Overview

Healthcare companies that store, process or transmit Electronic Protected Health Information (EPHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act extends the scope of the privacy and security protections provided by HIPAA, provides for enforcement, and broadens the potential legal liability for non-compliance. Protected Health Information (PHI) maintained or transmitted in electronic media or any other form or media includes name, telephone number, fax number, e-mail address, SSN, driver's licence number and Internet address. HIPAA requirements apply to PHI kept in electronic form, known as EPHI (Electronic Protected Health Information). The HIPAA Security Rule covers 36 implementation specifications supported by 18 HIPAA Standards that protect the confidentiality, integrity and availability of individually identifiable health information. The HIPAA requirements are organized in three security safeguard categories:
Administrative Safeguards (164.308)
o Security Management Process - 164.308(a)(1)(i)
o Assigned Security Responsibility - 164.308(a)(2)
o Workforce Security - 164.308(a)(3)(i)
o Information Access Management - 164.308(a)(4)(i)
o Security Awareness and Training - 164.308(a)(5)(i)
o Security Incident Procedures - 164.308(a)(6)(i)
o Contingency Plan - 164.308(a)(7)(i)
o Evaluation - 164.308(a)(8)
o Business Associate Contracts and Other Arrangements - 164.308(b)(1)

Physical Safeguards (164.310)
o Facility Access Controls - 164.310(a)
o Workstation Use - 164.310(b)
o Workstation Security - 164.310(c)
o Device and Media Controls - 164.310(d)

Technical Safeguards (164.312)
o Access Control - 164.312(a)(1)
o Audit Controls - 164.312(b)
o Integrity - 164.312(c)
o Person or Entity Authentication - 164.312(d)
o Transmission Security - 164.312(e)

HIPAA Compliance Program

The HIPAA Compliance Program is designed to answer the questions raised by any company that stores, processes or transmits EPHI while evaluating and selecting products to support the HIPAA requirements. This Compliance Program provides validated evidence about a product's features and capabilities to support the HIPAA requirements. HIPAA Compliance Testing and analysis cover several aspects of the product, including:
o Compliance Effectiveness
HIPAA Compliance Testing criteria

HIPAA Compliance Testing is conducted by trained analysts against the HIPAA Compliance Program criteria, as well as against Compliance Labs' functional and quality assurance requirements. The HIPAA Compliance Program criteria rely on the intent of the NIST SP 800-66 requirements as seen from the auditors' perspective, on companies' needs, and on queries from numerous specialists, including vendors of affected products, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Reports of Compliance, and also documents the product components submitted by the vendor and the configuration of the product evaluated.

Continuous evaluation process

Compliance Labs has developed the continuous compliance testing process as a fundamental aspect of the HIPAA Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria to drive product compliance effectiveness and quality over the long term.