Sample Checklist of Technical Safeguards for HIPAA Compliance

An IT professional can use the following technological security measures to protect electronically protected health information (ePHI):

1. Access control:
   • Use role-based access control (RBAC) to restrict user access to ePHI in accordance with their work duties.
   • Require all users to use secure passwords.
   • Configure your account to automatically lock out after several failed login attempts.
   • Review and adjust user access rights on a regular basis.
2.  Authentication:
   • For access to systems storing ePHI, use multi-factor authentication (MFA).
   • Employ safe authentication methods like Kerberos or LDAP.
3.  Encryption:
   • when storing and sending ePHI, both at rest and while in transit.
   • Use powerful encryption techniques like AES-256.
   • Update encryption keys frequently.
4.  Network security:
   • Secure the network perimeter by deploying firewalls and intrusion detection and prevention systems (IDPS).
   • Frequently update IDPS signatures and firewall rules.
   • Segment the network to keep private areas totally apart from the commonly used network segments e.g. keeping servers in a separate locked room, away from the network.
   • Use VPNs to access ePHI from a distance.
5.  Monitoring and auditing:
   • Enable and set up logging on the computers and programs that handle ePHI.
   • Examine logs on a regular basis for shady activity.
   • To centralize and automate log analysis and implement a security information and event management (SIEM) system.
6. Patch management:
   • Maintain the most recent patches and upgrades for operating systems, programs, and security tools. Follow this link, to know how software patch management can help you in saving costs.
   • Regularly check systems for known vulnerabilities and install any updates that are required.
7.  Malware protection:
   • Install antivirus and anti-malware software on all computers and electronic gadgets.
   • Update malware signatures frequently and run regular scans.
   • Use email filtering to stop phishing and spam attacks.
8.  Secure communication:
   • transmit ePHI over the network by using secure communication protocols like – Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
   • Protect ePHI in email communication by using secure email solutions;
9.  Mobile device security:
   • Use a mobile device management (MDM) tool to impose security guidelines on mobile devices that access ePHI.
   • Demand password and encryption protection for mobile devices.
   • Add the ability to remotely wipe lost or stolen devices.
10. Backup and disaster recovery:
    • Regularly back up your electronic health information (ePHI) and store those backups securely, either offsite or in the cloud.
    • Regularly test backup and restore processes.
    • Create a thorough plan for disaster recovery.

Although not comprehensive, this checklist gives IT professionals a strong foundation on which to protect ePHI in accordance with HIPAA regulations. Depending on the unique conditions and risk considerations of each company, additional protections can be required. It’s always advisable for these healthcare facilities to get Security Risk Assessment done. For a healthcare facility, MSPs like DP Tech Group can help them be HIPAA compliant – effectively and efficiently.

Tags: ePHI ePHI identifiers HIPAA MDM SRA