Required HIPAA Controls
These HIPAA controls are mandatory. The government allows no way to avoid them.
Required: HIPAA Risk Analysis
This is the very first requirement in the HIPAA Security Rule. The Rule itself says little about how to do it, but the Office for Civil Rights (OCR) offers guidance for smaller practices and the National Institute of Standards and Technology (NIST) publishes a free 95-page guide.
Beware: the Office of the National Coordinator (ONC), which runs the Meaningful Use program, says, “It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
Most HIPAA fines are based on a missing, outdated, or incomplete Risk Analysis. If you want to pass an audit, think twice about doing this yourself.
Required: HIPAA Risk Management
Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule requires you to document the actions you are going to take to reduce your risks or deal with them.
Required: Healthcare Data Disaster Plan
“Establish (and implement as needed) procedures to restore any loss of data.” Think less, not more. While common sense says every medical organization and business should have a plan to survive a disaster, the HIPAA Security Rule only cares about access to patient data. Document how you will recover access to your data and you will comply with the HIPAA Security Rule. Document how you will communicate with your staff, work from an alternate site, and operate after a disaster, and your organization will survive. It is important to have a backup plan for both on-premises and off-premises data.
Required: Business Associate Agreements
The HIPAA Security Rule in 2005 did not give the HIPAA enforcers power to penalize Business Associates for breaches. This all changed with the HIPAA Omnibus Final Rule in 2013. Business Associate Agreements with new wording are required. Covered Entities are liable for the compliance of their Business Associates, and their Business Associates’ subcontractors. Don’t stop with the paperwork. Since you are liable, you should validate that your vendors and their vendors comply with HIPAA.
While everyone thinks their patient data is housed exclusively in their EHR system, it is all over the place: server folders, laptops, desktop computer hard drives, portable drives, and smartphones. The HIPAA Security Rule requires that access logs be created and retained for six years. To do this across all of those systems, your network must be a Domain with centralized accounts and auditing, not a Workgroup.
Addressable, Not Optional, HIPAA Controls
If you don’t think these are reasonable for your organization, you must identify a suitable alternative and document the reasons for your decision. Ignoring Addressable controls is a HIPAA Security Rule violation and is likely to cause a reportable data breach.
Addressable: HIPAA Data Encryption
Encryption = No Data Breach. With all the reported data breaches why this isn’t Required by the HIPAA Security Rule is beyond me. Encrypting data is not expensive, and a device with encrypted data that is lost or stolen is not reportable, as long as the encryption meets the HHS guidance and the decryption key was not exposed along with the device. Recently Advocate Health Care in Chicago had four computers stolen and breached 4 million records. An Omnicell technician had his laptop stolen and breached 68,000 records. Would you rather pay millions of dollars to notify patients and pay fines, or a lot less to encrypt your devices? Don’t stop at laptops: encrypt everything from thumb drives to servers.
Required: Unique User Identification
No shared logins and passwords are allowed by the HIPAA Security Rule: none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track each individual user and the files they create, access, and modify. This includes IT staff and outsourced IT providers that access systems housing patient information.
“This is so inconvenient!”
“It slows our doctors down!”
“It’s such a pain to keep logging in!”