HIPAA Security Rule explained in layman IT terms
Our HIPAA Risk Assessment and gap analysis focuses exclusively on compliance with the HIPAA Security Rule, which covers many aspects of your IT infrastructure and security policies from multiple perspectives. Here is a plain-English explanation of what these "rules" relate to, and what we look at when we conduct HIPAA risk assessments for our clients.
Administrative Safeguards (HIPAA § 164.308)
We check that you have implemented appropriate and enforceable policies and procedures to prevent, detect, contain, and correct security violations. This includes: ensuring that only appropriate members of staff have access to ePHI and that unauthorized staff cannot obtain access; having procedures for creating, updating and safeguarding passwords, and for monitoring all login attempts for any device at any location; ensuring you have implemented measures to guard against viruses and malware; verifying that you have implemented security awareness training programs for all staff; and verifying that you have disaster recovery mechanisms for recovering from system failures on equipment containing ePHI.
Physical Safeguards (HIPAA § 164.310)
We check that you have policies and procedures to limit physical access to information systems and to the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. For example, is your office admin or security guard prevented from having direct access to a physical server containing ePHI? This may include everything from having procedures to log repairs to doors, locks, windows, etc., to enforcing key-card access to restricted areas, or deploying video cameras in areas where ePHI might be at risk of unauthorized access or theft (for example, if the area were temporarily unattended during an emergency). It also includes ensuring that you have procedures to purge ePHI from devices and portable media (CDs, thumb drives, etc.) before disposing of or reusing equipment and storage media, and that you track the whereabouts and custody of every device.
Technical Safeguards (HIPAA § 164.312)
We verify that you have implemented access control policies at all levels (i.e. who can access which digital resources), from server root access down to basic login IDs; that you can identify precisely who did what, based on unique, traceable electronic identities; and that you can authenticate that a user is who they claim to be, using proven mechanisms such as two-factor authentication. This includes ensuring that not just users, but also other programs, have only the minimum access rights they absolutely need. It also includes preventing unauthorized access to programs and systems, and ensuring that screens and sessions time out after a predetermined period. You might think this is all taken care of by the HIPAA-compliant EHR systems you use, and for the most part it is. But these are not the only software you use, and one way or another ePHI inevitably finds its way into other systems, including general-purpose office tools that were never designed with security protocols as stringent as those of EHR systems. It also covers checking that transmitted data is properly encrypted, that you have ways to verify that transmitted data has not been altered without your knowledge, and that there is an indisputable audit trail.