A HIPAA Technical Safeguards Risk Assessment Checklist

The HIPAA Technical Safeguards Requirement focuses on how electronic Protected Health Information (ePHI) is stored. While the Security Rule as a whole sets out security requirements, the technical safeguards requirements focus on the technology used to meet them. Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risks and the controls that mitigate them.

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards cover the technology that protects ePHI, including communications that transmit PHI electronically over open networks.

Who is a healthcare provider?

According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.

If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.

What is a covered entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.

What is a business associate?

This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.

This broad definition incorporates everyone from third-party administrators assisting with healthcare claims processing to certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure that business associate is HIPAA compliant.

What Can I Do To Get Compliant?

Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine where the organization is most vulnerable. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks through a set of 156 questions.

The Security Risk Assessment Tool groups those 156 questions into three categories: administrative safeguards, technical safeguards, and physical safeguards.

What are technical safeguards?

The HIPAA Security Rule requires that covered entities and business associates protect ePHI by implementing controls that create a secure IT environment. Leaving ePHI unsecured not only creates a legal liability under HIPAA but also places the confidentiality, integrity, and availability of patient information at risk.

Risk Assessment

  • Create an inventory of all information systems within your environment including hardware, software, applications, and electronic devices.
  • Review roles and responsibilities for information risk.
  • Determine risk associated with remote access.
  • Review business associate roles and risks to ePHI.
  • Identify information system components and electronic devices with data capabilities.
  • Review key audit events, such as activities that create, store, and transmit ePHI, to create risk-based categorizations for audit timings.
  • Assess and measure intentional or malicious disclosure risk arising out of information transmission or reception.
  • Review authentication requirements for scalability, practicality, and security, balancing ease of ePHI access against protections for information systems that adequately mitigate risk.
  • Assess and measure the risk of unintentional or malicious access to or modification of information while it is being prepared for transmission or being received.

Technical Safeguards Plan and Policy

  • Establish technical policies and procedures for electronic information systems maintaining ePHI focusing on authorized access.
  • Share with workforce members an access control policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Share with workforce members the procedures that enable implementation of the access control policy and associated access controls.

User Authorization/Segregation of Duties

  • Review user activities for creation, storage, and processing of ePHI within information systems.
  • Separate workforce member duties and service provider duties to define ePHI access authorizations to support segregation of duties.
  • Use the principle of least privilege/minimum necessary access for ePHI.
  • Enforce role-based access control (RBAC) policies based on workforce member and service provider duties and needs.

Identification and Authorization

  • Share with workforce members an identification and authorization policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Create unique identification for each workforce member within a group account to establish accountability.
  • Assign a unique name and/or number to track and identify user activity.
  • Establish and implement a registration process, including supervisory authorization, for new identifiers.
  • Prohibit reuse of information system account identifiers.
  • Identify information system components and electronic devices with auto log-off capabilities.
  • Implement electronic procedures that limit session duration and terminate the session automatically.
  • Enforce session locks for inactivity or user request.
  • Establish rules for continuing session lock until user reestablishes access with appropriate identification and authentication procedures.
  • Incorporate authentication measures such as passwords, tokens, biometrics, or some combination of these to create multifactor authentication.
  • Establish short-term emergency accounts allowing emergency access.
  • Create automatic removal or deactivation of emergency accounts once business operations return to normal.

Contingency Plan and Policy

  • Establish and implement procedures for obtaining ePHI during an emergency.
  • Clearly define emergencies and the circumstances that trigger the contingency plan, including natural and environmental threats as well as human threats such as unauthorized employee or service provider access.
  • Identify the individual responsible for activating the emergency access method.
  • Ensure RBAC policy defines workforce and service provider roles and access based on defined user roles.
  • Implement RBAC policies and employ audited and automated access control mechanism overrides for emergency situations.
  • Establish an alternate storage site with necessary agreements to permit storage and retrieval of exact copies of ePHI.
  • Ensure alternate storage site provides information security safeguards comparable to your own.
  • Identify roles and responsibilities for ePHI access and critical information systems needed during an emergency within contingency plan.
  • Incorporate into the contingency plan essential activities and associated requirements, including roles, responsibilities, and the process to restore systems, including emergency access termination and reinstitution of normal access controls.
  • Share with workforce members the contingency planning policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Establish a predetermined time period and implement restoration capability for information systems to match this period.

Systems and Communications Protection

  • Implement encryption and decryption mechanisms for ePHI.
  • Implement cryptographic mechanisms to prevent unauthorized ePHI disclosures.
  • Implement cryptographic mechanisms to detect information changes during transmission unless physical security controls protect information.
  • Share with workforce members a systems and communications policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Information Integrity

  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Implement technical security measures to protect ePHI transmitted over an electronic communication network.
  • Implement security measures to ensure ePHI transmitted electronically is not improperly modified without detection prior to regulatory disposal time.
  • Incorporate “Identification and Authorization” and “Systems and Communications” protections as part of guarding against threats and vulnerabilities to information integrity.
  • Establish and implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed improperly.
  • Use integrity verification tools to detect unauthorized changes.
  • Implement procedures to verify the identity of a person or entity seeking ePHI access.
  • Provide management notification of any discrepancies during integrity validation.
  • Share with workforce members an information integrity policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
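
The integrity corroboration and discrepancy-notification items above, as an added example that is not part of this checklist or of any ZenGRC tooling: a SHA-256 manifest over ePHI files, authenticated with an HMAC so the manifest itself cannot be silently rewritten alongside a tampered file, and a verification pass that reports modified, destroyed and unexpected files. The key, file paths and record contents are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed key that authenticates the manifest itself, so an attacker who edits a
# file cannot simply re-hash it into the manifest. Constructed for this example;
# in practice it lives in a secrets store, not in source.
MANIFEST_KEY = b"example-manifest-key-not-for-production"

def build_manifest(files: dict[str, bytes]) -> dict:
    """Record a SHA-256 digest per ePHI file plus an HMAC over the whole record."""
    digests = {p: hashlib.sha256(d).hexdigest() for p, d in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "hmac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}

def verify_manifest(manifest: dict, files: dict[str, bytes]) -> dict:
    """Compare current contents with the manifest and report every discrepancy
    (modified, missing/destroyed, unexpected files) for management notification."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest itself was tampered with: nothing below can be trusted.
        return {"manifest_valid": False, "modified": [], "missing": [], "unexpected": []}
    recorded = manifest["digests"]
    return {
        "manifest_valid": True,
        "modified": sorted(p for p in recorded
                           if p in files and hashlib.sha256(files[p]).hexdigest() != recorded[p]),
        "missing": sorted(p for p in recorded if p not in files),
        "unexpected": sorted(p for p in files if p not in recorded),
    }

# Constructed sample: ePHI records at manifest time, then a later snapshot in which
# one record was altered, one destroyed and one unexpected file appeared.
BASELINE = {
    "ephi/patient-001.json": b'{"mrn": "001", "dx": "J45.909"}',
    "ephi/patient-002.json": b'{"mrn": "002", "dx": "E11.9"}',
    "ephi/patient-003.json": b'{"mrn": "003", "dx": "I10"}',
}
CURRENT_FILES = {
    "ephi/patient-001.json": b'{"mrn": "001", "dx": "J45.909"}',
    "ephi/patient-002.json": b'{"mrn": "002", "dx": "E11.65"}',
    "ephi/patient-004.json": b'{"mrn": "004", "dx": "K21.9"}',
}

def integrity_report() -> dict:
    return verify_manifest(build_manifest(BASELINE), CURRENT_FILES)
```

Storing the manifest and its key apart from the data it describes is what makes the HMAC check meaningful; a manifest kept world-writable next to the files adds little.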

Internal and External Audit Requirements

  • Identify and periodically review and update key audit events such as activities that create, store, and transmit ePHI.
  • Identify and periodically review and update key audit events that are significant to securing information systems and their environments, to support ongoing audit needs.
  • Determine audit scope and frequency based on risk categorization of key audit events.
  • Share with workforce members an audit and accountability policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Implement hardware, software, and/or procedural mechanisms that record and examine information system activities if those systems contain or use ePHI.
  • Configure information systems and components so they automatically capture and generate audit records.
  • Ensure these records contain information establishing event type that occurred, when it occurred, where it occurred, its source, and the outcome.
  • Collect identity information for the individuals and subjects of the event.
  • Periodically review or analyze information system audit records for indications of inappropriate or unusual activity.
  • Provide audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements without altering the original content or time ordering of records.
  • Conduct backups of user-level, system-level, and security-related documentation for ePHI.
  • Test continuity and emergency operations to ensure activation of emergency access.
  • Test RBAC policies to ensure the assigned individual has appropriate emergency mode access and permissions to ensure continuity.
  • Allocate audit storage capability based on audit types and audit processing requirements and configure systems to periodically transfer audit records to an alternate system or media for effective storage utilization.
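
The audit-record requirements in the list above (event type, when, where, source, outcome, and the identities involved) together with the periodic review for unusual activity, as an added example that is not from the original page: it checks JSON-lines audit records for those fields without reordering them and flags actors with repeated failed ePHI access. The log lines, field names and the failure threshold are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Fields an audit record must carry per the checklist above: what happened, when,
# where, its source, the outcome, and the identity of the actor and the subject.
REQUIRED_FIELDS = ("event_type", "timestamp", "location", "source", "outcome", "actor", "subject")
FAILURE_THRESHOLD = 3  # assumed: this many failures by one actor warrants review

# Constructed sample audit log (JSON lines) from a hypothetical ePHI application.
SAMPLE_LOG = """\
{"event_type":"ephi.read","timestamp":"2024-03-04T09:12:01Z","location":"ehr-app-01","source":"10.0.5.21","outcome":"success","actor":"nurse.kim","subject":"mrn:001"}
{"event_type":"ephi.read","timestamp":"2024-03-04T09:13:44Z","location":"ehr-app-01","source":"10.0.5.21","outcome":"failure","actor":"contractor.lee","subject":"mrn:002"}
{"event_type":"ephi.read","timestamp":"2024-03-04T09:13:50Z","location":"ehr-app-01","source":"10.0.5.21","outcome":"failure","actor":"contractor.lee","subject":"mrn:003"}
{"event_type":"ephi.update","timestamp":"2024-03-04T09:14:02Z","location":"ehr-app-02","outcome":"success","actor":"dr.patel","subject":"mrn:001"}
{"event_type":"ephi.read","timestamp":"2024-03-04T09:14:10Z","location":"ehr-app-01","source":"10.0.5.21","outcome":"failure","actor":"contractor.lee","subject":"mrn:004"}
"""

def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records, keeping the original order (never re-sort)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_fields(record: dict) -> list[str]:
    """Return the required fields this record fails to establish; an unparseable
    timestamp counts as a missing 'when'."""
    absent = [f for f in REQUIRED_FIELDS if not record.get(f)]
    try:
        datetime.fromisoformat(record.get("timestamp", "").replace("Z", "+00:00"))
    except ValueError:
        if "timestamp" not in absent:
            absent.append("timestamp")
    return absent

def review(records: list[dict]) -> dict:
    """Review report: incomplete records (by position in the log, so the original
    ordering is preserved) and actors whose failed ePHI accesses reach the threshold."""
    incomplete = {i: missing_fields(r) for i, r in enumerate(records) if missing_fields(r)}
    failures = Counter(r["actor"] for r in records
                       if r.get("outcome") == "failure" and r.get("actor"))
    suspicious = sorted(a for a, n in failures.items() if n >= FAILURE_THRESHOLD)
    return {"records": len(records), "incomplete": incomplete, "repeated_failures": suspicious}

if __name__ == "__main__":
    print(json.dumps(review(parse_log(SAMPLE_LOG)), indent=2))
```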

For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.