HIPAA (HiTech) Small Provider Brief/Checklist.

*From the HIPAA Security Series on Small Providers

ePHI Health Information Security Requires Continual Assessment of Risks to Electronic Health Information. Regardless of the type of safeguard your practice chooses to implement, it is important to monitor its effectiveness and regularly assess your health IT environment to determine if new risks are present.

Implementation of the Security Rule standards, implementation specifications and requirements as they relate to covered entities that are sole practitioners or otherwise considered small providers.

Providers face major problems if their patients sensitive information is stolen, misused, or unavailable.

The Security Rule provides a flexible, scalable and technology neutral framework to allow all covered entities to comply in a manor that is consistent with unique circumstances of their size and environment.

All covered entities must comply with the applicable standards, implemented specifications, and requirements of the Security Rule with respect to EPHI, even though a small provider might not have a full time IT Staff.

A covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits, or maintains.

An implementation specification is a more detailed description of the method or approach covered entities can use to meet particular standard.

A required implementation specification is similar to a standard, in that a covered entity must comply with it.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity's environment.

Upon reasonable analysis, a covered entity may find that an addressable specification or any alternative measures not be implemented. This must be documented with a reasons to the exemption for all decisions. Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure, and resources. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Checklist

• Security Management Process: Implement policies and procedures to prevent, detect, contain and correct security violations
• Risk Analysis: Conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
• Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
• Workforce security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
• Authorization and/or Supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
• Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).
• Password Management: Implement procedures for creating, changing, and safeguarding passwords.
• Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
• Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
• Business Associate Contracts and Other Arrangements: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
• Written Contract or Other Arrangements: Document the satisfactory assurances required by this section through a written contract or other arrangement with the business associate that meets the applicable requirements.
• Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.
• Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
• Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).
• Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
• Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out a facility, and the movement of these items within the facility.
• Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
• Data Backup and Storage: Create a retrieval, exact copy of electronic protected health information, when needed, before movement of equipment.
• Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
• Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
• Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
• Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Information security is a necessity in today’s world. Preventing unauthorized use of sensitive health information is a core goal of every participant in the health care industry. The Security Rule allows covered entities, including small providers, to implement reasonable and appropriate measures that enable them to comply with the Rule.