HIPAACYBERSECURITY

CHEAT SHEET

HIPAA

Continue reading on next page >

CRAIG PETERSØN.COM

HIP

AA

CY

BER

SECU

RIT

Y C

HEA

T S

HEE

T17

Compliance with HIPAA

1

2

© 2019 Craig Peterson. All Rights Reserved.

that it is stored securely, and usedcorrectly. HIPAA does severalimportant things. It reduces health careabuse and fraud and sets securitystandards for electronic billing ofhealthcare. It also does the same forthe storage of patients’ healthcareinformation. The Act mandates theprotection and handling of medicaldata, ensuring that healthcare data iskept private.

company’s reputation, and you could besubject to disciplinary action and strict violationfines and penalties by CMS/OCR. Organizationsthat fail to implement adequate systems cansuffer significant damage. The remediation andpenalties are substantial If a breach takesplace.

HIPAA compliance guidelinesare incredibly essential.Failure to comply can putpatients’ health informationat risk. Breaches can have adisastrous impact on a

It applies to three types ofcompanies: providers, supply

chain (contractors, vendors, etc.)and now service providers (such

as data centers and cloud servicesproviders). All health plans and

HIPAA Privacy Rule 3

healthcare clearinghouses must be HIPAAcompliant. These rules also apply to healthcare

providers who conduct electronic health-relatedtransactions. The Privacy Rule requires that

providers put safeguards in place to protect theirpatients’ privacy. The safeguards must shield theirPHI. The HIPAA Privacy Rule also sets limits on the

disclosure of ePHI.

HIPAA compliance isa must. HIPAAguidelines protectpatients’ healthinformation, ensuring

HIPAA Security Rule (con't.)

Continue reading on next page >

CRAIG PETERSØN.COM

© 2019 Craig Peterson. All Rights Reserved.

4

(CONTINUED)

Technical Safeguards:In the HIPAA Security Rule there are fourcategories in the technical safeguards.

First is access control. These controls aredesigned to limit access to ePHI. Onlyauthorized persons may access confidentialinformation.Second is audit control. Covered entities mustuse hardware, software, and procedures torecord ePHI. Audit controls also ensure thatthey are monitoring access and activity in allsystems that use ePHI.Third are integrity controls. Entities must haveprocedures in place to make sure that ePHI isnot destroyed or altered improperly. Thesemust include electronic measures to confirmcompliance.Lastly, there must be transmission security.Covered entities must protect ePHI wheneverthey transmit or receive it over an electronicnetwork.

The safeguards of the HIPAASecurity Rule are broken downinto three main sections. Theseinclude technical, physical, andadministrative safeguards.

4 HIPAA Security RuleAdministrative

Safeguards: In the HIPAA Security Rulethere are five categories in

the Administrativesafeguards.

HIPAACYBERSECURITY CHEAT SHEET

cover the facilities where data is stored, and thedevices used to access them. Access must belimited to authorized personnel. Workstation anddevice security are also essential. The removal,transfer, destruction, or re-use of such devicesmust be processed in a way that protects ePHI.

Physical Safeguards:

First, there must be a securitymanagement process. The coveredentity must identify all potentialsecurity risks to ePHI. It must analyzethem. Then, it must implementsecurity measures to reduce the risksto an appropriate level.Second, there must be securitypersonnel in place. Covered entitiesmust have a designated securityofficial. The official’s job is to developand implement HIPAA-related securitypolicies and procedures.Third, covered entities must have aninformation access managementsystem. The Privacy Rule limits theuses and disclosures of ePHI. Coveredentities must put procedures in placethat restrict access to ePHI to when itis appropriate based on the user’srole.Fourth, covered entities must provideworkforce training and management.They must authorize and superviseany employees who work with ePHI.

Requires that all coveredorganizations implementphysical safeguards to protectePHI. The physical safeguards

(CONTINUED)

CRAIG PETERSØN.COM

These employees must get training in theentity’s security policies. Likewise, the entitymust sanction employees who violate thesepolicies.

Fifth, there must be an evaluation systemin place. Covered entities mustperiodically assess their security policiesand procedures.

© 2019 Craig Peterson. All Rights Reserved.

4 HIPAA Security Rule (con't.)

HIPAACYBERSECURITY CHEAT SHEET

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, eitherexpress or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Weare not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information isobtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, we make no claim,

promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-dateinformation, or errors. We make no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of

any information contained in this document.If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.