HIPAA compliance is tough, let’s agree on this. At the same time, let’s also agree that it’s not impossible. It all boils down to understanding the requirements and building your technology, your policies, your practices and your employee/management attitude around it.
As the first step towards HIPAA compliant software development, you need to understand the detailed specifications and safeguards that fall under the HIPAA guidelines. In the previous part we presented a checklist for the technical and physical safeguards.
This part provides the HIPAA compliance checklist for the remaining two groups: the administrative safeguards and the organizational, policy and documentation requirements.
Checklist of HIPAA Administrative safeguards
We’ve covered the technical and physical safeguards portions of the HIPAA compliance guidelines. We’ll now focus on the administrative safeguards, which provide the foundation for the other safeguard strategies. These measures are designed not only to establish the services and systems that make up your company’s safeguards, but also to manage the behavior of your workforce with respect to protecting PHI. This part of the checklist is extensive and comprises more than 50% of the HIPAA security safeguard requirements.
1. Security Management Process
Your organization must have end-to-end solutions to address security violations. There are four implementation specifications that prevent, detect, contain, and correct such violations.
- Risk Analysis (Required) – Your company must identify security risks and calculate both the probability of and the magnitude of such risks. Such risks can include the flow of PHI through your organization and the associated security concerns resulting from the flow of information.
- Risk Management (Required) – Once the risks are identified, your organization must put measures in place to reduce them to a reasonable and appropriate level. This includes communicating the identified risks and the chosen mitigations to leadership and to the wider organization.
- Sanction Policy (Required) – Your organization must have consequences in place for those who fail to comply with established procedures and put PHI at risk. These consequences must be significant enough to deter noncompliance and clearly communicated to your staff via employee handbooks and other forms of documentation.
- Information System Activity Review (Required) – The entirety of your organization’s security related to PHI must be regularly reviewed. This includes access logs, usage reports, and incident tracking documentation.
2. Assigned security responsibility
One of the simplest yet vital standards, this portion of the HIPAA compliance checklist requires your organization to designate a security official responsible for policy creation and enforcement of HIPAA standards.
3. Workforce security
HIPAA guidelines state that a covered organization must develop an organizational model within the workforce that breaks down what PHI can be accessed according to position responsibilities. This standard requires three addressable implementation specifications.
- Authorization / supervision (Addressable) – Job descriptions must establish the level of access to PHI each position in the hierarchy requires in order to accomplish job tasks. They must also establish which positions have the authority to grant or modify PHI access.
- Workforce clearance procedure (Addressable) – There must be an established vetting process to ensure individuals operating in roles with certain levels of access to PHI are able to acquire the necessary clearances to do so.
- Termination procedures (Addressable) – Procedures must be established to remove access to PHI when employment ends, or when access must be removed because a person’s role or clearance level has changed.
4. Information access management
This operational standard requires your organization to provide access to PHI in compliance with the HIPAA Privacy Rule, which allows access to PHI only in situations where it’s necessary and appropriate to do so. This part of the HIPAA compliance checklist includes three implementation specifications.
- Isolating health care clearinghouse functions (Required) – If a health care clearinghouse is part of a larger organization, the clearinghouse must protect its PHI from unauthorized access by the rest of that organization. This can be accomplished through the separation of systems or other security measures.
- Access authorization (Addressable) – The policies and procedures required by the Workforce Security standard apply here as well, by defining who can access the information and the procedures for doing so.
- Access establishment and modification (Addressable) – As with the termination procedures, this specification requires methods for granting and modifying access to PHI, as well as documentation of such changes.
5. Security awareness and training
The checklist items under this heading aim to promote staff awareness and buy-in. This can include training and distributed communications when changes are made to systems or policies. There are four implementation specifications that must be met.
- Security reminders (Addressable) – Any changes to policy or procedures, as well as reminders of current policies, should be distributed in printed or electronic form.
- Protection from malicious software (Addressable) – Procedures for guarding against, detecting, and reporting malicious software. Anti-malware software on every system that accesses or stores PHI is the usual control, but keeping systems patched and restricting what users can install are part of it too.
- Log-In monitoring (Addressable) – Systems must be in place to track and report log-in errors and unsuccessful attempts, and someone must actually review those reports.
- Password management (Addressable) – Procedures for creating, changing, and safeguarding passwords, backed by training. The rule itself does not mandate a fixed rotation interval; current NIST guidance (SP 800-63B) recommends changing passwords on evidence of compromise rather than on a schedule.
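The Log-In monitoring item above and the Information System Activity Review item under the Security Management Process both assume that somebody turns raw logs into something reviewable. The following is an added example, not code from the original article, showing what that looks like in practice: it parses a constructed key=value audit log (the format, field names, and sample lines are all invented for illustration), raises an alert when a user/source pair accumulates five failed logins inside ten minutes and again when a success follows such a burst, and summarizes which user read which PHI record, flagging reads outside assumed business hours.

```python
"""Failed-login monitoring and activity review over an application audit log.

Added example; not part of the original article. The log format, field names,
thresholds and sample lines are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data): one 'ISO8601 key=value ...' event per line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=jdoe src=10.0.0.5 event=login result=failure
2024-03-04T09:12:05Z user=jdoe src=10.0.0.5 event=login result=failure
2024-03-04T09:12:09Z user=jdoe src=10.0.0.5 event=login result=failure
2024-03-04T09:12:14Z user=jdoe src=10.0.0.5 event=login result=failure
2024-03-04T09:12:20Z user=jdoe src=10.0.0.5 event=login result=failure
2024-03-04T09:12:31Z user=jdoe src=10.0.0.5 event=login result=success
2024-03-04T09:13:10Z user=jdoe src=10.0.0.5 event=phi_read record=pt-1042
2024-03-04T09:13:12Z user=jdoe src=10.0.0.5 event=phi_read record=pt-1043
2024-03-04T10:02:00Z user=asmith src=10.0.0.9 event=login result=failure
2024-03-04T10:40:00Z user=asmith src=10.0.0.9 event=login result=success
2024-03-04T10:41:00Z user=asmith src=10.0.0.9 event=phi_read record=pt-1042
2024-03-04T23:30:00Z user=asmith src=10.0.0.9 event=phi_read record=pt-2001
"""


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not fit the format."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failed-login detection per (user, source) pair.

    Emits ('burst', ...) once when `threshold` failures fall inside `window`, and
    ('success_after_burst', ...) when a successful login follows such a burst,
    which is the pattern that most deserves a human look.
    """
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login":
            continue
        key = (ev.get("user"), ev.get("src"))
        failures = recent[key]
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()  # expire failures older than the window
        if ev.get("result") == "failure":
            failures.append(ev["ts"])
            if len(failures) == threshold:  # fire once per burst, not on every extra failure
                alerts.append(("burst", key[0], key[1], ev["ts"]))
        elif ev.get("result") == "success":
            if len(failures) >= threshold:
                alerts.append(("success_after_burst", key[0], key[1], ev["ts"]))
            failures.clear()
    return alerts


def activity_review(events, business_hours=(7, 19)):
    """Per-user count of PHI record reads, plus reads outside business hours (UTC)."""
    per_user = defaultdict(lambda: defaultdict(int))
    off_hours = []
    start, end = business_hours
    for ev in events:
        if ev.get("event") != "phi_read":
            continue
        per_user[ev["user"]][ev["record"]] += 1
        if not start <= ev["ts"].hour < end:
            off_hours.append((ev["user"], ev["record"], ev["ts"]))
    return {u: dict(r) for u, r in per_user.items()}, off_hours


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in failed_login_alerts(evs):
        print("ALERT", *alert)
    summary, late = activity_review(evs)
    print("PHI reads per user:", summary)
    print("Off-hours PHI reads:", late)
```

The thresholds and the business-hours window are policy choices, which is the point of the administrative safeguards: the code only enforces what the documented procedure says, and the activity review output is the kind of artifact an evaluation or an investigator will ask to see.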
6. Security incident procedures
- Response and reporting (Required) – Your organization must be able to identify and respond to suspected or known security incidents, mitigate their harmful effects as far as practicable, preserve evidence, and document each incident and its outcome so that those handling it can feed the lessons back into ongoing risk management.
7. Contingency plan
The contingency plan requirements establish your organization’s strategies and procedures that must be followed in the event of an emergency or event that puts PHI security at risk. There are five implementation specifications.
- Data backup plan (Required) – It defines what PHI must be backed up and ensures all sources of patient data are covered. Establishes safe storage strategies and a schedule for updates.
- Disaster recovery plan (Required) – This requirement ensures that in the event of data loss, there is a plan for recovery.
- Emergency mode operation plan (Required) – In the event that an emergency situation occurs, the operating procedures required by this specification allow critical business processes to continue in order to secure and protect PHI.
- Testing and revision procedures (Addressable) – Your organization must periodically test its contingency plans in order to ensure all personnel are capable of carrying out their respective duties and that the plans are viable.
- Applications and data criticality analysis (Addressable) – This specification requires that the backup plan for your organization include a prioritization of applicable software and hardware in use at your firm. The prioritization list must identify which systems and in what order they must be recovered in the event of an emergency.
8. Evaluation
Your organization is required to test whether your security program adequately protects PHI. This is done through ongoing periodic monitoring and the execution of evaluation plans, which must include reviews of both the technical and non-technical aspects of your security program, and which must be repeated whenever environmental or operational changes affect the security of PHI. There are no implementation specifications, but the HIPAA compliance checklist attached to this standard suggests that your organization:
- Determine how often such evaluations should take place.
- Plan whether the audits will be internal or external.
- Establish whether the processes fully document all performance metrics and changes to the plan.
- Decide whether the evaluations are supporting the reported performance metrics from other testing within your program.
9. Business associate contracts and other arrangements
The final standard that falls under administrative safeguards, this section outlines permissions and standards that must be followed in order to allow your organization’s business partners and associates the necessary access to create, receive, manage, and transmit PHI on your organization’s behalf. Such permissions are granted with the caveat that liability falls on your organization, and therefore it is vital that any organization your company allows to manage PHI provides your organization with detailed assurances that all requirements will be followed. There is a single implementation specification requirement.
- Written contract or other arrangement (Required) – Your organization must obtain, in written contractual form, the agreement and assurances of any business associate that they will protect and maintain PHI within the same guidelines that your organization operates under as a HIPAA-covered entity.
Checklist of HIPAA Organizational policies, procedures and documentation requirement safeguards
The organizational requirements are not located in the Security Standards Matrix in Appendix A with the other standards, but they are required for overall HIPAA compliance. This group encompasses relationships with business associates and the various internal operational requirements imposed by the HIPAA compliance guidelines.
1. Business associate contracts or other arrangements
This standard outlines what is required of the contractual relationship in order for a business associate to access, manipulate, and transmit PHI data. It further defines the nature of and relationship between business associates. The standard outlines what constitutes non-compliance per HIPAA guidelines, which includes knowingly allowing business associates to mishandle PHI. There are two implementation specifications for this standard.
- Business associate contracts (Required) – It outlines the requirements and contractual obligations necessary to establish a viable relationship allowing the use of and access to PHI. This could be in conjunction with or separate from an existing Privacy Rule agreement.
- Other Arrangements (Required) – Applies when the covered entity and the business associate are both government entities, and provides two avenues of compliance:
  - The covered entity enters into a Memorandum of Understanding (MOU) with the business associate. The MOU then serves the role of the contract outlined above.
  - Existing law already imposes on the business associate the obligations a contract would, so a separate agreement is not needed.
2. Requirements for group health plans
This standard requires that the plan documents of a group health plan direct the plan sponsor on how to appropriately secure PHI created, received, maintained, or transmitted on the plan’s behalf. The plan documents must require the plan sponsor to:
- Implement the administrative, physical, and technical safeguards needed to reasonably and appropriately protect the confidentiality, integrity, and availability of that PHI.
- Ensure that the separation between plan and sponsor required by the Privacy Rule is supported by adequate security measures.
- Ensure that any agent or subcontractor to whom it provides this PHI agrees to implement reasonable and appropriate security measures to protect it.
- Report to the group health plan any security incident of which it becomes aware.
3. Policies and procedures
In a very basic sense, this standard requires that covered entities and business associates implement reasonable and appropriate policies and procedures to meet the Security Rule requirements laid out earlier in this article. It refers back to the flexibility provisions that let organizations meet HIPAA requirements in a way that doesn’t impair normal business practices. The mission and culture of your organization should shape the policies and procedures piece required by HIPAA, and those documents should be updated consistently as the organization grows and changes.
As previously discussed in other sections, your organization is required by HIPAA compliance guidelines to maintain documentation outlining policies and procedures, as well as documentation showing changes made to your organization’s policies. There are three implementation specifications that must be met.
- Time Limit (Required) – Organizations affected by HIPAA must retain records for 6 years from date of creation or from the date when the document was last in use, whichever is later.
- Availability (Required) – Records and documentation must be made available to any person responsible for carrying out the tasks related to the contents of said documents.
- Updates (Required) – Documents must be updated on a regular schedule, or as needed in order to reflect current status of security plans.
HIPAA compliance checklist, decoded
No doubt HIPAA is an extensive and convoluted set of rules which those looking to operate in the healthcare field must navigate successfully in order to avoid sanctions and fines.
Now that we’ve walked you through all four sets of safeguards, you and your team are better equipped to create a HIPAA compliance checklist that will help you to meet the needs of your clients while maintaining the security of their data.
If you are planning to get a custom software solution developed, make sure your team is giving due adherence to HIPAA guidelines or hire a software consultant like Kays Harbor who can help you build the right software solution for your needs. Don’t forget to request your free consultation session today.