The Technical Safeguards Requirement in HIPAA focuses on storing electronic ePHI, also called Protected Health Information. The Security Rule focuses on security requirements. The technical safeguards requirements centers on the technology aspect. Business associates, healthcare providers, and covered entities are required to complete audits to prove they are complying with regulations. This means new customers are assured their security is safe. Becoming HIPAA compliant means assessing mitigation controls and security risks.
Assessment Checklist: HIPAA Technical Safeguards Risk
HIPAA was Enacted in the Late 1990s to Assist People Changing Jobs
In 1996, HIPAA was created to protect people’s health information as they moved from job to job. It was the U.S. Department of Health and Human Services (HHS) additionally passed another privacy rule. This was done in 2003. The rule, Protected Health, and Information (PHI) was passed to cover information regarding a person’s health status, health care payment and provision of healthcare.
The HIPAA Security Rule focused on electronically stored ePHI in 2005. The updated required three new compliance safeguards. The first was administrative safeguards for procedures and policies to show compliance. The second, physical safeguards, includes controlling data storage access. The last type focused on technical compliance. The technical safeguards must include PHI communications that are electronically transmitted via open networks.
Who is Considered a Healthcare Provider?
HIPAA defines healthcare providers as those who are determined to be the Secretary to be capable of providing health care services. These professionals include doctors of osteopathy and medicine who are authorized to practice surgery as determined by the state where they are practicing medicine. If an individual or business engages the practice of medicine or treatment of sick people, they must follow HIPAA.
What does HIPAA consider a Covered Entity?
According to HIPAA, covered entities include healthcare providers, healthcare clearinghouse and health plans that electronically transmit health information.
What Does HIPAA Consider a Business Associate?
The term “business associate” has allowed HIPAA to include more individuals and businesses in following its regulations. The law defines any business associate as an entity or individual involved in the disclose or use of protected health information while providing services to a covered entity. This also means those who are using or disclosing the information on behalf of the covered entity must also comply with HIPAA rules and regulations.
This is pretty much a broad definition that includes every company and individual from third-party administrators helping process healthcare claims to certified public accountants protecting health information. If an individual or company view any information that identifies someone as a patient, the covered entity or health care provider must ensure the business associate is HIPAA compliant.
What Can I Become HIPAA Compliant?
Risk assessment is the first step to becoming HIPAA compliant. The risk assessment determines technical safeguards, administrative safeguards, and physical safeguards. the areas of greatest vulnerability. According to the Office of the National Coordinator for Health Information Technology, the Security Risk Assessment Tool was created to help organizations identify what areas in their system was the most at risk. This tool has 156 questions separated into three categories: administrative safeguards, technical safeguards, and physical safeguards.
What to Know about the Technical Safeguards?
According to HIPAA Security Rules, business associates and covered entities are required to protect ePHI by having controls that create a secure IT environment. Any time ePHI is unsecured, it creates a legal problem according to HIPAA laws. It also puts at risk the integrity, availability, and confidentiality of patient information.
Technical Safeguards Plan and Policy Involve:
- Share access control policy about scope purpose, roles, management commitment, responsibilities, compliance, and coordination between organizational entities with workforce members.
- Establish all technical procedures and policies for electronic information systems that maintain authorized access for ePHI.
- Inform workforce members about the implementation of access control policies connected to access controls.
Risk Assessment Involves:
- Creating information systems within your environment. These inventory of information systems must include applications, software, applications and electronic devices.
- Determine all risks connected to having remote access to patient data.
- Review the responsibilities and roles involved in information risk.
- Identify the electronic devices and information system components with data capabilities.
- Review business associate roles and risks to ePHI.
- Review all the risks to ePHI by having particular business associates and their roles.
- Measure and assess malicious or intentional disclosure risk coming from all reception or information transmission.
- Review all important audit events such as storing, creating and transmitting ePHI for timing for risk-based categorizations.
- Measure and assess any malicious or unintentional information modification or access when preparing to receive or transmit patient data. Review authentication requirements to ensure scalability, practicality, and security when balancing ease of ePHI access and protected information systems that adequately mitigate risk.
- Review all authentication requirements to make sure practicality, scalability and security are correct when balancing the protection and access to ePHI and information systems. These are the information systems and ePHI access that have a mitigated risk.
User Authorization/Segregation of Duties Involve:
- For segregation support of duties, have each workforce member separate service duties and providers regarding ePHI access authorizations.
- For the creation, storage and process of ePHI within all information systems, review all user activities regarding each activity.
- Enforce RBAC to use the least privilege/principle of minimum necessary accident for ePHI.
- Enforce RBAC policies based on the needs and duties of workforce members and service providers.
Authorization and Identification Involve:
- Create an identification for each worker that is unique for each workforce member. This authorization policy should address purpose, roles, purpose, responsibilities, management commitment, compliance, and organizational entity coordination.
- Create an identification for every workforce member within a group for accountability purposes.
- Create and implement a registration process that includes supervisory authorization for each new identifier.
- Assign a different, unique number and/or name to identify and track user activities.
- Stop any type of reuse of information system account identifiers.
- Include auto log-off capabilities with electronic devices and identify information system components.
- Incorporate electronic procedures that automatically limit activity time and limit activity time.
- Use session locks for user requests and inactivity.
- Create rules for users to continue sessions after inactivity. To re-establish access, users must be able to complete the correct authentication procedures such as passwords and biometrics.
- Create any short-term emergency accounts that allow users emergency access.
- Establish an automatic deactivation or removal of any emergency account once all business operation returns to normal.
Have a Contingency Plan and Policy
It is important to establish and implement procedures for obtaining ePHI during an emergency. Define circumstances and emergency that could trigger a contingency plan. These circumstances include environmental and natural threats. Also, identify all individuals responsible for activating any emergency access methods. It is vital to establish an alternative storage site with all the required permit storage necessary. This area should be able to retrieve the exact ePHI copies. The alternative storage site must have security safeguards that are comparable to the onsite security safeguards.
