HIPAA Compliance Checklist - Tech Solutions for Businesses

by Nazar Kvartalnyi COO at Inoxoft

Study the requirements for HIPAA IT compliance within the Healthcare industry. Select technology pleasant proper to your software.

In keeping with HHS, business friends are directly chargeable for violating the HIPAA security Rule and Breach Notification Rule as well as certain provisions of the privacy Rule.

If an implementation specification is described as “required”, it ought to be fulfilled. Addressable conditions have to be implemented if it's far affordable and suitable to achieve this. Plus, the selection need to be documented.

Enterprise friends may additionally use any technology solution to align with HIPAA requirements. In deciding which security degree to use, groups have to take into account the following factors:

•           The dimensions, complexity, and skills of their organisation.

•           The technical infrastructure, hardware, and software program safety abilties.

•           The charges of security features.

Having analyzed our experience in healthcare development, we recommend the maximum suitable technical solutions to comply with HIPAA necessities.

Technical Safeguards

Access control

Access control means allow authorized users to get right of entry to the minimal important information had to carry out task capabilities.

Precise person identity (R). Assign unique IDs for indicating and tracking user identity.


1.         Use the worker name or its variant (e.g. jsmith).

2.         A hard and fast of random numbers and characters (it's miles extra tough for an unauthorized consumer to bet, but can also be extra difficult for authorized customers to bear in mind and control to understand).

Emergency get right of entry to manner (R). offer get admission to to essential ePHI at some point of emergency situations (whilst everyday environmental systems, including electric energy, were broken because of a natural or artifical disaster).

Tech.solution: If the organisation utilizes a cloud-based EHR, the catastrophe restoration plan addresses disruptions in access to an ISP or cloud-based EHR supplier to ensure the availability of the EHR for both remedy and billing services.

Automated Logoff (A). observe methods that terminate an electronic session after a predefined duration of state of no activity.


1.         Set a ten-minute duration of inactiveness after which the machine will routinely be locked. In case the tool is within the excessive-site visitors location, set up a timeout of two to three mins. system utilized in covered areas with controlled, limited get right of entry to, which includes a lab or an isolated office, could have longer timeout periods.

2.         Set off an operating machine screensaver that is password covered after a length of gadget inactiveness.

Encryption and Decryption (A). All amassed and stored ePHI ought to be encrypted and decrypted by means of the individual with the proper keys.


1.         store the touchy information in a cozy surroundings with the right bodily and network safety.

2.         choose record/folder level encryption and full disk encryption for storing exclusive information on cellular devices.

3.         Do now not shop the password to the PGP or S/MIME key for your system.

4.         Advocate your system traffic to go into the password and use cookies to keep the password from web page to page.

five.     If you shop ePHI in a MySQL database you have to make sure that the password to that database is not stored for your machine.

6.         Encrypt the information earlier than saving it within the database for additonal protection levels.

Audit Controls

Audit Controls means put into effect hardware, software, and/or procedural mechanisms that document and take a look at pastime in information systems that contain or use ePHI.


Integrity is to guard ePHI from incorrect alteration or destruction in an unauthorized manner by means of each technical and non-technical parties. as a consequence, team of workers contributors can also make incidental adjustments that improperly adjust or destroy ePHI. data also can be compromised with out human intervention that includes electronic media errors or failures.

Mechanism to Authenticate digital covered health statistics (A). implement electronic mechanisms to defend ePHI from alteration or destruction via a pandemic or other malicious code.

Tech.answer: Backup the records in the DB and keep it on an external cloud service. Block garage

individual or Entity Authentication

character or Entity Authentication. affirm that a person or entity searching for get right of entry to to ePHI is that they declare to be.


1.         Require some thing regarded simplest to that person, which include a password or PIN.

o          The password need to be the longest feasible (between six and 10+ characters) including a aggregate of numbers, unique characters, and a aggregate of upper and decrease case letters.

o          It have to be changed at the least every six months or each time the password will become recognised to the opposite character. And current or previous passwords could not be reused.

o          It is possible to put into effect functionality with a purpose to manipulate the password expiration. This good judgment will prevent customers from logging in with an expired password and pressure them to trade it.

2.         Require the use of a physical tool inclusive of a token, or smartphone callback function.

3.         Require something unique to the man or woman together with a biometric (e.g. fingerprints, voice patterns, facial patterns or iris styles).

four. Use two-factor authentication:

o          By way of SMS/push notification, someone the use of a username and password to log right into a database additionally has to insert a PIN code to verify their identification.

o          The request of a fingerprint scan (biometric) with the similarly coming into of a password.

o          Combine with Google Authenticator or comparable service.

For iOS

For Android

Transmission protection

Transmission security. prevent unauthorized get entry to to ePHI that is being transmitted over an electronic communications network.

Integrity Controls (A). make certain that ePHI is not improperly changed at some stage in transmission (it applies to all character health records that is maintained or transmitted).


1.         Use community communication protocols.

2.         cozy your web-answer with an SSL, PGP or AES encryption.

SSL certificate

Do no longer use FTP to transfer patient statistics to/from payers and other scientific organizations. pick SFTP as a substitute.

Encryption (A). communique containing PHI (either in the frame or as an attachment) that goes beyond an inner firewalled server ought to be encrypted. It have to also be taken into consideration that emails containing PHI are part of a affected person´s medical file and ought to, therefore, be encrypted and sponsored up. this is applicable to any shape of digital conversation - e-mail, SMS, immediately message, etc. The encryption requirements follow to each part of the IT system, along with servers like Amazon Cloud or Microsoft Azure.

Tech.answer: NIST recommends the usage of superior Encryption fashionable (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Physical Safeguards

Facility get right of entry to Controls

Facility get admission to Controls. limit physical access to the electronic information device, at the same time as making sure that properly legal get admission to is authorized.

Contingency operations (A). permit facility get right of entry to to the bodily workplace and stored information even at some stage in an emergency.

Facility safety Plan (A). define and record using bodily get entry to manage to guard system that stores ePHI from unauthorized get entry to and robbery.

get right of entry to manipulate and Validation techniques (A). control and validate a person's access to centers based on their role or function, which includes vacationer manipulate, and manipulate of get entry to to software program applications for checking out and revision.

Tech.solution: Log all of the server movements.

maintenance records (A). document repairs and modifications to the bodily additives of a facility which might be associated with safety (for instance, hardware, walls, doorways, and locks).

Tech.answer: In a small office, documentation may also honestly be a logbook that notes the date, reason for restore or amendment and who legal it.

In a large employer, numerous upkeep and modifications of physical protection additives can also need to be documented in greater element and maintained in a database.

Computer Use

Workstation Use stand for the restriction of the use of workstations which have access to ePHI. Specify the protecting surrounding of a pc. adjust how features are to be performed on the workstations that may get admission to ePHI.


1.         computerized logoff

2.         Use and usually update antivirus software program.

3.         Configure web filtering

device and Media Controls

tool and Media Controls. control how ePHI is transferred/removed/disposed from the cell devices if the person leaves the organization or the gadget is re-used, bought, and so forth.

Disposal (R). The data can be completely disposed of whilst needed. yet, you will must recollect all of the places in which statistics can be archived, and you will want to ensure that all of these backups will expire and disappear.

Tech.answer: Block storage

Media Re-use (R). get rid of ePHI from digital media earlier than the media are made to be had for reuse.

Tech.solution: manual removal of affected person statistics in electronic storage media along with memory gadgets in computers (tough drives) and any detachable/portable virtual memory media, which includes backup tape, optical disk, or smart card.

duty (A). preserve a file of the moves of hardware and electronic media and any man or woman responsible consequently.

information Backup and garage (A). The HIPAA policies do no longer dictate in which ePHI might also or might not be maintained. therefore, BAs aren't prohibited from storing PHI outdoor of america (though there are other laws that could restrict the exercise of storing PHI offshore; for example, some state Medicaid programs prohibit the offshoring of Medicaid statistics).

ePHI this is accrued, saved and used inside your solution has to be backed up. The reserved reproduction have to be stored in a at ease environment and according to the best practices, it should have numerous backups which can be saved in distinctive places.

also, the copy need to be quite simply retrievable if the hardware or digital media is damaged.


1.         automatic facts backup.

2.         e mail archiving.

Notebook Protection

Computing device safety is to implement bodily safeguards for all workstations that access ePHI, to restrict get entry to to legal customers.

Administrative Safeguards

Administrative Safeguards fall out of the world of software improvement, but, there are mandatory recommendations for any business that works with health data. Administrative protection tasks contain:

•           appoint protection officers who will often perform the risk assessment.

•           Introduce threat control rules and processes.

•           educate employees on figuring out ability cyber assaults and document all training.

•           restriction third-party access to ePHI.

•           increase a contingenсy plan to protect the integrity of ePHI, remember statistics backups and processes to restore misplaced records in case of emergency.

HIPAA privateness regulations

HIPAA privacy policies. HIPAA privateness guidelines talk over with the use and disclosure of PHI and practice to any healthcare organizations and their enterprise pals. consistent with the rules, BA might not use, get entry to, or expose PHI without the patient's consent, except for functions of remedy, fee or sure health care operation; positive public protection and government features, which include: reporting of abuse and neglect, responding to authorities investigations, or disclosures to avoid a severe and approaching hazard to the character. but, earlier than making disclosures for such functions, BA have to talk over with CE.

Tech.answer: The app shall have a phase (tab, button or equal) or active link to its privacy policy, and owner represents that commercially affordable efforts are used to notify customers of any fabric changes to its privateness policy. restricted information set.

HIPAA Breach Notification rules

HIPAA Breach Notification rules. Require BAs to promptly notify the branch of fitness and Human services of small safety breaches within 60 days after the breach is discovered. larger breaches (affecting 500+ patients) should additionally be mentioned to the media. Plus, BAs should notify their CE, which in flip must notify the people.

Breach notifications must include the following information:

•           the nature of the ePHI concerned, consisting of the sorts of private identifiers exposed.

•           The unauthorized character who used the ePHI or to whom the disclosure changed into made (if recognised).

•           whether or not the ePHI changed into without a doubt acquired or considered (if recognized).

•           The volume to which the risk of harm has been mitigated.

In all cases, patients should be notified and knowledgeable of steps they are able to take to mitigate capacity harm.

Tech.answer: prepare a mass mailing plan for this contingency.

maintain Required Documentation

keep Required Documentation. maintain the files required by the safety Rule for six years from the record’s last powerful date. make certain which you have written schooling requirements as well as written penalties that employees are informed of in the case of a violation.

Originally published at

Sponsor Ads

About Nazar Kvartalnyi Innovator   COO at Inoxoft

20 connections, 1 recommendations, 88 honor points.
Joined APSense since, April 29th, 2020, From Lviv, Ukraine.

Created on Jun 19th 2020 01:26. Viewed 695 times.


No comment, be the first to comment.
Please sign in before you comment.