Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Hipaa security compliance checklist for developers & business associates
Similar to Hipaa security compliance checklist for developers & business associates (20)
Recently uploaded
Recently uploaded (20)
Hipaa security compliance checklist for developers & business associates
- 2. What is HIPAA? • HIPAA is short for the Health Insurance Portability and Accountability Act. HIPAA sets the standard for protecting sensitive patient data. • The law states that Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI).
- 3. HIPAA Security Rule – Safeguards.
- 4. Technical Safeguards • Technical safeguards outline what your application must do while handling PHI. • Access Control Requirements • Audit and Integrity • Transmission Security
- 5. Technical Safeguards Encryption is a critical control even though it is listed as “Addressable”
- 6. Technical Safeguards - Required • Assign a unique name and/or number for identifying and tracking user identity (R) • Ensure the verification of the individual or entity who is authorized to access ePHI and that the identity is correctly bound to a unique user identification (“sign-on”) for access to ePHI. • Each User must be provided a unique account, with unique username/userID & password, to access ePHI. • Generic or shared accounts are not permitted for access to ePHI. • Establish(and implement as needed) procedures for obtaining necessary EPHI during and emergency (R) • Emergency access procedures may be included in Contingency Plan procedures. • The emergency access procedures shall be written and communicated in advance to multiple individuals within the organization. • Emergency access procedures should not rely on the availability of a single individual. • Access to emergency procedures should not rely on the availability of local power or network. • Identify roles that may require special access during an emergency. • Individuals are to require proper ID or other official verification before granting access to unknown or not-normally- authorized individuals in emergency circumstances
- 7. Technical Safeguards - Required • Implement Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI (R) • Establish criteria for log creation, retention, and examination of activity. • New systems should be selected with the ability to support audit requirements. • Implement Person or Entity Authentication procedures to verify that a person or entity seeking access EPHI is the one claimed (R) • Each User must be provided a unique account, with a unique username and password, to access ePHI. • Generic or shared accounts are not permitted for access to ePHI. • Passwords for access to ePHI will not be shared by Covered Entity employees. • All passwords providing access to ePHI, including local administrator/root passwords, must comply with the password strength requirements. • Physically protect passwords. • Review, as appropriate, workstation, OS and application access logs, as well as failed or successful changes to account permissions. • Systems and applications will not be configured to save passwords. • All of the above practices apply to vendors and third parties.
- 8. Technical Safeguards - Addressable • Implement procedures that terminate an electronic session after a predetermined time of inactivity (A) • Implement a mechanism to encrypt and decrypt EPHI (A) • Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner (A) • Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of (A) • Implement a mechanism to encrypt EPHI whenever deemed appropriate (A)
- 9. S No Technical Safeguards Business Associate Covered Entity 1 Each User must be provided an unique account, with a unique username/user ID and password, for access to ePHI. 2 ePHI accessible only with valid credentials. 3 Generic or shared accounts are not permitted for access to ePHI 4 Established (and implemented as needed) procedures for obtaining for obtaining necessary EPHI during an emergency. 5 The emergency access procedures shall be written and communicated in advance to multiple individuals within the organization. 6 Establish criteria for log creation, retention, and examination of activity. 7 New systems should be selected with the ability to support audit requirements. 8 Individuals are to require proper ID or other official verification before granting access to unknown or not-normally-authorized individuals in emergency circumstances. 9 All passwords providing access to ePHI, including local administrator/root passwords, must comply with the password strength requirements. 10 Set processes and follow the review, of workstation, OS and application access logs, as well as failed or successful changes to account permissions 11 Systems and applications will not be configured to save passwords. 12 Where possible, terminate electronic sessions after a period of inactivity. Where session termination is not possible, either technically or from a business process perspective, implement screen lock as a compensating control.
- 10. S No Technical Safeguards Business Associates Covered Entities 13 Maximum duration of inactivity prior to session termination or automatic workstation lockout could be set to 15 – 20 minutes. 14 Follow the NIST`s Advanced Encryption Standard (AES) for encryption. 15 Always use SSl(Secure Socket Layer) for web based access to any sensitive data. 16 When it comes to remote access to applications and data use a VPN (Virtual Public Network) and maintain upto date firewalls. 17 Technically enforce complex passwords where possible 18 Store ePHI on a secure server 19 Deploy robust anti-virus software on devices handling ePHI and anti-virus patches and signatures to be updated automatically. 20 ePHI to be stored on physically secure sites 21 Implement a system of regular review of access logs for unauthorized direct access or administrator/root access to table data containing ePHI. 21 Create a contingency plan to address any security failure 22 Implement processes to notify users and take other appropriate remedial action in the event of propagation of malicious software. 23 Unprotected ePHI shall not be sent via unencrypted email. 24 Employees must delete or redact ePHI from the body of received email before replying to it.