HIPAA Security Compliance in IT
IT security is a moving target. With cybercriminals using new ransomware and hacking tools to attempt to steal your data every day, security safeguards need to be in place to stay HIPAA compliant. We have created a safeguards checklist to help your organization stay HIPAA compliant.
When breaking down the technical safeguards for IT security within HIPAA compliance, five standards need to be followed under the Security Rule:
Access Control – The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Audit Controls – Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).
Integrity – The property that data or information have not been altered or destroyed in an unauthorized manner.
Authentication – Procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security – Technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
Across the five standards there are nine sub-standards (implementation specifications) that also need to be checked off. Some sub-standards are required, while others are addressable, meaning the organization must assess whether the specification is reasonable and appropriate and, if not, document why and implement an equivalent alternative:
Access Control – Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
Access Control – Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
Access Control – Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Access Control – Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Integrity – Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security – Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
Transmission Security – Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
There are many layers to HIPAA compliance, and various options for managing risk to the security of sensitive health information. If you would like to know more about how Yeo & Yeo Technology can help your business become compliant, contact us today.