HIPAA Compliance in A Year Handout
HIPAA Compliance should be an ongoing process and effort. This suggested handout divides HIPAA Compliance into monthly tasks, so you can pace your HIPAA efforts year-round.
NOTE: This handout aims to assist those who are new to HIPAA compliance. This suggested guideline aims to direct and organize your HIPAA tasks into a year-round task list. This is not a comprehensive handout, and HIPAA compliance should be addressed based on how your organization handles PHI.
- JANUARY: Identify PHI
- FEBRUARY: Conduct a Risk Assessment
- MARCH: Create a Risk Management Plan
- APRIL: Start Regular Employee Training
- MAY: Create an Incident Response Plan
- JUNE: Get Business Associates On Board
- JULY: Update Policies
- AUGUST: Test Your Employees
- SEPTEMBER: Test Your Employees (Continued)
- OCTOBER: Test Your Incident Response Plan
- NOVEMBER: Evaluate Your Technical Security
- DECEMBER: Assess Your Process
JANUARY: Identify PHI
HIPAA compliance begins with identifying how PHI flows in and out of your organization and documenting your findings. Create inventories and diagrams that document how PHI is created, stored, transmitted, or received in your organization.
Find where your protected health information (PHI) is located by identifying:
All processes your data goes through
Computers your data sits on
Everyone who touches your data
Any technology that has access to your data
Interview every department that touches PHI in any way, including third parties
Talk to different people within each department
See if they can uncover processes and technologies that no organization chart, tool, or previous data analysis can expose
Identify and document:
How data enters your environment
Where it goes after entering the environment
Where it’s stored:
If it’s sent off to a third party
If it’s printed and stored
If it’s recorded straight into the electronic health record (EHR) system
Workforce members who can extract PHI from the EHR system
How employees store PHI after they download it from the EHR system
How data is encrypted in every place it is stored, even temporarily
Ensure you understand how technology and personnel affect PHI by documenting every:
Network device
Server
Medical device connected to the Internet
Workstation
Mobile device (tablet/laptop/smartphone)
Employee BYOD smartphone used to interact with PHI
Document what you’ve learned and consider:
Drawing diagrams
Making lists
Recording the who, what, when, where, how, and why of your PHI
Process and organize your PHI information by:
Crafting a PHI flowchart for each different PHI flow
Ensure your PHI flowchart documents every instance in your environment where PHI could:
Enter
Exist
Exit
FEBRUARY: CONDUCT A RISK ASSESSMENT
With your intimate knowledge of your systems, technologies, and processes (from January), locate the risks, threats, and vulnerabilities that currently exist in your organization to create your HIPAA Risk Analysis.
- Analyze these questions to locate problem areas:
What vulnerabilities exist in your systems, applications, processes, or people?
What threats exist for each of those vulnerabilities?
Internal
External
Environmental
Physical
What is the probability of each threat triggering a specific vulnerability?
Do you use the cloud?
What are the implications there?
How are physical copies of PHI stored?
Is encryption implemented throughout the entire organization?
Do third parties use multi-factor authentication when using remote access into your environment?
When employees leave workstations, do they turn on a password-protected screensaver?
Capture each vulnerability, recording:
Potential impact
Probability
Risk rankings resulting from probability and impact
Document your entire process using a known risk assessment framework, such as FAIR, OCTAVE, or NIST 800-30
MARCH: CREATE A RISK MANAGEMENT PLAN
Your risk management plan should address prioritized risks discovered during your risk assessment. Spend February crafting a thorough risk management plan by working with your directors, IT, security administrators, and anyone else who should be involved.
As you prioritize, ask yourself:
What are the most critical parts of your risk management plan?
Which vulnerabilities are most likely to be exploited this year?
Where are our highest threats?
Pick the top five problems at your organization
Resolve these issues first
Remediate the rest of your threats and vulnerabilities
APRIL: START REGULAR EMPLOYEE TRAINING
Workforce members are the front line of healthcare security. Successful security training and awareness programs help people do their jobs in a way that doesn’t lead to a breach of patient information.
During your planning phase, consider these recommendations:
Tailor training to be relevant to specific roles
Require training before workforce members access PHI
Implement small, regular training sessions throughout the year
Place security reminders near where errors might occur, such as email banners reminding employees not to click on links
Decide how often you’ll train employees and which methods you will use
Schedule workforce member training sessions
Document your employee training
MAY: CREATE AN INCIDENT RESPONSE PLAN
With a better understanding of the most likely scenarios for your environment, you can personalize your incident response plan. Even if you already have an incident response plan, you can update it with your current systems, processes, and assigned personnel.
Use the information gleaned from your risk analysis and risk management plan to create your incident response plan
Develop realistic example situations using these questions:
What types of security precautions are in place?
What is the protocol if an employee suspects a data breach?
Internally and externally, who should be notified if an incident occurs?
Do employees know their responsibilities before, during, and after an incident?
What if a co-location or business associate is involved in the incident?
Address these steps and scenarios when preparing your incident response plan:
Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach
Develop incident response drill scenarios
Regularly conduct mock data breaches to evaluate your incident response plan
Ensure that the elements of your incident response plan (training, execution, hardware and software resources, etc.) are:
Approved by your organization
Funded in advance
Record answers to these questions if breached:
When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?
Disconnect affected devices from the internet
Devise a prevention plan for the future
Update and patch your systems
Review your remote access protocols
Change all user and administrative access credentials
Harden all passwords
Find and eliminate the cause of your breach
Securely remove malware
Ensure no trace of malware remains
Restore and return affected systems back into your business environment
Answer these questions to ensure you make a full recovery
When can systems be returned to production?
Have systems been patched, hardened and tested?
Can the system be restored from a trusted back-up?
How long will the affected systems be monitored and what will you look for when monitoring?
What tools will ensure similar attacks will not reoccur? (e.g., File integrity monitoring, intrusion detection/protection)
JUNE: GET BUSINESS ASSOCIATES ON BOARD
Follow up with every third party that could potentially impact the security of your patient data by having them sign a business associate agreement (BAA) containing language specified in the HIPAA regulations.
Implement or update your BAA template to make sure it follows the language outlined by HHS, which in general:
Establishes the permitted and required uses and disclosures of PHI
Provides that the BA will not use or disclose PHI other than as permitted or required by the contract or by law
Requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the information
Requires the BA to report to the covered entity any use or disclosure of the information not provided for by its contract, including breaches
Requires the BA to adhere to additional requirements specified in the regulations
Follow up with business associates on the state of their HIPAA compliance
Establish policies and procedures requiring due diligence prior to engaging with new business associates to make sure they will protect PHI and comply with HIPAA
JULY: UPDATE POLICIES
To maintain HIPAA compliance, update your current policy and procedure documentation, and ensure employees are appropriately trained.
Update your breach notification policies by including documentation of:
Members and contact information of your breach response team
State and federal breach response laws
Who to notify in case of a breach (e.g., stakeholders, the HHS, law enforcement, patients, and the public)
Response timelines
Update your security policies in your business plan by including:
Firewall configuration standards
Job descriptions
Network time protocol (NTP) configuration procedures
Physical security procedures
Security awareness training procedures
Workstation functions
Update your privacy policies in your business plan by including (as applicable):
Accounting of disclosures of PHI
Patient access to PHI
Authorization for release of PHI
Minimum necessary for uses and disclosures of PHI
Safeguarding and storing PHI
Destruction of PHI
Ensure your employees are appropriately trained to follow policies and procedure
Review policies on a regular basis and ensure they are updated with:
System
Personnel
Technology changes
AUGUST & SEPTEMBER: TEST YOUR EMPLOYEES
The best way to analyze the effectiveness of your security training program is through employee testing to learn how your employees respond to security threats in a controlled environment.
Complete a Social Engineering training:
Hire an ethical social engineer (or third party agency) to see if employees will question or report someone who doesn’t belong in their work environment
Record how your employees react
Document your results by answering the following questions:
How was the test conducted?
Who participated in the test?
When was the test conducted?
Complete phishing training:
Ask your IT team (or hire a third party) to create a fake phishing email
Send your staff the fake phishing email
Track the number of people who fall for the phishing email
Document your results by answering the following questions:
How was the test conducted?
Who participated in the test?
When was the test conducted?
Create a future plan to mitigate the results from both of your tests
When you test workforce members on security topics, gaps in their knowledge should be used to improve your program, not punish the learner
Consider outlining the statistics of your training to present to your board of directors
OCTOBER: TEST YOUR INCIDENT RESPONSE PLAN
Through comprehensive testing, you’ll be able to answer the question that really matters: does your incident response plan actually work?
Schedule a day to test your incident response plan
Use the scenarios developed previously to test for:
How your employees work together
How your employees make decisions in stressful situations
How fast your employees resolve issues
If your employees follow your plan and policies
Document both failures and successes during your test
Use your results to adjust your incident response plan or training as needed
NOVEMBER: EVALUATE YOUR TECHNICAL SECURITY
Performing automated/manual scans and penetration tests can help you identify and remediate issues as they appear.
Conduct regular vulnerability scans
Research penetration testing providers
Choose a pen tester by verifying that:
They follow industry best practice standards
They communicate their testing methodologies
Consider using this Penetration Testing Timeline
Determine your pen test date by answering these questions:
Is the pen test starting early enough to leave time for remediation later?
Is this during a busy time of the year?
Will office operations be interrupted?
How much notice should we give everyone?
Conduct a penetration test
DECEMBER: ASSESS YOUR PROCESS
HIPAA is not just an annual process but an ongoing one. Your HIPAA compliance should be reanalyzed every year and updated continuously based on changes in your organization.
Assess where you are and how far you’ve come
Set HIPAA goals and milestones for next year
Plan out employee training based on risks and vulnerabilities you found during your risk assessment this year
Remember to document your plans for next year