Patient Rights

Corrective Actions
  Description: Entities must correct violations within 30 days of occurrence
  Policies and Procedures: Corrective Actions

Breach Notification Checklist

Identifying Breach
  Description: Covered entities and business associates must identify whether an unauthorized PHI disclosure has occurred; certain exceptions apply

Patient Notice
  Description: Covered entities and business associates must notify patients of an unauthorized PHI disclosure in the required timeframe, with the required content, and by the required method(s)
  Policies and Procedures: Patient Notice

HHS Notice
  Description: Covered entities and business associates must notify HHS of unauthorized PHI disclosures within the required timeframe (greater or less than 500 patients impacted)
  Policies and Procedures: HHS Notice

Media Notice
  Description: Covered entities and business associates must notify the media of unauthorized PHI disclosures within the required timeframe if more than 500 individuals are affected
  Policies and Procedures: Media Notice

Business Associate Notice
  Description: Covered entities must notify business associates of unauthorized PHI disclosures within the required timeframe
  Policies and Procedures: Business Associate Notice

Law Enforcement Delays
  Description: Covered entities and business associates may delay notifying the required parties of an unauthorized PHI disclosure if law enforcement states that notification would impede a criminal investigation or damage national security; timeframe of delay based on written and oral requests by law enforcement

Investigation
  Description: Covered entities and business associates must investigate unauthorized disclosures

Mitigation
  Description: Covered entities and business associates must limit the damaging effects of unauthorized disclosures

Contact Person
  Description: Covered entities and business associates must designate an individual for patients, media, business associates, and HHS to contact regarding unauthorized disclosures

Ready for HIPAA Compliance?

Are you a covered entity or business associate who uses PHI to provide services to the public? HIPAA compliance affirms the security of your services and gives your organization the ability to provide clients and regulators with evidence from an auditor who has actually seen your internal controls in place and operating. Protecting an asset as valuable as PHI can be a challenging responsibility, but when you partner with ACT Cybersecurity, it does not have to be. We offer assessments on compliance with the HIPAA Security Rule and Privacy Rule, as well as risk analyses, gap analyses, policy development, business associate compliance management, and consulting services. Your organization will also benefit from working with ACT Cybersecurity's Information Security Specialists, who are senior-level experts holding certifications like HCISPP, CISSP, and CISA.

Our audit delivery tool, the Online Audit Manager, streamlines the audit process, helps reduce the complexity of compliance efforts, and gives our clients the ability to combine multiple audit frameworks into one audit. We have spent over a decade honing this process so that clients can complete one audit process while receiving multiple reports.

Connect with us today to understand the time it takes to complete a HIPAA audit and the cost of receiving a HIPAA report, and take part in a free demo of the Social Engineering Phishing Test.
