HIPAA Compliance Checklist

Posted on June 22, 2012

Posted by Gerben Meijer in Cloud Security 0 Comments

Worried about compliance issues? Concerned you might miss a step? Learn what needs to be done in order for your organization to stay HIPAA compliant in the cloud with Tech Target’s HIPAA compliance checklist featured below:

Risk Analysis: (R) Perform and document a risk analysis to see where PHI is being used and stored and to determine what all possible ways HIPAA could be violated are
Risk Management: (R) Implement measures sufficient to reduce these risks to an appropriate level.
Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
Officers: (R) Designate HIPAA Security and Privacy Officers
Employee Oversight: (A) Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
Multiple Organizations: (R) Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
ePHI Access: (A) Implement procedures for granting access to ePHI and which document access to ePHI or to services and systems which grant access to ePHI.
Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
Protection against Malware: (A) Have procedures for guarding against, detecting, and reporting malicious software.
Login Monitoring: (A) Institute monitoring of logins to systems and reporting of discrepancies.
Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
Response and Reporting: (R) Identify, document, and respond to security incidents.
Contingency Plans: (R) Ensure there are accessible backups of ePHI and that there are procedures for restore any lost data.
Contingency Plans Updates and Analysis: (A) Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
Emergency Mode: (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Evaluations: (R) Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
Business Associate Agreements: (R) Have contracts with business partners who will have access to your PHI to ensure that they will be compliant.

HIPAA Physical Requirements

Contingency Operations: (A) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security: (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control and Validation: (A) Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security
Workstations: (R) Implement policies governing what software can/must be run and how it should be configured on systems that provide access ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
Devices and Media Disposal and Re-use: (R) Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.
Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA Technical Requirements

Unique User Identification: (R) Assign a unique name and/or number for identifying and tracking user identity.
Emergency Access: (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Encryption and Decryption: (A) Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
Audit Controls: (R) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
ePHI Integrity: (A) Implement policies and procedures to Protect electronic protected health information from improper alteration or destruction.
Authentication: (R) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Transmission Security: (A) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Interested in learning more about HIPAA Cloud Compliance? Check out some of our other articles to find out how you can stay compliant while using cloud computing.

DISCOVER

Download the 27 tips for buying Cloud Infrastructure eBook