HealthLawProf Blog

Editor: Katharine Van Tassel
Concordia University School of Law

Tuesday, April 12, 2005

Checklist for HIPAA Security Rule

As we all have learned over the past few years, there's more to HIPAA than pre-existing conditions and privacy. Now, on April 21, all but small health plans must comply with the HIPAA security rule. HealthLeaders Daily News has a helpful piece on the rule, "April 20 is Coming: A 16-Point Checklist for HIPAA Security," by Michael Doscher and Chris Davenport. Here is their checklist (minus the explanatory text for each point):

  1. Does the application create, receive, maintain or transmit electronic Protected Health Information (ePHI)? (For all applications that process ePHI in some way, the entity must pursue responses to the next 15 questions.)
  2. Is there a procedure for authorizing, establishing and modifying user access?
  3. Does the application possess unique user identification capabilities?
  4. Have unique user identification capabilities been activated?
  5. Are there generic IDs in use?
  6. Does an Emergency Access Procedure exist?
  7. Does the application facilitate automatic logoff capability?
  8. Is automatic logoff capability enabled?
  9. Is there an encryption feature for data "at rest" in databases?
  10. Is the application capable of performing audit logging?
  11. Is the audit logging function enabled?
  12. Are audit logs reviewed on a routine basis?
  13. Does the application possess person or entity authentication capabilities?
  14. Are person or entity authentication capabilities activated?
  15. Is there a method to ensure transmission integrity?
  16. Is there a capability to encrypt the transmission?
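The checklist has a structure worth noticing: question 1 gates the other fifteen, several items come in "does it have the capability / is it turned on" pairs (3/4, 7/8, 10/11, 13/14), and question 5 is the one where the desired answer is "no". The following Python evaluator is an added example (not from the HealthLeaders piece or this blog) that encodes that structure so an assessment of an application inventory surfaces the usual gaps: a control that was never present, a shipped capability nobody enabled, and generic IDs still in use. The question labels are paraphrased from the list above; the gap categories and the sample application are this example's own constructions.

```python
"""Evaluate an application's answers to the 16-point HIPAA Security checklist.

Added example. Question labels paraphrase the checklist; the gap logic
(capability present but not enabled, generic IDs in use) is this example's
own interpretation rather than part of the original article.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# "enabled" question -> the "capability" question it depends on.
CAPABILITY_PAIRS = {4: 3, 8: 7, 11: 10, 14: 13}
# Questions where the desired answer is "no": generic IDs should not exist.
DESIRED_NO = {5}
# Questions where the desired answer is simply "yes".
DESIRED_YES = {2, 3, 6, 7, 9, 10, 12, 13, 15, 16}

LABELS = {
    1: "processes ePHI", 2: "access authorization procedure",
    3: "unique user ID capability", 4: "unique user IDs activated",
    5: "generic IDs in use", 6: "emergency access procedure",
    7: "automatic logoff capability", 8: "automatic logoff enabled",
    9: "encryption at rest", 10: "audit logging capability",
    11: "audit logging enabled", 12: "audit logs reviewed routinely",
    13: "person/entity authentication capability",
    14: "person/entity authentication activated",
    15: "transmission integrity method", 16: "transmission encryption",
}


@dataclass
class Assessment:
    app: str
    in_scope: bool
    findings: List[str] = field(default_factory=list)


def assess(app: str, answers: Dict[int, bool]) -> Assessment:
    """answers maps question number (1-16) to True for 'yes', False for 'no'."""
    missing = [q for q in range(1, 17) if q not in answers]
    if 1 in missing:
        raise ValueError("question 1 must be answered before anything else")
    # Q1 gates the rest: an application that never touches ePHI is out of scope.
    if not answers[1]:
        return Assessment(app, in_scope=False)
    result = Assessment(app, in_scope=True)
    for q in missing:
        result.findings.append(f"Q{q} unanswered: {LABELS[q]}")
    for q in sorted(DESIRED_YES):
        if answers.get(q) is False:
            result.findings.append(f"Q{q} missing control: {LABELS[q]}")
    for q in sorted(DESIRED_NO):
        if answers.get(q) is True:
            result.findings.append(f"Q{q} weakness: {LABELS[q]}")
    for enabled_q, cap_q in sorted(CAPABILITY_PAIRS.items()):
        # A capability the vendor shipped but the entity never turned on is the
        # gap the checklist's paired questions are designed to surface.
        if answers.get(cap_q) is True and answers.get(enabled_q) is False:
            result.findings.append(
                f"Q{enabled_q} capability present but not enabled: "
                f"{LABELS[enabled_q]}")
    return result


def _demo() -> None:
    # Constructed sample answers for a hypothetical lab-results application.
    sample = {q: True for q in range(1, 17)}
    sample[5] = True    # generic IDs still in use
    sample[8] = False   # auto-logoff shipped but switched off
    sample[12] = False  # nobody reviews the audit logs
    for finding in assess("lab-results-portal", sample).findings:
        print(finding)


if __name__ == "__main__":
    _demo()
```

Feeding the sample above through `assess` yields three findings: the audit-log review control is missing (Q12), generic IDs are a weakness (Q5), and automatic logoff is present but not enabled (Q8). An application that answers "no" to question 1 comes back out of scope with no findings, and a missing answer is reported rather than silently treated as compliant.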

If the checklist (and accompanying explanation) still leaves you in the dark, check out the final security rule.
