HIPAA Compliance Checklist for Password Security
As an IT service provider, there’s no doubt you’ve been hearing a lot about HIPAA compliance—especially if any of your clients are “covered entities” (CEs: healthcare providers, plans, or clearinghouses) or businesses that deal with ePHI (electronic protected health information). If you have access to a covered entity’s data and/or network—even if you just manage their system and never actually access the information—you’re considered a “business associate” (BA), and are therefore required to comply with the regulations of the Health Insurance Portability and Accountability Act (HIPAA). In the event of a security breach or compromised password, you could be held liable.
So the question is, what does it mean to be HIPAA compliant, in terms of password and authentication security?
Here’s my breakdown of what to go over with any client that handles ePHI in any way:
Security Management Process
Policies and procedures must be put into place to prevent and handle security violations. Ask your clients:
- Have you completed a risk analysis?
- Have penalties for employees who violate security procedures been established?
- Are employees aware of the penalties they will face if they violate security rules?
- Are procedures in place to regularly monitor and review security records like audit logs and access reports?
- Have you identified the security official who will be responsible for the creation and implementation of a smart security and password policy?
This is an important one. Having a point-person in charge of all things password security-related makes it much easier to establish strong processes.
Workforce Security
Ensure that those who need to access ePHI can, and prevent those who don’t have permission from accessing it. Ask your clients:
- Have you implemented processes and procedures for the authorization (or supervision) of users accessing ePHI?
- Are there processes in place to determine if a user’s access to ePHI is necessary/appropriate?
- When an employee is terminated or separated from the business, is he or she blocked from ePHI?
This is another important point. Many businesses have weak practices in this area.
Security Awareness and Training
A security training and awareness program must be put into place for all employees, including management. Ask your clients:
- Are employees regularly reminded about security concerns?
- Have there been any meetings about the importance of password and software security?
- Are employees aware of how to deal with and report any malicious software?
- Are there procedures in place for regularly reviewing login attempts, watching out for any discrepancies or outstanding issues?
- Do you have procedures in place for creating, changing, and safeguarding passwords?
This is one of the most important points for MSPs, and a password management system can automate these password-related tasks.
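The checklist item about regularly reviewing login attempts is easier to hand to a client when it is concrete. The script below is an added illustration, not code from the original post or from any product: it parses a few constructed OpenSSH-style authentication log lines (the hostnames, usernames and addresses are made up) and raises the three discrepancies a reviewer would look for first: a run of failed passwords followed by a success from the same source, a successful login outside the assumed business hours, and a source address that exceeds a failure threshold. The thresholds and the 08:00–18:00 window are assumptions to be tuned per client.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from a real system): one normal login, a burst of
# failures for "dlee" that ends in a success, one failure for a non-existent user,
# and a late-night login for "jsmith".
SAMPLE_LOG = """\
Jan 10 08:01:12 ehr01 sshd[1201]: Accepted password for jsmith from 203.0.113.5 port 51000 ssh2
Jan 10 08:03:40 ehr01 sshd[1212]: Failed password for dlee from 198.51.100.7 port 40222 ssh2
Jan 10 08:03:41 ehr01 sshd[1212]: Failed password for dlee from 198.51.100.7 port 40222 ssh2
Jan 10 08:03:43 ehr01 sshd[1212]: Failed password for dlee from 198.51.100.7 port 40222 ssh2
Jan 10 08:03:44 ehr01 sshd[1212]: Failed password for dlee from 198.51.100.7 port 40222 ssh2
Jan 10 08:03:46 ehr01 sshd[1212]: Failed password for dlee from 198.51.100.7 port 40222 ssh2
Jan 10 08:03:50 ehr01 sshd[1213]: Accepted password for dlee from 198.51.100.7 port 40223 ssh2
Jan 10 09:15:00 ehr01 sshd[1250]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Jan 10 23:14:02 ehr01 sshd[1390]: Accepted password for jsmith from 192.0.2.44 port 53010 ssh2
"""

# Matches the "Accepted password" / "Failed password" lines sshd writes to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; within one file relative order is what matters.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"time": ts, "ok": m.group("result") == "Accepted",
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def review_auth_log(text, burst_failures=3, burst_seconds=300,
                    fail_threshold=5, business_hours=(8, 18)):
    """Return a list of findings, each a dict with a 'kind', the subject and a detail string."""
    findings = []
    failures_by_ip = defaultdict(int)
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failures not yet "spent"

    for ev in parse_events(text):
        key = (ev["user"], ev["ip"])
        if not ev["ok"]:
            failures_by_ip[ev["ip"]] += 1
            recent_failures[key].append(ev["time"])
            continue

        # A success right after repeated failures from the same source is the
        # pattern a guessed or sprayed password leaves behind.
        window = [t for t in recent_failures[key]
                  if (ev["time"] - t).total_seconds() <= burst_seconds]
        if len(window) >= burst_failures:
            findings.append({"kind": "guess_then_success", "user": ev["user"], "ip": ev["ip"],
                             "detail": f"{len(window)} failures within {burst_seconds}s before success"})
        recent_failures[key].clear()

        start, end = business_hours
        if not (start <= ev["time"].hour < end):
            findings.append({"kind": "after_hours_login", "user": ev["user"], "ip": ev["ip"],
                             "detail": f"login at {ev['time'].strftime('%H:%M')}"})

    # Sources with many failures overall, regardless of which accounts they tried.
    for ip, n in failures_by_ip.items():
        if n >= fail_threshold:
            findings.append({"kind": "excessive_failures", "user": None, "ip": ip,
                             "detail": f"{n} failed logins"})
    return findings


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_LOG):
        print(f"{f['kind']:<20} user={f['user']} ip={f['ip']} ({f['detail']})")
```

Run against real logs, the same three checks feed the "discrepancies or outstanding issues" column of the review record the checklist asks for; what changes per client is the source of the lines (syslog, Windows Security log, an IdP export) and the parser in front of `review_auth_log`.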
Security Incident Procedures
Implement policies and procedures to address and document security incidents. Ask your clients:
- Does each and every user know what to do in the event of a security issue or incident?
- How are you documenting, tracking, and addressing any security issues or incidents?
Contingency Plan
Establish a plan for protecting and accessing ePHI in the event of an emergency or disaster. Ask your clients:
- Can exact copies of ePHI documents be created or retrieved?
- Can electronic ePHI data be restored?
- If your business goes into “emergency mode,” will your ePHI data be protected?
- Will you be able to carry out critical business functions relating to ePHI?
- Has your emergency plan been tested and revised as needed?
- Have you analyzed the different applications and data needed to support your emergency plan?
- In the event of a disaster, would those supporting applications and data still be available to you?
Business Associate Contracts
Business associate contracts are important for IT service providers. Although you don’t need to sign a contract to be liable in terms of HIPAA compliance, spelling out your agreed-upon duties can provide some protection in the event of an investigation, audit, or breach.
Physical and Technical Safeguards
Procedures should be established to limit physical access to facilities and equipment that house ePHI data. Just as important, procedures must be in place to ensure that ePHI is accessible to employees who have permission.
There’s a lot to go over here. Perhaps the most important rule of thumb, from an IT perspective, is that access to applications and data that contain ePHI should be limited only to authorized users.
One option to discuss with your client is multi-factor authentication (MFA or two-factor authentication). With MFA, users log in not only with a password, but also with an additional security factor like a fingerprint scan or one-time use code from a secure mobile app. Because of its enhanced security, MFA allows businesses to explore advanced security solutions like single sign-on (SSO). For many CEs and other businesses that must comply with HIPAA regulations, security solutions like multi-factor authentication and single sign-on are exactly what they’ve been looking for.