Any organization that has access to electronic Protected Health Information (ePHI) is required to comply with HIPAA (Health Insurance Portability and Accountability Act of 1996).
Given that HIPAA applies to a wide range of covered entities and business associates, the requirements can be somewhat vague, which makes it difficult to know where to start. To help with this, below are 15 key questions that need to be answered, in order to satisfy the HIPAA compliance requirements.
1- Are you carrying out regular HIPAA risk assessments?
You will need to identify and document all possible cases where ePHI might be at risk. For example, if you have a large number of open shares, or large volumes of modifications or copy events taking place to files containing ePHI, you could be at risk.
2- Do you have a HIPAA risk management policy in place?
You will need to document how frequently your risk assessment should be carried out, including the steps you have taken to minimize the risk of an ePHI breach. The policy should also include details about the penalties associated with failing to comply.
3- Do you have a HIPAA incident response plan (IRP) in place?
An IRP is required to provide IT staff members with a standard set of procedures to follow in the event of a security incident such as a breach of HIPAA regulations. Every member of staff should be aware of their responsibilities and what to do.
4- Are you regularly testing your IRP?
Naturally, if you have an IRP in place, you will need to test it to ensure that it is effective. You will also need to update the plan as the threat landscape evolves, which will be more often than you think.
5- Are you restricting third-party access to PHI?
You will need to ensure that you have a Business Associate Agreement (BAA) with any contractors or vendors who have access to ePHI. This is required under HIPAA regulations to ensure that the responsibility of HIPAA compliance isn’t handed off to third parties. You cannot pass the buck.
6- Are you carrying out regular HIPAA security awareness training?
Given that most data breaches are, in some way or another, caused by employees, regular (at least once a year) cyber security training is a must. Employees will need to be trained to identify phishing emails and malicious websites/applications. They must also have at least a basic understanding of the relevant compliance requirements, and be aware of the consequences, should they fail to comply.
7- Are you documenting/reporting all HIPAA-related security incidents?
In addition to the breach notification rule, service providers and their business associates should report all security incidents, regardless of whether a breach has occurred or not. This is not only good practice, it could save you significant fines if you do eventually experience a HIPAA-related breach.
8- Do you have an access control policy in place?
You will need to assign access controls according to the “principal of least privilege”, to ensure that access to ePHI is only granted to those who genuinely need it. This helps prevent excessive permissions and reduces the risk of your users abusing their privilege to gain access to sensitive data.
9- Do you know where your ePHI resides?
In order to analyze user behavior and assign the correct permission to files, you need to know whether the data within the files relates to HIPAA. There are a number of data classification tools on the market, which can automatically discover and classify ePHI.
10- Are you monitoring access to ePHI?
You need to be monitoring the behavior of users who have access to PHI, in order to spot anomalies. There are a number of real-time change auditing and monitoring solutions that can automatically detect, alert and respond to changes made to your ePHI. Most sophisticated solutions can detect unauthorized access to privileged accounts, multiple failed login attempts, bulk file encryption, inactive user accounts, and a lot more. They also provide a wealth of customizable reports, which can be presented to the supervisory authorities on request.
11- Are you encrypting sensitive data both at rest and in transit?
All ePHI must be encrypted both at rest and in transit. You will either need to use an automated encryption tool or use a third-party encryption service. If you choose a third-party service, you will need to make sure they have a BAA.
12- Are you using automatic logoffs on all devices that have access to PHI?
Any device that contains ePHI should be configured to automatically log-off if no user activity has been detected within a given timeframe.
13- Do you have a workstation policy in place?
A workstation policy defines how physical devices, such as computer monitors, are positioned in order to prevent unauthorized personnel from snooping while the user is either working or away from their desk.
14- Do you have a BYOD policy in place?
A BYOD (Bring Your Own Device) policy consists of three main components: A way to manage the devices that connect to your network, a policy that defines how these devices can and can’t be used, and an agreement which employees are required to sign to confirm that they understand their responsibilities.
15- Do you have a policy that defines the physical safeguards for protecting ePHI?
In addition to safeguarding ePHI through encryption, real-time auditing and cyber security training, covered entities must ensure that their physical premises are also secure. The policy should outline the physical safeguards that are in place, including detailed information about locks, alarms, CCTV cameras, and so on.
If you need help getting the answers to these questions, or you are ready to take a look at a Data Security Platform designed to help meet HIPAA compliance, schedule a demo with one of our engineers today.