The Health Insurance Portability and Accountability Act (HIPAA) requires organizations that handle patients’ protected health information (PHI) to follow specific rules. There is no official HIPAA certification; compliance is the organization’s own responsibility, and falling short exposes it to data breaches and civil penalties of up to $50,000 per violation.

What Is HIPAA Compliance?

HIPAA compliance means your organization’s policies and procedures meet the requirements of HIPAA, its amendments, and related legislation such as the HITECH Act. The requirements are deliberately broad and technology-neutral so that they apply to every type of covered entity and business associate that works with PHI. These covered entities and business associates must:

  • Have administrative, physical, and technical safeguards in place, as required by the HIPAA Security Rule.
  • Comply with the HIPAA Privacy Rule.
  • Follow the HIPAA Breach Notification Rule if PHI is breached.

HIPAA Security Rule

The HIPAA Security Rule sets the standards for protecting electronic protected health information (e-PHI): PHI that is created, received, maintained, or transmitted in electronic form. It applies to every covered entity and business associate that can read, write, or modify e-PHI. Its safeguards fall into three categories, outlined below.

Technical Safeguards

Technical safeguards cover the technology, and the policies for using it, that protect e-PHI and control access to it. e-PHI that leaves the organization’s internal, firewalled network must be encrypted so that it is unusable if intercepted or stolen. Note that encryption is an “addressable” implementation specification under the Security Rule: an organization that chooses not to implement it must document why and put an equivalent alternative measure in place. Meeting the Technical Safeguards standards includes:

  • Employing activity logs and audit controls that record who accessed e-PHI and when.
  • Using a mechanism to authenticate e-PHI, that is, to verify it has not been improperly altered or destroyed (the integrity standard).
  • Implementing encryption and decryption tools for e-PHI at rest and in transit.
  • Enforcing access controls, including unique user identification and automatic logoff, and authenticating the person or entity requesting access.

Physical Safeguards

Physical safeguards address physical access to the systems and facilities where e-PHI is stored. They apply wherever that storage is:

  • Physical servers on the HIPAA-covered entity’s premises.
  • Cloud services (the provider is then a business associate and must sign a BAA).
  • A remote data center.

There are also requirements for workstations, mobile devices, and removable media. Organizations must:

  • Inventory hardware and media that hold e-PHI and record their movements, including disposal and reuse.
  • Define how workstations and mobile devices that can access e-PHI may be used and how they are physically protected.
  • Control physical access to the facilities that house e-PHI while still allowing authorized access.

Administrative Safeguards

Administrative safeguards are the policies and procedures that tie the Security Rule and Privacy Rule together and govern how the workforce handles e-PHI. Organizations must designate a Privacy Officer and a Security Officer responsible for protecting PHI. Administrative safeguards include:

  • Developing and testing a contingency plan (data backup, disaster recovery, and emergency-mode operation).
  • Conducting a risk analysis and introducing a risk management policy to address the risks it identifies.
  • Training the workforce and restricting third-party access to e-PHI through business associate agreements.

HIPAA Compliance Checklist

If your organization has access to PHI, follow this HIPAA compliance checklist:

  • Get professional help with your assessment if you lack in-house expertise.
  • Do annual risk assessments, and reassess after major changes to systems or operations.
  • Conduct frequent penetration testing and vulnerability scans of the systems that handle e-PHI.
  • Ensure application security for any software that creates, stores, or transmits e-PHI.
  • Conduct employee education on compliance and security at least annually and at onboarding.
  • Review business associate agreements (BAAs) annually.

Setting up Remote Workspaces for HIPAA Compliance

HIPAA-compliant home office setups are crucial to maintaining compliance outside the office. Make sure your staff follow HIPAA at home by:

  • Training your staff to recognize phishing attempts.
  • Requiring a virtual private network (VPN) for access to e-PHI and keeping software patched and up to date.
  • Extending your security team’s monitoring and device controls (such as full-disk encryption and multi-factor authentication) to remote endpoints.

Contact Agio Today

Agio helps healthcare organizations stay compliant with HIPAA compliance assessments. To learn more, contact us today.
