HIPAA Compliance Checklist

To comply with HIPAA, it helps to know exactly which items are required. Here is a checklist for the Technical Safeguards section of the HIPAA Security Rule.

The Technical Safeguards section covers the technology used to access and protect electronic PHI (ePHI). ePHI should be encrypted whenever it travels outside the organization’s internal perimeter. Under the Security Rule, encryption is an “addressable” implementation specification: you either implement it or document why an equivalent measure is reasonable and appropriate. Encryption also means that a breach of confidential patient information leaves it unreadable and unusable to whoever obtains it, and HHS treats PHI encrypted in line with its guidance as “secured”, which keeps it outside the breach notification requirements. Provided that the criteria are met, organizations can select whatever tools allow them to:

  • Implement access control – Assign each user a unique identifier, and define procedures for obtaining ePHI during an emergency
  • Authenticate PHI – Provide a mechanism to confirm that ePHI has not been improperly altered or destroyed (the integrity standard)
  • Authenticate users – Verify that a person or system seeking access to ePHI is who it claims to be
  • Encrypt and decrypt messages – Encrypt ePHI when it is sent beyond the internal firewalled environment, so that only authorized recipients can decrypt it on receipt
  • Audit and log activity – Audit controls should record attempted access to ePHI and what was done with the data once it was accessed
  • Automatically log off – Terminate sessions after a period of inactivity so that an unattended device does not give unauthorized people access

FAQ

Understanding HIPAA compliance is a crucial part of your network security compliance posture.

How can network security automation help me meet HIPAA requirements and comply with my HIPAA audit?

The audit controls standard of the HIPAA Security Rule requires covered entities to record and examine activity in systems that contain or use ePHI. Audit records have to state who accessed the data and through which application, along with enough additional detail to support a breach investigation. To make sure your organization is not accidentally violating HIPAA, or exposed to manual misconfiguration, you need a clear and repeatable change management process. By automating policy checks you can ensure that new rules introduced on your network do not violate HIPAA or other regulatory requirements, and centralized management of your entire hybrid network lets automation keep the whole estate in a state of continuous compliance. Automation also reduces the resources required to maintain HIPAA compliance. Network security automation, such as that provided by AlgoSec FireFlow and AppChange, can prevent rules that violate HIPAA requirements from being introduced to your network.

How can firewalls help my organization comply with the HIPAA Security Rule?

The HIPAA Security Rule establishes standards to protect electronic protected health information (ePHI) that a covered entity creates, receives, uses, or maintains, and requires safeguards that keep that information confidential and secure. Firewall rules are one way to enforce the access control standard: each employee’s computer is configured with only the network access that the person’s role needs. For example, an office manager may need patient names and appointment details but not clinical records, while a treating healthcare provider needs to reach the records of the patients under their care. You can write firewall rules that give the providers’ segment access to the systems holding healthcare records, due to their need-to-know, and deny it to employees who have no such need, and you can build a rule set per role so that each employee is given appropriate access based on his or her job. HIPAA firewall controls applied this way ensure that only the people authorized to access ePHI can reach the systems that hold it. They are a necessary part of maintaining HIPAA compliance and securing your organization; not implementing them puts your organization at risk of costly breaches and fines.
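The two answers above describe checking a proposed firewall rule against a need-to-know policy before it is deployed. The following is an added example written for this page, not AlgoSec code: it models a small set of network zones, an approved flow matrix (clinicians may reach the EHR database, the office manager’s zone may reach only the scheduling application) and a pre-change check that rejects any allow rule that is not an approved flow or whose source or destination is broader than a single zone. The zone names, addresses, ports and the change request are assumptions for illustration.

```python
"""Pre-change check of proposed firewall rules against a need-to-know zone policy.

Added example, not AlgoSec code. Zones, addresses and the flow policy are
assumptions for illustration; substitute your own.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical network zones (addresses are assumptions for the example).
ZONES = {
    "clinician_workstations": ipaddress.ip_network("10.10.1.0/24"),
    "admin_workstations": ipaddress.ip_network("10.10.2.0/24"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/16"),
    "ehr_db": ipaddress.ip_network("10.50.1.0/24"),
    "scheduling_app": ipaddress.ip_network("10.50.2.0/24"),
}

# Approved (source zone, destination zone) -> TCP ports. Anything not listed is
# denied by default. Assumed policy: clinicians need the EHR database for
# treatment; the office manager's zone only needs the scheduling application.
ALLOWED_FLOWS = {
    ("clinician_workstations", "ehr_db"): {5432},
    ("clinician_workstations", "scheduling_app"): {443},
    ("admin_workstations", "scheduling_app"): {443},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    port: int     # TCP destination port
    action: str   # "allow" or "deny"


def zone_of(cidr: str):
    """Name of the single zone that fully contains cidr, or None if it spans
    several zones (e.g. 0.0.0.0/0) or lies outside all of them."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def check_rule(rule: Rule) -> list:
    """Return the policy violations for one rule (empty list means compliant).

    Deny rules never widen access, so they always pass. An allow rule must sit
    inside exactly one source zone and one destination zone, and its port must
    be an approved flow between those two zones.
    """
    if rule.action != "allow":
        return []
    violations = []
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    if src_zone is None:
        violations.append(f"{rule.name}: source {rule.src} is not confined to one zone")
    if dst_zone is None:
        violations.append(f"{rule.name}: destination {rule.dst} is not confined to one zone")
    if violations:
        return violations
    if rule.port not in ALLOWED_FLOWS.get((src_zone, dst_zone), set()):
        violations.append(
            f"{rule.name}: {src_zone} -> {dst_zone} tcp/{rule.port} is not an approved flow")
    return violations


def check_change(rules) -> dict:
    """Map rule name -> violations for every rule in a proposed change that fails."""
    result = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            result[rule.name] = problems
    return result


# Constructed change request: one legitimate rule and two that must be rejected.
PROPOSED = [
    Rule("clinicians-to-ehr", "10.10.1.0/24", "10.50.1.0/24", 5432, "allow"),
    Rule("guest-to-ehr", "10.20.0.0/16", "10.50.1.0/24", 5432, "allow"),
    Rule("any-to-ehr", "0.0.0.0/0", "10.50.1.10/32", 5432, "allow"),
]

if __name__ == "__main__":
    for name, problems in check_change(PROPOSED).items():
        print(name, problems)
```

The over-broad source (0.0.0.0/0) is rejected before the flow matrix is even consulted, which is the common way an otherwise sensible change quietly exposes an ePHI system; a real workflow would run this check on every ticket and block the push when the result is non-empty.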

What are examples of some common safeguards I can take according to the HIPAA Security Rule?

According to the Technical Safeguards section of the Security Risk Assessment (SRA) Tool published by HHS for the HIPAA Security Rule, you can:

  • Employ hardware, software, and procedures that record and examine activity in information systems that contain or use ePHI.
  • Automatically capture and generate audit records that establish what occurred, when and where it occurred, its source, and the outcome. You should also record the identity of any individuals associated with the event.
  • Review and analyze audit records to spot any inappropriate or unusual activity.
  • Support on-demand audit review, analysis, and reporting requirements.
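The review step above is where most programs fall down: records are captured but nobody looks at them. The following is an added example written for this page, not AlgoSec code or part of the SRA Tool. It parses a constructed set of ePHI access audit records (the JSON line format, the role matrix and the thresholds are all assumptions) and flags three kinds of inappropriate or unusual activity: a successful read outside the user’s role, a burst of denied attempts, and one user pulling many distinct patients’ records in a short window.

```python
"""Review constructed ePHI audit records for inappropriate or unusual activity.

Added example, not AlgoSec code. The record format, the role matrix and the
thresholds are assumptions; adapt them to your own audit source.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (JSON lines). Not from any real system.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:01:12Z","user":"dr.lee","role":"clinician","resource":"clinical_record","patient_id":"P1001","src_ip":"10.10.1.15","outcome":"success"}
{"ts":"2024-03-04T09:03:40Z","user":"j.ortiz","role":"office_manager","resource":"demographics","patient_id":"P1001","src_ip":"10.10.2.7","outcome":"success"}
{"ts":"2024-03-04T09:05:02Z","user":"j.ortiz","role":"office_manager","resource":"clinical_record","patient_id":"P1002","src_ip":"10.10.2.7","outcome":"success"}
{"ts":"2024-03-04T09:10:00Z","user":"temp.acct","role":"billing","resource":"clinical_record","patient_id":"P1003","src_ip":"10.10.2.9","outcome":"denied"}
{"ts":"2024-03-04T09:10:20Z","user":"temp.acct","role":"billing","resource":"clinical_record","patient_id":"P1004","src_ip":"10.10.2.9","outcome":"denied"}
{"ts":"2024-03-04T09:10:45Z","user":"temp.acct","role":"billing","resource":"clinical_record","patient_id":"P1005","src_ip":"10.10.2.9","outcome":"denied"}
{"ts":"2024-03-04T23:15:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2001","src_ip":"10.10.1.22","outcome":"success"}
{"ts":"2024-03-04T23:17:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2002","src_ip":"10.10.1.22","outcome":"success"}
{"ts":"2024-03-04T23:19:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2003","src_ip":"10.10.1.22","outcome":"success"}
{"ts":"2024-03-04T23:21:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2004","src_ip":"10.10.1.22","outcome":"success"}
{"ts":"2024-03-04T23:23:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2005","src_ip":"10.10.1.22","outcome":"success"}
{"ts":"2024-03-04T23:25:00Z","user":"nurse.k","role":"clinician","resource":"clinical_record","patient_id":"P2006","src_ip":"10.10.1.22","outcome":"success"}
"""

# Assumed need-to-know matrix: which resource types each role may read.
ROLE_ALLOWED = {
    "clinician": {"clinical_record", "demographics"},
    "office_manager": {"demographics"},
    "billing": {"demographics", "billing"},
}

DENIAL_THRESHOLD = 3                  # denied attempts by one user ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within this window
BULK_THRESHOLD = 6                    # distinct patients read by one user ...
BULK_WINDOW = timedelta(hours=1)      # ... within this window (low for the demo)


def parse_records(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def review(records):
    """Return findings as dicts with keys type, user and detail."""
    findings = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
        # 1. Successful access to a resource the user's role does not need.
        if rec["outcome"] == "success" and rec["resource"] not in ROLE_ALLOWED.get(rec["role"], set()):
            findings.append({"type": "role_violation", "user": rec["user"],
                             "detail": f'{rec["role"]} read {rec["resource"]} for {rec["patient_id"]} at {rec["ts"]:%H:%M}'})
    for user, recs in by_user.items():
        # 2. Repeated denials in a short window: probing for PHI beyond one's access.
        denied = [r["ts"] for r in recs if r["outcome"] == "denied"]
        for i in range(len(denied) - DENIAL_THRESHOLD + 1):
            if denied[i + DENIAL_THRESHOLD - 1] - denied[i] <= DENIAL_WINDOW:
                findings.append({"type": "repeated_denials", "user": user,
                                 "detail": f"{DENIAL_THRESHOLD} denied attempts within {DENIAL_WINDOW}"})
                break
        # 3. Bulk access: many distinct patients read within one window.
        ok = [r for r in recs if r["outcome"] == "success"]
        for i, start in enumerate(ok):
            patients = {r["patient_id"] for r in ok[i:] if r["ts"] - start["ts"] <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                findings.append({"type": "bulk_access", "user": user,
                                 "detail": f"{len(patients)} distinct patients within {BULK_WINDOW}"})
                break
    return findings


if __name__ == "__main__":
    for finding in review(parse_records(SAMPLE_LOG)):
        print(finding)
```

Each finding carries the who, what, when and source that the audit record captured, so an analyst can go straight from the alert to the underlying records; in production the thresholds would be tuned per role (a ward nurse legitimately reads many charts per shift) and the role matrix would be derived from the same source that drives access control.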

What are some of the security risks healthcare organizations face with electronic health portals?

A vulnerable patient portal exposes PHI to application-layer attacks such as SQL injection and cross-site scripting (XSS). A network firewall does not inspect these: the portal needs secure coding (parameterized queries and output encoding) and a web application firewall (WAF) in front of it, with network firewall rules limiting which segments can reach the portal and its database. Suspicious access to PHI stored in files and databases should raise an alert or be blocked.
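To make the two attack classes concrete, here is an added example written for this page (not AlgoSec code, and the patient table is constructed): a portal lookup that splices user input into SQL beside its parameterized replacement, and an output-encoding step that stops a script stored in a patient’s name field from executing in the browser.

```python
"""Patient-portal lookup: injectable query beside the parameterized fix, plus
output encoding for the XSS case.

Added example, not AlgoSec code. The schema and rows are constructed.
"""
import html
import sqlite3


def make_db():
    """In-memory table standing in for a portal's patient store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, portal_user TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-001", "Ana Costa", "acosta"),
        ("MRN-002", "Ben Ito", "bito"),
        ("MRN-003", "Cy <script>alert(1)</script> Doe", "cdoe"),  # stored XSS payload
    ])
    return conn


def lookup_vulnerable(conn, portal_user):
    """Deliberately injectable: the user-controlled value is spliced into the SQL text."""
    sql = f"SELECT mrn, name FROM patients WHERE portal_user = '{portal_user}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, portal_user):
    """Parameterized: the driver binds the value, so quotes in it cannot alter the query."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE portal_user = ?", (portal_user,)
    ).fetchall()


def render_name(name):
    """Encode before placing a stored value in HTML so a stored script is shown, not run."""
    return f'<span class="patient">{html.escape(name)}</span>'


INJECTION = "x' OR '1'='1"   # classic tautology payload, constructed for the demo

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTION))   # every patient's MRN and name
    print(lookup_safe(db, INJECTION))         # []
    print(render_name(lookup_safe(db, "cdoe")[0][1]))
```

The injectable version returns every row for the tautology payload, which in a real portal is a reportable breach of every patient’s ePHI; the parameterized version returns nothing because the whole string is compared as a value. A WAF would likely catch this particular payload, but it is a backstop for the code fix, not a substitute.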

How AlgoSec Helps with HIPAA Compliance

AlgoSec automatically generates pre-populated, audit-ready compliance reports for leading industry regulations, which reduces audit preparation effort and cost. It uncovers gaps in the compliance posture, lets users remediate them, and instantly generates compliance reports that can be presented “as is” to auditors, with daily audit and compliance reporting across the entire heterogeneous network estate. As part of this process every firewall rule change is proactively checked for compliance violations before it is implemented, so users can maintain continuous compliance across their organizations.

See how AlgoSec can help with your HIPAA compliance

Check out these resources


Stop putting out fires. Pass network security audits – every time

Compliance with network and data security regulations and internal standards is vital and mission-critical. But with increasing global regulations and network complexities, it’s ...

The firewall audit checklist

Six best practices for simplifying firewall auditing and compliance, and reducing risk.


Regulations and compliance for the data center – A Day in the Life

The company has a hybrid network – multiple firewalls spread across a physical data center, Cisco ACI and Amazon Web Services. Each platform is protected by its own security cont...

Tips to Meet HIPAA Requirements


Conduct a network security audit

It is critical to periodically audit your network security controls. Network security audits identify weaknesses in your posture so you know where your security policies need to be adapted, and they demonstrate that you have done your due diligence in reviewing security and policy controls.


Conduct periodic compliance checks

Your network firewalls are a critical part of many regulatory requirements. Ensuring that your network firewalls comply with critical regulations is a core part of your network security posture.


Consider network segmentation

A network segmentation strategy breaks the network into multiple segments with controlled crossing points between them. If an attacker compromises one segment, the systems that hold PHI in other segments stay out of reach, which limits the scope of a breach.


Periodically evaluate your firewall rules

Following firewall rule best practices, periodically evaluate your rule base: identify and consolidate duplicate rules, remove obsolete or unused rules, and re-certify the remaining rules on a schedule.
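The three checks just listed are mechanical enough to script against an exported rule base. The following is an added example written for this page, not AlgoSec code: given an ordered list of rules with their last-hit dates (the rule base, addresses and the 90-day threshold are assumptions), it reports exact duplicates, rules shadowed by an earlier broader rule, and rules that have not matched traffic within the threshold. The shadowed case is the one to watch for during re-certification: a deny placed below a broad allow is never reached, so the access it was meant to block is still open.

```python
"""Find duplicate, shadowed and unused rules in an ordered firewall rule base.

Added example, not AlgoSec code. The rule base, last-hit dates and the
90-day unused threshold are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR
    dst: str                  # CIDR
    port: int                 # TCP destination port, 0 = any port
    action: str               # "allow" or "deny"
    last_hit: Optional[date]  # last time the device counted a match, None = never


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` would already match `earlier`,
    i.e. `later` can never be reached on a first-match firewall."""
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and (earlier.port == 0 or earlier.port == later.port))


def audit_rules(rules, today, unused_after=timedelta(days=90)):
    """Return (kind, rule name, detail) tuples; kind is duplicate, shadowed or unused."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src, earlier.dst, earlier.port, earlier.action) == \
                    (rule.src, rule.dst, rule.port, rule.action):
                findings.append(("duplicate", rule.name, f"identical to {earlier.name}"))
                break
            if covers(earlier, rule):
                findings.append(("shadowed", rule.name,
                                 f"never reached; {earlier.name} ({earlier.action}) matches first"))
                break
        if rule.last_hit is None or today - rule.last_hit > unused_after:
            findings.append(("unused", rule.name, f"no traffic in the last {unused_after.days} days"))
    return findings


# Constructed rule base, top to bottom in evaluation order.
TODAY = date(2024, 6, 1)
RULEBASE = [
    Rule("allow-clinicians-ehr", "10.10.1.0/24", "10.50.1.0/24", 5432, "allow", date(2024, 5, 31)),
    Rule("allow-clinicians-ehr-old", "10.10.1.0/24", "10.50.1.0/24", 5432, "allow", date(2023, 11, 2)),
    Rule("allow-ws-ehr-any", "10.10.0.0/16", "10.50.1.0/24", 0, "allow", date(2024, 5, 30)),
    Rule("deny-admin-ehr", "10.10.2.0/24", "10.50.1.0/24", 5432, "deny", None),
    Rule("allow-legacy-lab", "10.10.3.0/24", "10.60.0.0/24", 8080, "allow", date(2024, 1, 15)),
]

if __name__ == "__main__":
    for kind, name, detail in audit_rules(RULEBASE, TODAY):
        print(f"{kind:10} {name:28} {detail}")
```

In the constructed rule base the office-manager deny is shadowed by the broad workstation allow above it, so admin workstations can in fact reach the EHR database; the fix is to move the deny up or, better, to narrow the allow to the clinician segment, and both the duplicate and the stale lab rule can be removed once their owners confirm during re-certification that nothing depends on them.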

Choose a better way to manage your network