Health Insurance Portability and Accountability Act/Audit guidelines and checklist
The following guidelines and checklist items provide a frame of reference for vendors and auditors to better determine potential compliance issues with the Health Insurance Portability and Accountability Act and a variety of other regulatory guidelines.
The checklist focuses largely on computerized systems that house Protected Health Information (PHI) under the HIPAA regulations. Since a computerized system exists as part of a complete operation, even when it is hosted by a cloud provider, the checklist covers the majority of the regulation. That the whole regulation applies even to cloud companies is underscored by the HITECH Act modifications to HIPAA, under which business associates are directly liable for compliance with the applicable HIPAA requirements rather than being bound merely by contract.
Security Management Process
- Does a detailed risk assessment exist regarding potential vulnerabilities to the confidentiality, integrity, and availability of PHI?
- Does the assessment identify actions to mitigate certain risks? Have these actions been taken, or have plans been generated to take these actions?
- Does a policy exist specifying sanctions to be taken against employees who fail to comply with security policies and procedures?
- Is there a system in place for regular review of system activity, including things such as audit logs and incident reports?
Assigned security responsibility
- Is there a formally identified individual who is responsible for developing and implementing security policies?
- Has this individual, or the individual's direct reports, developed and implemented security policies?
- Collect evidence that the security policies are actually implemented (Group Policy reports from the Active Directory domain controllers, for instance, rather than the policy documents alone).
Workforce security and Information Access Management
- Do procedures exist governing access to PHI by employees?
- Are employees who should not have access to PHI prevented from accessing it?
- If employees are permitted to access systems that contain PHI, but are not permitted to access PHI, does the system have suitable controls to prevent that access?
- View system accesses by both individuals who have access to PHI and those who don't, and evaluate potential areas of weakness in the security measures.
- Do processes exist for authorizing access to PHI? Do these processes seem reasonable?
- Are employees who have access to PHI supervised appropriately? Do their supervisors have adequate training and understanding regarding the treatment of PHI?
- Are adequate procedures in place governing the termination of employees with access to PHI?
- Do these procedures include appropriately timed termination of accounts (i.e., in the case of involuntary termination, is the account disabled before the employee has an opportunity to cause harm)?
- For voluntary terminations, are procedures in place that require the supervisor to evaluate the need for continued access to PHI prior to the departure of the employee in question?
- Is there a clear requirement for communication with system administrators and IT staff regarding affected accounts?
- If a health clearinghouse is part of a larger organization, confirm that adequate controls exist that prevent the larger organization from accessing PHI.
- Do the PHI access procedures apply to the IT/IS organization? That is, is access to PHI only allowed for IT/IS employees with a legitimate business reason to access that data? Are IT/IS employees adequately trained in the HIPAA regulations, internal policies and procedures regarding PHI?
Security Awareness and Training
- Is there a formal and documented training program for employees who deal with PHI?
- Are employees provided training on principles of security?
- Are there procedures in place for addressing malicious software, including its detection and reporting? Are employees prevented from accessing remote sites that are at high risk of hosting malicious software?
- Is there a system for ensuring that security protection software (in particular anti-virus programs and firewalls) is updated periodically?
- For outward-facing applications, is there a process by which security flaws in components (such as Java runtimes or other third-party libraries) are identified and fixed?
- For systems that provide access to PHI, do they track log-ins, and in particular failed logins?
- Does the system lock out users after a specified number of failed logins?
- Are system administrators notified if such an event occurs?
- Is there evidence that administrators respond to such events in an appropriate manner?
- Are there policies governing password complexity, change frequency and reuse? Are the policies consistent with current industry standards (for example, NIST SP 800-63B)?
- Are employees trained to maintain strict secrecy regarding their passwords?
- Are there procedures mandating that IT may not request passwords from users?
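The items above on tracking failed logins, locking out accounts and notifying administrators can be checked against the system's own authentication log. The following is an added example written for this checklist, not code from the page's author or from any product: it parses a constructed, syslog-style authentication log, applies an assumed lockout policy (five consecutive failures within fifteen minutes), and flags the case an auditor most wants to see, an account that crossed the lockout threshold and then logged in successfully. The log line format, the field names and the thresholds are assumptions and should be replaced with those of the system under audit.

```python
"""Failed-login review over an application authentication log.

Added example for the audit checklist; not part of HIPAA or of any product.
Log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> auth <success|failure> user=<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log for this example (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth failure user=jdoe src=10.0.0.5
2024-03-01T08:00:07 auth failure user=jdoe src=10.0.0.5
2024-03-01T08:00:12 auth failure user=jdoe src=10.0.0.5
2024-03-01T08:00:20 auth failure user=jdoe src=10.0.0.5
2024-03-01T08:00:25 auth failure user=jdoe src=10.0.0.5
2024-03-01T08:00:31 auth success user=jdoe src=10.0.0.5
2024-03-01T08:05:00 auth failure user=asmith src=10.0.0.9
2024-03-01T09:30:00 auth failure user=asmith src=10.0.0.9
2024-03-01T09:31:00 auth success user=asmith src=10.0.0.9
2024-03-01T09:31:05 this line is malformed and must be skipped
"""


def parse_log(text):
    """Return a list of (timestamp, result, user, src) for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # an auditor would count unparseable lines separately
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def lockout_candidates(events, threshold=5, window=timedelta(minutes=15)):
    """Return {user: time the lockout threshold was first reached}.

    Counts failures per user inside a sliding window; a success resets the
    counter, as a real lockout counter would. Failures older than `window`
    drop out, so slow, spread-out failures never reach the threshold.
    """
    recent = defaultdict(list)
    locked = {}
    for ts, result, user, _src in sorted(events):
        if result == "success":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold and user not in locked:
            locked[user] = ts
    return locked


def success_after_lockout(events, locked):
    """Users who logged in successfully after crossing the lockout threshold.

    A correctly enforced lockout should make this list empty; a non-empty
    list means either the lockout is not enforced or the password was
    guessed, and either way an administrator should have been notified.
    """
    return sorted({u for ts, r, u, _ in events
                   if r == "success" and u in locked and ts > locked[u]})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    locked = lockout_candidates(ev)
    print("lockout threshold reached:", locked)
    print("review, success after lockout:", success_after_lockout(ev, locked))
```

When reviewing a real system, compare the accounts this reports against the administrator notifications and the incident records for the same period; a threshold crossing with no corresponding notification is evidence against the "are administrators notified" item.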
Security Incident Procedures
- Are procedures in place for responding to security incidents?
- Is there evidence that these procedures are being followed? (Review any logs or files recording actions taken in response to security incidents.)
- Does the organization have a comprehensive disaster preparedness/business continuity plan?
- Does the plan include a backup and recovery procedure for all system data?
- Does the plan adequately address how operations can be continued under various scenarios?
- Does the plan include procedures for testing the various elements of the plan to ensure they are still valid?
- Does the plan address the criticality of the various systems in its design?
- Is a periodic re-evaluation of security standards undertaken?
- Does the re-evaluation take into account changes in the current state of IT security and the environment of threats facing secured systems, as well as the current state of the regulations?
Business Associate Agreements
- If components of the system are held outside the direct control of the company, such that PHI will be outside of the direct control of the company, do sufficient agreements exist to guarantee that the party responsible for handling the PHI will adhere to the requirements of the regulation?
- Are these agreements in such a form that they qualify as a contract or equivalent?
Facility Access Controls
- Is the facility containing the system (this includes electronic access points that connect to the system in a "non-secure" manner) sufficiently protected from unauthorized access?
- Is access to application and database servers further restricted to only those personnel who are authorized to directly interact with those elements of the system (i.e., system administrators)?
- Is there a system that limits access to facilities, and to areas within facilities, to authorized personnel? Does this system implement a mechanism for confirming the identity of individuals accessing the facility (e.g., an electronic key access system)?
- Does this system apply to visitors as well?
- Is access to systems used for testing and revision of software similarly restricted? Evaluate the access restrictions to tools that could be used to modify and deploy the software. Ensure that these access restrictions are addressed via SOP.
- Do procedures exist which govern the class of workstation that can be used to access PHI?
- Are workstations that are used to access PHI appropriately restricted?
- If workstations can directly interact with PHI without additional controls, are the workstations secured in appropriately restricted areas?
Device and Media Controls
- Are procedures in place governing the use and removal of hardware and storage media used to house PHI?
- Do the procedures seem reasonable?
- Do procedures exist regarding the disposal of media and devices used to store PHI?
- Are records maintained that account for the movement of such media, and who moved it?
Technical Safeguards
- Do systems with access to PHI have a robust authentication process for gaining access?
- Do these systems require that every user has a unique ID?
- Are password assignment, change, recovery, and related processes designed in such a way so as to ensure that the user gaining access to PHI is who they say they are?
- Is there a mechanism for gaining access to necessary PHI in the event of an emergency (often called "break-glass" access)? Is this mechanism designed so that it cannot be invoked quietly during non-emergencies, i.e., is every invocation logged, alerted on and reviewed?
- Does this system automatically log off users after a defined period of inactivity?
- Does the system maintain PHI in an encrypted state at rest?
- Do systems used for PHI maintain audit trails which record, in a secure manner, all activities within the system? Are the audit trails reviewed periodically?
- Are policies and procedures in place to ensure that PHI has not been altered or destroyed in an unauthorized manner?
- Are electronic mechanisms (e.g., checksums, message authentication codes or digital signatures) employed to corroborate that PHI has not been altered or destroyed in an unauthorized manner?
- If PHI is transmitted outside of the responsible entity (e.g., via the internet), is the data transmitted in such a way as to prevent unauthorized access (via TLS, formerly SSL, or a similar protocol)?
- Are the TLS certificates on servers involved in managing PHI current, and issued by a recognized certificate authority rather than self-signed?
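The two integrity items above ask for an electronic mechanism that corroborates PHI has been neither altered nor destroyed. The following is an added example written for this checklist, not code from the page's author or from any product, showing one such mechanism: a keyed hash (HMAC-SHA256) over each record detects alteration, and a keyed digest over the set of record IDs detects silent deletion, which a per-record tag alone cannot. The patient records and the key are constructed for the example; in practice the key is held outside the database (a secrets manager or HSM) so that someone who can edit the data cannot also re-seal it.

```python
"""Corroborating that stored PHI records were not altered or destroyed.

Added example for the audit checklist; not part of HIPAA or of any product.
Records and key are constructed; the field names are assumptions.
"""
import hashlib
import hmac
import json

# Constructed example key. A real key is generated randomly and stored
# outside the data store, never in source code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

# Constructed, synthetic records; not real patient data.
SAMPLE_RECORDS = [
    {"id": "P-1001", "name": "Patient One", "diagnosis": "E11.9"},
    {"id": "P-1002", "name": "Patient Two", "diagnosis": "I10"},
    {"id": "P-1003", "name": "Patient Three", "diagnosis": "J45.909"},
]


def canonical(obj):
    """Stable byte encoding so that field order cannot change the tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record, key=INTEGRITY_KEY):
    """Return a copy of the record with an HMAC tag over all of its fields."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "_tag": tag}


def verify_record(sealed, key=INTEGRITY_KEY):
    """True if the record's fields still match its tag."""
    body = {k: v for k, v in sealed.items() if k != "_tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("_tag", ""))


def seal_manifest(sealed_records, key=INTEGRITY_KEY):
    """Keyed digest over the sorted record IDs: detects deleted or added records."""
    ids = sorted(r["id"] for r in sealed_records)
    return hmac.new(key, canonical(ids), hashlib.sha256).hexdigest()


def audit(sealed_records, manifest_tag, key=INTEGRITY_KEY):
    """Findings an auditor would record: altered record IDs and whether the
    set of records (not just their contents) is still the sealed set."""
    tampered = [r["id"] for r in sealed_records if not verify_record(r, key)]
    set_intact = hmac.compare_digest(seal_manifest(sealed_records, key), manifest_tag)
    return {"tampered": tampered, "record_set_intact": set_intact}


if __name__ == "__main__":
    sealed = [seal_record(r) for r in SAMPLE_RECORDS]
    manifest = seal_manifest(sealed)
    print("clean store:", audit(sealed, manifest))

    # Unauthorized alteration of one record's contents.
    altered = [dict(r) for r in sealed]
    altered[1]["diagnosis"] = "Z00.00"
    print("altered record:", audit(altered, manifest))

    # Unauthorized destruction: a record has disappeared.
    print("deleted record:", audit(sealed[:2], manifest))
```

The tag binds the record ID to its contents, so swapping tags between records is also caught. The manifest must be re-sealed whenever a record is legitimately added or removed, and that re-sealing step is itself an event the audit trail should record.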
Business associate contracts
- Are business associates required contractually to adhere to the regulations with regard to PHI they maintain?
- Do business associate agreements exist with third party data/application hosting services?
- Do business associate agreements extend, contractually, to agents/subcontractors?
- Is it clear within the terms of the business associate agreements that the business associate must report any breaches or security incidents without unreasonable delay?
- Is it clear within the terms of the business associate agreements that the relationship can be terminated if the associate fails to comply with the requirements of the regulations?
- Do records exist of audits and other reviews of business associates? If breaches or violations of the regulation have occurred, have appropriate actions been taken, up to and including termination of the agreement?
Policies, Procedures and Documentation
- Are the procedures required by the regulations maintained in written (or alternatively electronic, but signed) form?
- Are actions and activities which are required to be documented maintained in written form (or electronic alternatives)?
- Is there a retention policy regarding the policies and procedures? Does the policy require that such documents be retained for at least 6 years after either the date of their creation or the date when they were last in effect (whichever is later)?
- Does a review system exist for these policies and procedures to ensure that they are current?