The Title II checklist
Title II is primarily concerned with secure storage, processing, transfer, and access to ePHI and other electronic health care transactions. It is divided into five sub-sections:
1. National Provider Identifier
2. Transactions and Code Sets
3. Standards for Privacy of Individually Identifiable Health Information
4. Security Standards for the Protection of Electronic Protected Health Information
5. HIPAA Enforcement Rule
Sections two through four contain the bulk of the technical and administrative safeguards that healthcare organizations often struggle to implement and maintain penalties for a violation are set at $50,000, and max out at $1.5 million annually. These technical and administrative safeguards include:
- Access control: All users must be given a unique username and password, and organizations must establish procedures that govern the access of ePHI as needed.
- Authentication: Electronic controls must be in place to verify that health information has not been illicitly altered or destroyed.
- Encryption and decryption: Messages sent beyond internal firewalls must be encrypted according to NIST standards, and decrypted when the message is received.
- Activity audit controls: Attempted access to ePHI must be logged, and any interaction with data during that access must be recorded.
- Automatic logoff: Once a certain amount of time elapses, authorized personnel must be automatically logged off unattended devices used to access or transmit ePHI.
- Procedures for mobile devices: This physical safeguard mandates the implementation of procedures to clear ePHI from lost or stolen devices (for instance, through the use of mobile device management tools).
- Risk assessments: Security officers must identify any areas where ePHI is in use and identify all ways in which that ePHI could be breached in a formal risk assessment.
- Risk management policy: Risk assessments are to be carried out regularly to identify and keep track of measures in place to manage risks.
- Employee security training: Formal, well-documented training sessions must review policies and procedures pertaining to ePHI, and the identification of malware.
- Contingency plans: A formal contingency plan must be created with the aim of facilitating uptime for critical processes and protecting ePHI during an incident.
- Contingency plan testing: Said plan must be tested periodically to assess the criticality of certain applications, and test backups of lost ePHI in an emergency event.
- Restricting third-party access: Unauthorized third parties (parent organizations, unauthorized vendors) must be barred from ePHI access.
- Reporting security incidents: There must be a framework to report security incidents (not necessarily breaches), and all employees should know how and when to report an incident, so as to take actions to prevent future breaches related to incidents.
Streamlining compliance management
Complying with HIPAA’s technical and administrative rules requires complete visibility into all information systems. Achieving this calls for a security operation center staffed with dedicated security engineers, who can not only establish baseline security configurations that comply with HIPAA but can also monitor your network around the clock for noncompliant or suspicious behavior.
A security operations center can be built and managed in-house, but outsourced alternatives are often far more affordable and just as effective. Either way, organizations need effective security operations in some capacity, both as a means for ensuring HIPAA compliance in a streamlined manner and for enhancing their overall security posture.