Key HIPAA Security Rule components:

- Appoint a security officer: Assign someone responsible for overseeing HIPAA security compliance, which includes managing risk assessments, audits and staff training.
- Implement access controls: Limit access to ePHI to authorized personnel only, and use strong password policies, multi-factor authentication (MFA) and role-based user access.
- Conduct regular risk assessments: These are explicitly required for HIPAA compliance. Covered entities and business associates are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).” This is often referred to as a “risk assessment” or “risk analysis.”
  ♦ A one-time risk assessment is not enough. Risk assessments need to be ongoing and periodic to ensure that new threats, vulnerabilities and changes to systems are consistently evaluated. This should be annually or as dictated by your organization’s risk profile.
  ♦ Document all risk assessment processes and results to meet HIPAA audit requirements.
- Schedule regular security audits: While a risk assessment identifies threats and vulnerabilities, security audits go deeper into validating whether your safeguards and controls are both in place and effective.
  ♦ Administrative safeguards: Audits check for proper security policies, workforce training, and contingency planning.
  ♦ Physical safeguards: Audits assess physical controls around facility access and device security.
  ♦ Technical safeguards: Audits evaluate technical controls such as encryption, access controls and network monitoring.
  ♦ By conducting these audits on a scheduled basis (e.g., annually or quarterly, depending on the organization’s size and risk profile), you can detect and address any areas of non-compliance before they become liabilities.
- Establish data backup systems: Regularly back up ePHI and store backups securely offsite.
- Enable audit logs: Activate and monitor audit logs for all systems handling ePHI.