How does my company become HIPAA compliant?

An organization that has access to electronic Protected Health Information (ePHI) needs a HIPAA compliance checklist. Its purpose is to ensure that the organization meets the HIPAA regulations covering the privacy and security of patient data. Failure to comply can result in substantial fines, and in some cases criminal charges and civil action.

The checklist is divided into sections, one for each applicable rule. There is no hierarchy among the HIPAA rules, and to understand the requirements properly it is recommended to take comprehensive HIPAA compliance training. Although some privacy and security measures are labelled "addressable", that does not make them optional: an addressable specification must be implemented, or an equivalent alternative adopted, unless the organization documents why it is not reasonable and appropriate in its environment. Every item on the checklist must be dealt with if the organization is to achieve full HIPAA compliance.

Technical safeguards
The technical safeguards concern the technology used to protect ePHI and to control access to it. HIPAA does not prescribe particular products. It does expect that ePHI leaving the organization's internal, firewalled servers is encrypted according to NIST-recognized standards, so that data exposed in a breach is unreadable and unusable. Within that constraint, organizations are free to select the mechanisms most appropriate for the following requirements.

Implementation of a means of access control
This means more than assigning each user a unique, centrally controlled username and PIN or password. It also means establishing procedures that govern the release and disclosure of ePHI in an emergency.

Introduction of a mechanism which authenticates ePHI
This mechanism is essential for HIPAA compliance because it confirms whether ePHI has been altered or destroyed in an unauthorized manner. In practice it is a technical control such as a checksum, message authentication code or digital signature over the stored data, backed by security policies and procedures that specify when integrity is checked and what happens when a check fails.

Implementation of tools for encryption and decryption
This requirement also extends to the devices used by authorized users: they must be able to encrypt messages before they are sent beyond the internal firewalled servers and to decrypt them on receipt. Correct use of these tools should be part of HIPAA compliance training.

Introduction of activity audit controls
Audit controls are required under the technical safeguards in order to record attempted access to ePHI and what was done with the data once it was accessed.

Facilitation of automatic logoff
Automatic logoff ends a session after a period of inactivity, logging authorized personnel off the device used to access or communicate ePHI. This prevents unauthorized access by anyone who reaches an unattended workstation.
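
Two of the safeguards above, the mechanism that authenticates ePHI and the activity audit controls, can be illustrated in code. The example below is added here and is not part of the original page or of any HIPAA guidance: it tags each ePHI record with an HMAC-SHA256 so that unauthorized alteration is detected, and keeps a hash-chained audit trail so that editing or deleting an earlier access entry breaks every later hash. The record contents, user names and the integrity key are constructed for the demo; a real deployment would fetch the key from a KMS or HSM rather than hard-coding it.

```python
"""Integrity control for ePHI records (HMAC-SHA256) plus a hash-chained audit log.

Added example, not code from the page. The key below is a constructed demo value;
assumption: a production system loads it from a KMS/HSM and never hard-codes it.
"""
import hashlib
import hmac
import json

# Constructed demo key (assumption: real key comes from a KMS/HSM).
INTEGRITY_KEY = bytes.fromhex("9f" * 32)


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its canonical form."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(tagged: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the tag matches the record's current content (constant-time compare)."""
    if "tag" not in tagged:
        return False
    body = {k: v for k, v in tagged.items() if k != "tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tagged["tag"])


class AuditLog:
    """Append-only access log; each entry hashes the previous one, so any edit or
    deletion of an earlier entry invalidates the chain from that point on."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _hash(prev_hash: str, entry: dict) -> str:
        return hashlib.sha256(prev_hash.encode() + canonical_bytes(entry)).hexdigest()

    def append(self, user: str, action: str, record_id: str, when: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"user": user, "action": action, "record_id": record_id,
                 "when": when, "prev": prev}
        entry["hash"] = self._hash(prev, entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._hash(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Tag a constructed record, alter it, and edit audit history; report what is detected."""
    record = {"patient_id": "P-0001", "diagnosis": "J06.9", "visit": "2024-03-01"}  # constructed
    tagged = tag_record(record)
    tampered = {**tagged, "diagnosis": "Z00.00"}  # unauthorized alteration of ePHI

    log = AuditLog()
    log.append("dr_smith", "read", "P-0001", "2024-03-01T09:00:00Z")     # constructed
    log.append("nurse_lee", "update", "P-0001", "2024-03-01T09:05:00Z")  # constructed
    intact_before = log.verify_chain()
    log.entries[0]["user"] = "someone_else"  # rewriting history after the fact

    return {
        "original_ok": verify_record(tagged),      # True: untouched record verifies
        "tampered_ok": verify_record(tampered),    # False: alteration detected
        "log_intact": intact_before,               # True: chain valid before editing
        "log_after_edit": log.verify_chain(),      # False: edited entry breaks the chain
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC key must be kept separate from the data store it protects; an attacker who can rewrite records and also read the key can simply re-tag them. Likewise, the audit chain only proves that entries have not been modified since they were written, so the latest hash should be periodically copied somewhere the application cannot overwrite (a write-once store or a separate system) to prevent the whole chain from being regenerated.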

Physical safeguards
These focus on physical access to ePHI and on the HIPAA security policies that protect its physical location.
ePHI may be stored in a data center, on on-premises servers or in the cloud; in each case, facility access controls must be implemented. The policies should also specify how workstations and devices that access ePHI may be used.

Administrative safeguards
These safeguards are the policies and procedures that bring the Privacy Rule and the Security Rule together. They include conducting regular risk assessments and introducing a risk management policy that addresses the findings of those assessments.