HIPAA Requirements: Complete Guide to Healthcare Data Protection

You must implement policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting a thorough risk analysis and implementing a risk management program to reduce risks to a reasonable level.

You must designate a security official responsible for developing and implementing security policies. This person is accountable for your organization HIPAA security compliance.

You must have policies ensuring that workforce members have appropriate access to ePHI based on their role, and that access is terminated when employment ends. This includes authorization, supervision, and clearance procedures.

You must implement policies for authorizing access to ePHI. This includes procedures for granting access based on need-to-know, access establishment, and access modification when roles change.

You must implement a security awareness and training program for all workforce members. This includes training on malicious software protection, login monitoring, and password management.

You must have formal procedures to identify, report, and respond to security incidents. This includes documenting incidents, their outcomes, and remediation actions taken.

You must establish policies for responding to emergencies or disasters that damage systems containing ePHI. This includes data backup plans, disaster recovery plans, and emergency mode operation plans, all of which must be tested regularly.

You must have written contracts (Business Associate Agreements) with any third party that creates, receives, maintains, or transmits ePHI on your behalf. The BAA must specify how the associate will safeguard ePHI.

You must limit physical access to your facilities while ensuring authorized access is allowed. This includes contingency operations procedures, facility security plans, access control and validation, and maintenance records.

You must specify the proper functions, manner of use, and physical attributes of workstations that access ePHI. This includes policies about where and how workstations can be used.

You must have policies governing the receipt, removal, disposal, and reuse of electronic media containing ePHI. This includes secure disposal procedures, media reuse procedures, and tracking of hardware and media movements.

You must implement technical policies to allow only authorized persons to access ePHI. This includes unique user identification, emergency access procedures, automatic logoff, and encryption/decryption of data.

You must implement hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. This means logging access, modifications, and other actions on systems with ePHI.

You must implement policies and procedures to protect ePHI from improper alteration or destruction. This includes mechanisms to authenticate ePHI and verify that data has not been altered or destroyed improperly.

You must implement technical measures to guard against unauthorized access to ePHI transmitted over electronic networks. This typically means encryption (like TLS) for all ePHI in transit.

PHI may only be used or disclosed for treatment, payment, or healthcare operations without patient authorization. Any other use requires written patient authorization. You must apply the minimum necessary standard, using only the minimum PHI needed for the purpose.

If a breach of unsecured PHI occurs, you must notify affected individuals within 60 days, HHS within 60 days (or annually for breaches affecting fewer than 500 individuals), and prominent media outlets if the breach affects more than 500 residents of a state.