The HIPAA encryption requirements are part of the Security Rule standards for access controls and transmission security. The first standard aims to ensure that ePHI is unreadable, undecipherable, and unusable by those not granted access rights. The second standard requires covered entities to use technological security measures to protect ePHI transmitted over electronic communications networks from unauthorized access.
Table of Contents
HIPAA compliance checklist
HIPAA compliance checklist aids organizations and business partners in complying with HIPAA standards. There is no one-size-fits-all checklist due to various companies and services. The 2011 HHS Office of the Inspector General checklist outlines seven essential elements.
- Develop policies and procedures to help you comply with the Privacy Rule.
- Establish a Privacy and Security Officer, as well as, if possible, a compliance team.
- Implement successful training programs rather than infrequent training sessions.
- Enable mechanisms for reporting complaints, concerns, violations, and breaches.
- Monitor compliance to avoid undesirable behaviors from becoming cultural norms.
- Apply punishments to employees in a fair, equal, and visible manner.
- Respond to reported complaints, concerns, violations, and breaches as soon as possible.
HIPAA Risk Assessment Checklist
To ensure compliance, all enterprises subject to Administrative Simplification rules should create a HIPAA risk assessment checklist completed by a designated HIPAA Privacy or Security Officer. This checklist serves as the foundation for all other HIPAA checklists and should look like this:
- Identify the PHI created, received, stored, and communicated by the organization, including PHI sent to/from other Covered Entities, Business Associates, and/or subcontractors.
- Identify any human, natural, or environmental hazards to the privacy of personally identifiable health information, as well as the security, integrity, and availability of electronic protected health information (ePHI).
- Examine the efficacy of current policies, processes, and safeguards in place to avoid HIPAA breaches and reduce the possibility of a reasonably expected data breach.
- Determine the possible impact of reasonably expected HIPAA violations and data breaches and assign a risk rating to each kind of incident based on its likelihood and impact.
- Document the results and, if appropriate, establish additional policies, procedures, and measures, including training workforce members on major changes to current rules and procedures.
- Document the HIPAA risk assessment checklist, the reason for introducing new policies, procedures, and measures, and any substantial changes in training. The records must be kept for at least six years.
HIPAA Data at Rest Encryption Requirements
HIPAA data at rest encryption requirements protect ePHI stored on servers, desktop files, USBs, and mobile devices from hackers. Applying these requirements to all data, including login credentials and authentication codes, creates obstacles for hackers to move onto easier targets. Unencrypted devices are easy targets for hackers, who can use malware, phishing, or brute force attacks to access them. Although encrypted access may slow down processes, the increased security compensates for the loss in productivity.
HIPAA Compliant Email Encryption Software
HIPAA-compliant email encryption software is the most effective way to protect ePHI in transit, encrypting text content, file or image attachments. However, using an email service alongside HIPAA-compliant software requires a Business Associate Agreement. Encryption is one of two implementation specifications required by the transmission security standard, along with integrity controls. Instant Messaging apps like WhatsApp are not HIPAA compliant. Implementing a HIPAA-compliant email archiving solution ensures the integrity and availability of ePHI.
HIPAA-compliant encryption reduces the likelihood of unsecured ePHI breaches, improving compliance with a recognized security framework. This reduces administrative overhead, improves compliance history with HHS’ Office for Civil Rights, and allows for flexible compliance investigations and corrective action plans.