A HIPAA Security Rule Risk Assessment Checklist For 2018

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The HIPAA Security Rule focuses on safeguarding electronic Protected Health Information (ePHI) wherever it is stored, processed or transmitted. As a healthcare provider, covered entity and/or business associate you must be able to demonstrate regulatory compliance, typically through an audit, so that new customers can trust you with their data. Your first step toward HIPAA compliance is a security risk assessment followed by mitigating controls.

Who is a health provider?

Under HIPAA, a healthcare provider is any person or organization that practices medicine or otherwise furnishes health care to patients: for example, a doctor of medicine who is authorized to practice medicine or surgery by the state in which he or she operates, or any other person determined by the Secretary of Health and Human Services to be capable of providing health care services.

Under HIPAA, health plans, healthcare clearinghouses and any healthcare provider that transmits health information electronically in connection with a HIPAA-covered transaction are covered entities.

A business associate is any person or entity that creates, receives, maintains or transmits protected health information on behalf of a covered entity. In practice, anyone who handles patient information for a covered entity must also comply with HIPAA.

Requirements for Compliance with HIPAA

To ensure you are compliant with HIPAA, you must perform a risk assessment; it identifies where your vulnerabilities lie. One way to perform it is with the Security Risk Assessment (SRA) Tool published by the Office of the National Coordinator for Health Information Technology (ONC). The tool walks you through a 156-question assessment that helps you identify your most significant risks.

The tool groups these questions into three classes, namely:

  1. Administrative safeguards
  2. Technical safeguards
  3. Physical safeguards

Administrative safeguards requirements

The administrative safeguards require you to develop, document and implement policies and procedures to assess and manage risk to ePHI.

To develop appropriate safeguards, start by working through the following areas:

Risk Assessment:

  • Create an inventory of all information systems, electronic devices and mobile media that store or handle ePHI.
  • Identify threats and vulnerabilities in technology, processes, workforce and vendors to determine the likelihood of a data breach and estimate the potential harm.
  • Develop and implement a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination and compliance, and that outlines the procedures and controls used to carry out the assessment.
  • Share the documented risk assessment policy with the workforce members responsible for mitigating threats and vulnerabilities.
  • Review unauthorized and inappropriate access to ePHI that could compromise data confidentiality, integrity and availability, as well as potential unauthorized disclosure, loss and theft.

Security Plan and Policy:

  • Create a security plan that includes a continuity plan, an emergency access plan, a disaster recovery plan and a vendor management plan.
  • Develop, document and share with workforce members a security planning policy, with training, that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination and compliance, and that outlines the procedures and controls used to implement security.
  • Define appropriate sanctions for individuals who do not comply with information security policies, and document the sanctions you apply.
  • Create audit and system monitoring procedures to detect inappropriate access to information.
  • Review and update the plan periodically, and whenever operational or environmental changes affect it, and document each review.
  • Designate a senior-level security official responsible for developing and implementing the policies and procedures that protect the covered entity and its business associates against risk.
  • Ensure the person responsible for security has the education and experience in system review, vulnerabilities and mitigation practices needed to advise management on security investments.

For access authorization, ensure the following:

  • Workforce and service-provider roles and duties are defined so that access to ePHI is limited to what each role requires.
  • Workforce members have access to an access control policy that defines purpose, scope, roles, responsibilities, management commitment, coordination expectations and compliance requirements.
  • The principle of minimum necessary access applies to ePHI.
  • Access is role-based, determined by job description and responsibilities.
  • Processes restrict access to media, digital and non-digital, that contain ePHI.
  • The locations of ePHI, and the workforce members who can access it, are supervised.
  • A procedure allows the IT department to create, enable, disable and remove accounts, and to assign account privileges, based on user groups.
  • A list of authorized personnel identifies each person's access level to facilities and information systems that contain ePHI.
  • Processes monitor the security roles and responsibilities of third-party providers with access to ePHI.
  • Role-based screening criteria and risk designations are documented.
  • Screening policies are applied to individuals before access is granted.
  • Access termination policies for workforce members are developed and implemented.
  • Procedures exist for retrieving all security-related information system property when a workforce member's access needs change.
  • Current, ongoing and physical access authorizations are reviewed.

For security awareness, ensure the following:

  • Develop, document and share with workforce members a security awareness policy, with training, that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance and procedures, so that they understand security awareness.
  • Periodically review the awareness training so that it aligns with current systems and threats.
  • Train and update workforce members when their role changes or in response to system changes.
  • Ensure the security awareness training covers cyber-attacks, unauthorized access and malicious email attachments, including how to recognize spear phishing.
  • Retain all training materials for the workforce and associated members.
  • Continuously monitor information systems for possible attacks and unauthorized connections.
  • Monitor the physical environment of information systems to detect possible security incidents.
  • Share security information with workforce members on an ongoing basis.
  • Develop procedures for guarding against, detecting and reporting malicious software.
  • Deploy automated mechanisms and tools that track security incidents and periodically collect and analyze information.
  • Establish password management policies and procedures that cover password requirements, protection, changes, privacy and safeguarding.

Having done all that, you are required to develop an incident response plan for use in the event a security incident occurs. Your incident response plan should ensure that you:

  • Have established training that aligns with each workforce member's role and responsibilities.
  • Have established mechanisms to identify and respond to suspected or known security incidents, including the mitigation and documentation steps required.
  • Share the incident response policy with your workforce members.
  • Provide incident response training to information system users consistent with the response policy.

For contingency planning, ensure the following:

  • You have developed a contingency planning policy.
  • The policy covers a variety of emergencies such as fire, vandalism and natural disasters, to name but a few.
  • You have a system restoration procedure.
  • You regularly update your contingency policy.
  • You have backups of your systems from which you can retrieve exact copies of ePHI.
  • You regularly test continuity and emergency operations.

Having done all that, you should develop a third-party monitoring policy that:

  • Establishes, reviews, documents and modifies third-party access.
  • Assures covered entities that their information is safeguarded.
  • Documents all third-party assurances through written contracts.
  • Reviews contracts to ensure they align with ePHI disclosure procedures.
  • Maintains an ongoing third-party monitoring process that reviews security roles and responsibilities.

Having done all that, you finally have to develop an Information Retention Policy that addresses the following:

  • Retain information as required by federal laws, executive orders, directives, policies, regulations, standards and operational requirements.
  • Cover the full lifecycle of information systems, including but not limited to their disposal.
  • Retain required documentation for at least six years from the date of its creation or the date it was last in effect, whichever is later.
  • Provide an audit reduction and report generation capability.
  • Retain all role-based authorization records.
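The access review called for under access authorization (reviewing inappropriate access against the list of authorized personnel and their access levels, and enforcing access termination) and the audit reduction and report generation capability called for here are two halves of the same control. The following is an added example, not code from the original article or from the SRA Tool, of a minimal audit reduction pass: it takes ePHI access log entries, checks each against an authorized-personnel list and account-termination records, keeps only the entries that need review, and renders a summary report. The log format, account names, roles and dates are all constructed for the example.

```python
"""Audit reduction for ePHI access logs (illustrative example).

Reads access log entries, flags the ones that conflict with the
authorized-personnel list or with account termination records, and
produces a summary report. Log format, accounts and dates are constructed
for this example and are not from any real system.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, account, action, patient record id.
SAMPLE_LOG = """\
2018-03-05T08:12:44 user=dr.alvarez action=READ patient=P1001
2018-03-05T08:14:02 user=nurse.kim action=READ patient=P1001
2018-03-05T09:30:11 user=billing.lee action=READ patient=P1002
2018-03-05T11:47:59 user=nurse.kim action=EXPORT patient=P1003
2018-03-05T13:02:18 user=former.chen action=READ patient=P1002
2018-03-05T14:20:05 user=ghost.user action=READ patient=P1004
2018-03-05T15:05:40 user=dr.alvarez action=READ patient=P1003
"""

# Constructed authorized-personnel list: each account's role and the actions
# that role may perform (the "access level" the checklist asks you to record).
AUTHORIZED = {
    "dr.alvarez": {"role": "physician", "actions": {"READ", "WRITE", "EXPORT"}},
    "nurse.kim": {"role": "nurse", "actions": {"READ", "WRITE"}},
    "billing.lee": {"role": "billing", "actions": {"READ"}},
    "former.chen": {"role": "nurse", "actions": {"READ", "WRITE"}},
}

# Constructed termination records: access should have been removed by this date.
TERMINATED = {"former.chen": datetime(2018, 3, 1)}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return rec


def classify(rec, authorized=AUTHORIZED, terminated=TERMINATED):
    """Return the reason an access is inappropriate, or None if it is permitted."""
    user = rec["user"]
    if user not in authorized:
        return "unknown account"
    if user in terminated and rec["ts"] >= terminated[user]:
        return "access after termination"
    if rec["action"] not in authorized[user]["actions"]:
        return "action exceeds role"
    return None


def reduce_audit_log(text, authorized=AUTHORIZED, terminated=TERMINATED):
    """Audit reduction: keep only entries that need review and summarise the rest."""
    findings = []
    by_user = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_user[rec["user"]] += 1
        reason = classify(rec, authorized, terminated)
        if reason:
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                             "action": rec["action"], "patient": rec["patient"],
                             "reason": reason})
    return {"entries_reviewed": sum(by_user.values()),
            "entries_flagged": len(findings),
            "accesses_by_user": dict(by_user),
            "findings": findings}


def render_report(report):
    """Render the reduced log as a plain-text report for the reviewer."""
    lines = [f"ePHI access review: {report['entries_reviewed']} entries, "
             f"{report['entries_flagged']} flagged"]
    for f in report["findings"]:
        lines.append(f"  {f['ts']} {f['user']} {f['action']} "
                     f"{f['patient']}: {f['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(reduce_audit_log(SAMPLE_LOG)))
```

On the constructed sample this flags three of seven entries: an EXPORT by a role that is only permitted READ and WRITE, a read by an account whose access should have been terminated, and a read by an account that is not on the authorized list at all. The same pass can be extended with whatever other criteria your risk assessment identifies, such as access outside a clinician's patient panel or outside working hours; the point is that the reduced output, not the raw log, is what the reviewer signs off on and what is retained with the review records.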

Author Bio

Ken Lynch – Reciprocity

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.