HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Security Rule Checklist

What is a HIPAA Security Rule Checklist?

A HIPAA Security Rule checklist is an essential tool that healthcare organizations should use during a risk analysis to ensure compliance with the specific regulations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The Security Rule requires the implementation of appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI) both in transit and at rest.

  • The Administrative Safeguards require that a security officer is designated to identify and analyze potential risks to the integrity of PHI. They must also select and implement security measures to reduce risks and vulnerabilities to a reasonable level and are responsible for information access management and workforce training.
  • The Physical Safeguards relate to the physical security of data and access to where it is stored. This includes protecting physical computer systems, servers and buildings from fire and other natural and environmental hazards, as well as from intrusion and hacking. The physical safeguards also cover workstation and device security.
  • The Technical Safeguards primarily concern the security measures that guard against unauthorized access to PHI that is being transmitted over an electronic network. There are three sets of “controls” that must be implemented to comply with the technical safeguards of the HIPAA Security Rule checklist – access controls, audit controls and integrity controls.

More about the Administrative Security Rule Safeguards

The most important consideration of the administrative Security Rule safeguards is the ongoing risk analysis. Regular reviews must be conducted to ensure the effectiveness of the security measures put in place and that authorized users are adhering to the policies designed to maintain the effectiveness of the security measures.

This includes any scenario in which personnel are allowed to use their own personal mobile devices. Research has shown that 87% of doctors (Manhattan Research/Physician Channel Adoption Study) and 67% of nurses (American Nurse Today study) use smartphones in the workplace to “support their workflow”.

A HIPAA Security Rule checklist should take the use of personal mobile devices into account when identifying risks and vulnerabilities, and compiling appropriate use policies. Any changes to working practices, technological advances and revised legislation should also be considered when these factors may reduce the effectiveness of implemented security measures.

More about the Physical Security Rule Safeguards

Although the physical Security Rule safeguards would comprise the smallest part of a HIPAA Security Rule checklist, they are no less important than any other. They primarily concern the security of and physical access to facilities in which computer equipment is stored and the validation of personnel entering these facilities.

In respect of workstation and device security, policies and procedures must be implemented to specify the proper use of and access to workstations and mobile devices. This includes the implementation of an automatic log-off feature, so the PHI cannot be accessed by unauthorized personnel when a workstation or mobile device is left unattended.

Healthcare organizations and other entities covered by the HIPAA Security Rule must also have in place policies and procedures regarding the transfer, removal, and disposal of PHI, the disposal of computer hardware and the re-use of electronic media. It should not be overlooked that the physical Security Rule safeguards apply to data that may no longer be required or in use.

More about the Technical Security Rule Safeguards

It was mentioned above that there are three sets of “controls” within the technical Security Rule safeguards. The access controls relate to the identity verification processes that should be implemented to ensure a person accessing PHI is who he or she claims to be, whereas the audit controls ensure that access to PHI is recorded.

The integrity controls concern PHI “at rest” – i.e. any electronically stored patient HIPAA identifiers. Mechanisms should be put in place to ensure that PHI is not improperly altered or destroyed. For many healthcare organizations, this involves having a system in place that securely archives PHI in a format that is read-only.

The integrity of PHI “in transit” – i.e. used in communications – is also covered in the technical Security Rule safeguards. The Security Rule states “A covered entity must implement technical security measures that guard against unauthorized access to PHI that is being transmitted over an electronic network”.

How Secure Messaging Ticks the Boxes on a HIPAA Security Rule Checklist

A cloud-based, secure messaging solution ticks the boxes on a HIPAA Security Rule checklist – particularly in scenarios in which medical professionals are allowed to use their personal mobile devices in the workplace. Secure messaging solutions work by enabling access to PHI via secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to authenticate their identities by using a centrally-issued username and PIN. This unique username allows the monitoring of an individual's activity on the secure messaging solution and the automatic preparation of audit reports. The secure messaging apps enable the unfettered communication of PHI between authorized users; but, as the apps only connect with a healthcare organization's private network, PHI cannot be sent outside of the network to unauthorized personnel.

Other safeguards – such as automatic log off – exist to safeguard against the accidental or deliberate unauthorized disclosure of PHI, while security officers have the ability to remotely wipe and PIN-lock any device that is lost, stolen or otherwise disposed of. All communications via a secure messaging solution are automatically archived in an uneditable and unerasable format, and PHI is encrypted both at rest and in transit so that it is undecipherable if a system is hacked or a communication is intercepted.

The Benefits of Secure Messaging in a Healthcare Environment

In addition to helping healthcare organizations comply with the requirements of the HIPAA Security Rule, there are a number of benefits associated with secure messaging in a healthcare environment. Secure messaging has been shown to increase message accountability and reduce phone tag. This frees up time for medical professionals to deliver a higher standard of care to patients.

The secure messaging apps also support group messaging and multi-party conversations. This facility fosters collaboration and accelerates the communications cycle to reduce the length of time it takes to process hospital admissions and patient discharges. As images, test results and x-rays can be attached to secure messages, the solution is a much more effective way to request physician consults or escalate patient concerns.

A secure messaging solution can also be integrated with an answering service or EMR. A study into secure messaging/EMR integration found that complications from procedures and tests that compromised patient safety were reduced by 25 percent, medication errors caused by miscommunication decreased by 30 percent and the hospitals surveyed recorded 27 percent fewer patient safety incidents overall.

A HIPAA Security Rule Checklist is Not Just about Compliance

Although it was mentioned at the beginning of this article that a HIPAA Security Rule checklist is a tool that healthcare organizations should use to ensure compliance with the HIPAA Security Rule, it has many more functions than that. A HIPAA Security Rule checklist can identify weaknesses in a healthcare organization's channels of communication. Once these weaknesses are addressed, healthcare organizations can become more efficient, more productive and more profitable.