HIPAA Security Rule Checklist

A HIPAA Security Rule checklist helps covered entities, business associates, and other organizations subject to HIPAA compliance to fulfil the requirements of the Security Standards for the Protection of Electronic Protected Health Information (better known as the HIPAA Security Rule). Complying with the Security Rule Standards can reduce the likelihood of HIPAA violations and data breaches attributable to human error and bad actors.

Introduction to the HIPAA Security Rule

The HIPAA Security Rule in Part 164 Subpart C of the HIPAA Administrative Simplification Requirements consists of regulations, standards, and implementation specifications that have the objective of ensuring the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) created, collected, maintained, or transmitted by covered entities, business associates, and other organizations subject to HIPAA compliance.

All organizations subject to HIPAA must comply with the “applicable” Security Rule regulations, standards, and implementation specifications. However, because the Security Rule is technology neutral, organizations are allowed a “flexibility of approach” with regards to which security measures are implemented. The flexibility of approach also extends to how organizations fulfil the requirements of “addressable” implementation specifications.

What is a HIPAA Security Rule Checklist?

A HIPAA Security Rule checklist is a summary of the main regulations, standards, and implementation specifications likely to be applicable to most organizations. The checklist is a summary because, given the different types of organizations required to comply with the Security Rule and the flexibility of approach the Security Rule allows, there is no one-size-fits-all HIPAA Security Rule checklist that will match every organization’s requirements.

Organizations should use this HIPAA Security Rule checklist as the foundation of their own checklists – paying careful attention when developing a checklist to the General Requirement (§164.306(a)) that organizations not only have to protect against any reasonably anticipated threats to the security and integrity of ePHI, but also protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required by the Privacy Rule.

Who This HIPAA Security Rule Checklist Is For

This HIPAA Security Rule checklist is for any member of the workforce with a responsibility for HIPAA compliance. This could be the HIPAA Security Officer or a member of the Compliance Team depending on the size of the organization, or – if elements of compliance are delegated to other teams – this HIPAA Security Rule Checklist could be a valuable guide for a member of an IT, HR, Legal, or Security Team.

With regards to the types of organization this HIPAA Security Rule checklist should help, it has been designed not only to be relevant to HIPAA covered entities and business associates, but also to subcontractors of business associates, vendors of personal health devices, and organizations that do not qualify as covered entities under HIPAA, but may do so under a state law – for example, the Texas Medical Records Privacy Act.

10 Important Elements of Security Rule Compliance

While it is important to review and understand every Security Rule regulation, standard, and implementation specification, there are ten important elements of Security Rule compliance that will apply to most organizations.

1. Read the Security Standard General Rules

The Security Standard General Rules include the conditions that apply when exercising the flexibility of approach and determining when an addressable implementation specification is not reasonable or appropriate. It is important not to bypass this section because the standards and implementation specifications within it are relevant to the remainder of the checklist.

2. Conduct a Thorough Risk Assessment

In order to ensure the confidentiality, integrity, and availability of ePHI, it is necessary to know how and where ePHI is created, collected, maintained, and transmitted. For this reason, it is important to identify any unsanctioned software and apps used by members of the workforce (“Shadow IT”) and any systems or devices they connect to.

3. Control and Monitor All Access to ePHI

Depending on the outcome of the risk assessment, you will be in a better place to determine what access controls are required to ensure only authorized members of the workforce have access to ePHI. However, it will still be necessary to monitor access in order to identify when passwords are shared impermissibly or when login credentials are compromised.

4. Develop a Training Program and Sanctions Policy

The Security Rule requires all organizations to implement a security awareness training program for all members of the workforce regardless of their access to ePHI. Organizations are also required to develop and enforce a sanctions policy for any violation of a security policy or procedure, regardless of whether the violation results in a data breach.

5. Implement Procedures for Reporting Security Incidents

The Security Rule requires organizations to implement policies and procedures to manage security incidents; but, for this standard to be effective, organizations must become aware of security incidents as quickly as possible. For this reason, it is advisable to implement procedures that require members of the workforce to report security incidents promptly.

6. Disaster Recovery and Emergency Mode Operation

Most healthcare providers have to implement measures for disaster recovery and emergency mode operation as a condition of participating in Medicare. However, as downstream disasters can affect healthcare providers’ operations, it is essential that all organizations develop, test, and revise disaster recovery and emergency mode operation plans.

7. Business Associate and Subcontractor Agreements

The reason for including business associate and subcontractor agreements in this HIPAA Security Rule checklist is to remind organizations to refer to §164.504(e) of the Privacy Rule, which includes important information about conducting due diligence on business associates and subcontractors before releasing ePHI to a third party.

8. Configure Software to Comply with the Security Rule

Most modern software solutions include capabilities such as data integrity controls, encryption, and automatic logoff. However, the software is not always configured by default to comply with the Security Rule. The settings of all software used to create, collect, maintain, or transmit ePHI should be reviewed to ensure the software is used compliantly.

9. Address Threats to Facility, Device, and Media Security

It is a best practice to maintain an inventory of devices and media used to create, collect, maintain, and transmit ePHI; and, in addition to ensuring that the devices and media are protected from unauthorized access, the facilities in which they are located should also be protected from unauthorized access to prevent tampering and theft.

10. Schedule a Review of the HIPAA Security Rule Checklist

The final implementation standard in the Security Rule requires organizations to maintain documentation, review it periodically, and update it as required in response to environmental or operational changes. Due to the changes expected in 2024, organizations are advised to schedule a review of the HIPAA Security Rule checklist for within twelve months.

Expected Changes to Security Rule Standards in 2024

In December 2023, the Department of Health and Human Services published a Healthcare Sector Cybersecurity Strategy – a concept paper that proposes measures to secure the healthcare industry from cyber threats in line with President Biden’s National Cybersecurity Strategy. One of the measures proposed in the concept paper is to update the Security Rule to include new cybersecurity requirements.

Due to the length of time it takes for proposed Rules and changes to existing Rules to evolve into Final Rules, it is unlikely the new cybersecurity requirements will take effect in 2024. However, there are several other Rule changes in the pipeline that are likely to impact Security Rule compliance in 2024. These include (but are not limited to):

  • The publication of “recognized security practices” that will be considered when determining the amount of a civil monetary penalty for violating HIPAA.
  • The requirement to include disclosures of ePHI for treatment, payment, and healthcare operations in an accounting of disclosures (see 42 USC §17935(c)).
  • The application of HIPAA violation penalties to impermissible disclosures of Substance Use Disorder Patient Records currently protected by 42 CFR Part 2.
  • A new category of “attested” uses and disclosures to prevent reproductive health care data being used or disclosed for a “non-health” purpose.

Organizations that encounter challenges in preparing for these expected changes – or that have difficulty developing a HIPAA Security Rule checklist – are advised to seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
