One of the questions that I get asked a lot is: What does it take to be compliant with the HIPAA Security Rule?
And when I start to answer the question, inevitably the person’s eyes glaze over. So to prevent your eyes from glazing over I will give the simple answer: A lot.
OK, that might be too simple so I will give a list of things that need to be done to be compliant. Before I get started I want to point out that the Security Rule has items that are required and items that are addressable. For this article I am going to list the items that a medical practice SHOULD do regardless of whether they are required or addressable.
- Write detailed Policies and Procedures that address each one of the below items.
- Perform a Risk Assessment on systems that contain electronic protected health information (ePHI).
- Implement the suggested security recommendations that are identified in the Risk Assessment.
- Create a Sanction Policy that addresses what to do if someone is in violation of your Policies and Procedures.
- Assign the Security Officer role to an individual.
- Develop a procedure to ensure that access to ePHI is only given to employees that need access to perform their job.
- Make sure that employee access to ePHI is limited to the information needed to perform their job. (i.e. make sure they don’t have too much access)
- Make sure employee access to ePHI is terminated when they no longer need access. This can be when they are terminated or when they switch to another job within the practice. Create an employee termination procedure.
- Train your employees on the best practices to secure ePHI.
- Issue security reminders to employees after the training. Items include best practices, malware alerts, security warnings, etc.
- Implement anti-virus / anti-malware on all systems. Ensure that the anti-malware is automatically updated and kept current.
- Implement a procedure to report, document and respond to security incidents that affect ePHI.
- Implement a data backup procedure that ensures ePHI is properly backed up. This can be to a backup tape, off-site backup, etc. Ensure that your tape backups or off-site backups are encrypted.
- Implement a disaster recovery plan to ensure access to ePHI in the event something happens to your systems. This includes a fire, flood, power outage, hardware crash, etc.
- Implement a procedure to operate in an emergency mode if there is a disaster. Make sure you have a plan to use your disaster recovery plan and make sure you don’t lose ePHI during the disaster.
- Implement a procedure to regularly review your HIPAA Security Policies and Procedures. During the review make appropriate changes to strengthen your protection of ePHI. At a minimum do this annually and definitely after you have a security incident.
- Locate your systems that contain ePHI in a secure room. In other words, make sure your server room is locked and restrict access to it. This includes unauthorized employees, patients, visitors, maintenance workers, etc.
- Keep track of all people that enter the server room including IT staff, maintenance workers, etc.
- Create and distribute a Computer Use Policy that lets employees know what is acceptable use of the practice’s computers. This addresses email, restricted websites, posting information on social networks, conducting illegal activity, etc.
- Implement procedures that ensure that all servers, desktops, laptops and mobile devices are secure. This includes applying security patches, vendor updates, etc.
- Implement procedures to protect ePHI stored on portable devices. This includes smartphones, laptops, USB drives, tape backups, etc. MAKE SURE YOU ENCRYPT ALL OF THESE DEVICES.
- Implement procedures to ensure you delete all ePHI on devices when you are discarding, recycling, donating or returning them. This includes laptops, desktops, servers, smartphones, USB drives, copy machines, x-ray machines, tape backups, etc. NOTE: Deleting the information is not enough. Use special software that ensures the data is permanently deleted and cannot be restored.
- Implement procedures to track portable devices that contain ePHI. Track them so you know where they are, who has them and whether they are lost or stolen.
- Ensure that each employee that accesses ePHI is assigned a unique username and password.
- Ensure that employees do not share usernames and passwords.
- Ensure that passwords are complex and not easily guessed (e.g. minimum of 8 characters, lower and upper case letters, numbers and special symbols – MsMi1@yo).
- Implement a procedure that forces employees to change their passwords on a regular basis (i.e. every 90 days).
- Implement a procedure that locks a user account after a certain number of failed password attempts (i.e. a user account will be locked and must be reset if the account is accessed with an incorrect password 5 times).
- Develop a procedure that in the event of an emergency, there is a way to access systems with ePHI to provide patient treatment. In other words, make sure that the lack of knowing certain passwords does not affect patient treatment.
- Implement a procedure that locks workstation screens after a predetermined time (i.e. after 15 minutes of inactivity, a workstation automatically locks and cannot be accessed. This is applicable if an employee walks away from their desk).
- Implement a procedure that automatically logs people off of systems that contain ePHI after a predetermined time. (see above).
- Ensure that all systems that contain ePHI are located securely behind a Firewall.
- Ensure that any remote access solution is secure and encrypted.
- Ensure that any wireless access to the network is secure and encrypted.
- Implement procedures that ensure all systems with ePHI have auditing turned on (i.e. record the username, date, time, action, etc. when accessing ePHI. Think system log files). Make sure your employees know that all actions involving ePHI are recorded and logged.
- Implement procedures to review all system log files on a regular basis. You are looking for events or notifications that there has been an attempt or an actual breach of ePHI.
- Make sure all smartphones have startup passwords and are encrypted.
- Implement procedures that ensure all email that contains ePHI is encrypted. Implement email encryption.
- Implement procedures that ensure all laptops and smartphones are encrypted. Implement full disk laptop encryption. Implement encryption on smartphones (yes, I realize that I have mentioned this at least 3 times – it is that important!!)
- Implement procedures that ensure any transmission of ePHI is encrypted. That includes email, FTP, etc.
- Ensure that all Business Associates (BA) sign a BA agreement. Ensure that BAs understand their role in protecting ePHI.
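Several of the items above (unique usernames, complex passwords, 90-day rotation, lockout after 5 failed attempts, auditing of every access, and regular log review) can be checked mechanically. The following Python module is an added example and is not code from the original post or from any product it mentions: it models a small account service that enforces those policy values, writes one audit line per event (username, date, time, action), and includes a reviewer that scans those lines for the signs of an attempted breach the checklist tells you to look for. The class and function names, the log line format and the scenario in `demo()` are all constructed for illustration; a real practice would apply the same settings in its directory service and review its real system logs.

```python
import re
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values taken from the checklist above.
MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 5
SYMBOLS = set(string.punctuation)


def password_meets_policy(password: str) -> bool:
    """Minimum 8 characters with lower case, upper case, a digit and a special symbol."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


@dataclass
class Account:
    username: str
    password: str           # clear text only to keep the example short; store a salted hash in practice
    password_set: datetime
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    """Unique accounts, lockout on repeated failures, 90-day rotation, audit line per attempt."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []   # constructed format: timestamp, username, action

    def _log(self, user: str, when: datetime, action: str) -> None:
        self.audit_log.append(f"{when:%Y-%m-%d %H:%M:%S} user={user} action={action}")

    def create_account(self, username: str, password: str, when: datetime) -> None:
        if username in self.accounts:
            raise ValueError("usernames must be unique")
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        self.accounts[username] = Account(username, password, when)
        self._log(username, when, "ACCOUNT_CREATED")

    def login(self, username: str, password: str, when: datetime) -> str:
        """Returns 'ok', 'failed', 'locked' or 'password_expired'; every attempt is logged."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log(username, when, "LOGIN_FAILED_UNKNOWN_USER")
            return "failed"
        if acct.locked:
            self._log(username, when, "LOGIN_REJECTED_LOCKED")
            return "locked"
        if password != acct.password:
            acct.failed_attempts += 1
            self._log(username, when, "LOGIN_FAILED_BAD_PASSWORD")
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True   # stays locked until the Security Officer resets it
                self._log(username, when, "ACCOUNT_LOCKED")
                return "locked"
            return "failed"
        acct.failed_attempts = 0
        if when - acct.password_set > MAX_PASSWORD_AGE:
            self._log(username, when, "LOGIN_OK_PASSWORD_EXPIRED")
            return "password_expired"
        self._log(username, when, "LOGIN_OK")
        return "ok"

    def unlock(self, username: str, new_password: str, when: datetime) -> None:
        """Reset by the Security Officer: new compliant password, counter cleared."""
        if not password_meets_policy(new_password):
            raise ValueError("password does not meet the complexity policy")
        acct = self.accounts[username]
        acct.password, acct.password_set = new_password, when
        acct.failed_attempts, acct.locked = 0, False
        self._log(username, when, "ACCOUNT_UNLOCKED")


LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+)$")


def review_audit_log(lines, threshold: int = LOCKOUT_THRESHOLD) -> dict[str, list[str]]:
    """Periodic log review: users with repeated bad passwords, accounts that were locked,
    and usernames that do not exist (a sign of guessing against the ePHI system)."""
    failures: dict[str, int] = {}
    findings: dict[str, list[str]] = {"lockouts": [], "repeated_failures": [], "unknown_users": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed line; a real review would count these as well
        user, action = m["user"], m["action"]
        if action == "LOGIN_FAILED_BAD_PASSWORD":
            failures[user] = failures.get(user, 0) + 1
        elif action == "ACCOUNT_LOCKED":
            findings["lockouts"].append(user)
        elif action == "LOGIN_FAILED_UNKNOWN_USER" and user not in findings["unknown_users"]:
            findings["unknown_users"].append(user)
    findings["repeated_failures"] = [u for u, n in failures.items() if n >= threshold]
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one account, a burst of bad passwords, a lockout, a reset."""
    svc = AuthService()
    t0 = datetime(2012, 3, 1, 8, 0, 0)
    svc.create_account("nurse.jones", "MsMi1@yo", t0)                # sample password from the list
    for i in range(LOCKOUT_THRESHOLD):
        svc.login("nurse.jones", "wrongpass", t0 + timedelta(minutes=i))
    svc.login("nurse.jones", "MsMi1@yo", t0 + timedelta(minutes=6))   # right password, but locked
    svc.login("dr.nobody", "anything", t0 + timedelta(minutes=7))     # username that does not exist
    svc.unlock("nurse.jones", "N3w!Pass", t0 + timedelta(hours=1))
    return review_audit_log(svc.audit_log)


if __name__ == "__main__":
    for category, users in demo().items():
        print(f"{category}: {users}")
```

Running the module prints the three finding categories for the constructed scenario; the lockout and the unknown username are exactly the kind of events the log review step asks you to catch and follow up under your incident procedure.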
As you can see, there are a lot of steps needed to be compliant with the HIPAA Security Rule. Keep in mind that compliance is an on-going process. You can implement some of the steps as you work towards compliance with the ultimate goal of implementing all of them.
Cross posted at Entegration Blog