Key Components of a HIPAA Security Checklist for Healthcare Providers

The HIPAA Security Rule deals with electronic Protected Health Information (ePHI), whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in any form; ePHI is therefore effectively a subset of what the Privacy Rule covers.

The HIPAA Security Rule only takes up about 8 pages of actual regulatory text, which is good news.

The HIPAA Security Regulation is rather technical in nature, which is terrible news. This regulation effectively codifies a number of information technology best practices and standards.

Below is the complete HIPAA security checklist, so check it out.

1. Decide whether the Privacy Rule applies to you

Any kind of PHI is protected under the HIPAA Privacy Regulation (verbal, electronic, or written).

Even though business associates aren’t directly covered by most Privacy Rule standards, you still need to establish some of the necessary policies and security measures on behalf of the covered entity you support, such as guidelines for PHI use and disclosure and for patients’ rights with regard to their PHI.

You must, as a general rule, adhere to the fundamental privacy laws: you may not use, access, or disclose PHI without the person’s legal, HIPAA-compliant authorization (barring exceptions).

2. Protect the right types of patient data

Understanding what constitutes PHI, where it comes from, where it is housed, and who has access to it inside your business will help you determine if you are protecting the correct kind of data.

Also, you need to be aware of the kinds of patient data that your company transfers and uses. Even though your business associate agreement (BAA) would cover it, it’s best to make sure the specifics are written out and the relevant individuals in your firm are informed of them.

Also, knowing what kinds of patient data you need to secure is a smart place to start when putting appropriate security and privacy measures in place.

3. Understand the causes of HIPAA violations

HIPAA infractions can take many different forms. Understanding their causes and the precautions you can take to prevent them is therefore crucial.

The most well-known causes of HIPAA violations (external data breaches or hacking by malicious actors) aren’t always to blame.

HIPAA infractions are frequently the result of internal errors brought on by security lapses or, occasionally, by simple carelessness.

HIPAA violations may result from things like unattended workstations, disclosing patient information after the permission has expired, or having insufficient ePHI access controls.

The most frequent reasons for noncompliance include sending PHI to the wrong person, discussing PHI in public (including on social media), and using non-compliant services such as email, websites, and cloud services.