For a minute, think about what a HIPAA fine from the Office for Civil Rights (OCR) in the amount of $50,000 (or more) would do to your business. Now, think about OCR’s corrective action plan that must be implemented due to the breach, including updates on computer equipment, firewall security measures, additional staff training, and regular gap assessments to show OCR you are meeting HIPAA compliance. In the event of a breach, add on the costs for notification mailings to clients, public notices if necessary, and the reputational damage to your company.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a healthcare provider or their business associate. Appropriate administrative, physical, and technical safeguards must be in place to ensure the confidentiality, integrity, and security of ePHI.
In order to be HIPAA compliant and avoid the fines that will surely come with a security incident or worse – a HIPAA breach – your organization is required to follow HIPAA guidelines.
Below is a HIPAA checklist that your organization should follow in order to stay in compliance. It covers a few essential components necessary to ensure your network is secure and protects ePHI while also complying with the HIPAA Security Rule and the HITECH Act, and it will assist you with some of your HIPAA compliance goals.
ACCESS CONTROLS / UNIQUE USER IDENTIFICATION / AUTOMATIC LOG-OFF
- Unique username and (complex) password for all logins
- Role-based / least-privilege access controls
- Multi-factor authentication for increased defense to access systems
- Restrict access as to time, scope, function and application
- Automatic log-off after 5-15 minutes of inactivity
- Detailed audit of data to identify changes and enable corrections
- Strict control of remote access to limit support-related data corruption
- Privileges set for all applications and systems containing ePHI
- User activity and system logging reviewed regularly
- Session recording for systems and applications containing ePHI
- Review of active users in all systems regularly (quarterly)
- Encryption configured for email transmissions containing ePHI
- Encryption enabled for all portable devices
- Remote connections set up with a minimum of AES 256-bit encryption modes / SHA-256 hashing
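To make the access-control items above measurable during a gap assessment, here is an added example (not code from the original article) that scores a constructed system inventory against four of the checklist thresholds: MFA enforced, automatic log-off within 5-15 minutes, active-user review within the last quarter (taken as 90 days), and remote connections using AES-256 with at least SHA-256. The record layout, field names and sample systems are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class SystemRecord:
    name: str
    idle_logoff_minutes: Optional[int]   # None: no automatic log-off configured
    mfa_enforced: bool
    last_user_review: Optional[date]     # last review of active accounts; None: never
    remote_cipher: Optional[str]         # e.g. "AES-256-GCM"; None: no remote access
    remote_hash: Optional[str]           # e.g. "SHA-256"

def _norm(s):
    return s.upper().replace("-", "").replace("_", "")

def remote_crypto_ok(cipher, mac):
    """AES-256 and at least SHA-256 (SHA-384/512 also meet the minimum)."""
    return "AES256" in _norm(cipher) and _norm(mac) in {"SHA256", "SHA384", "SHA512"}

def gap_findings(rec, today):
    """Return the checklist items this system currently fails."""
    findings = []
    if not rec.mfa_enforced:
        findings.append("multi-factor authentication not enforced")
    if rec.idle_logoff_minutes is None or not 5 <= rec.idle_logoff_minutes <= 15:
        findings.append("automatic log-off not within 5-15 minutes of inactivity")
    if rec.last_user_review is None or today - rec.last_user_review > timedelta(days=90):
        findings.append("active-user review older than one quarter (90 days)")
    # remote-access crypto is only assessed where remote access exists
    if rec.remote_cipher is not None and not remote_crypto_ok(rec.remote_cipher, rec.remote_hash or ""):
        findings.append("remote connection below AES-256 / SHA-256 minimum")
    return findings

def assess(records, today):
    """Map each system name to its list of open checklist gaps."""
    return {r.name: gap_findings(r, today) for r in records}

ASSESSMENT_DATE = date(2024, 1, 31)  # constructed date; keeps the sample run deterministic
SAMPLE_INVENTORY = [  # constructed sample data, not a real environment
    SystemRecord("ehr-portal", 10, True, ASSESSMENT_DATE - timedelta(days=30), "AES-256-GCM", "SHA-256"),
    SystemRecord("billing-vpn", 30, False, ASSESSMENT_DATE - timedelta(days=120), "AES-128-CBC", "SHA-1"),
    SystemRecord("lab-workstation", None, True, None, None, None),
]

if __name__ == "__main__":
    for name, gaps in assess(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(name, "-", "no gaps" if not gaps else "; ".join(gaps))
```

Feeding the script real inventory records gives a repeatable artifact for the periodic gap assessment the corrective action plan calls for.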