IT Guy HIPAA Compliance Checklist

Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

IT Guy HIPAA Compliance Checklist

Post by Justin Shafer » Sun Feb 28, 2016 9:57 am

IT Guy HIPAA Compliance Checklist!
HIPAA Compliance! Note this list does not include all of the OTHER things a business will need to do for HIPAA, for that go here: http://hipaanews.org/checklist.htm (I would hire someone who specializes in HIPAA and Dentistry)

1. Enable BitLocker on ALL computers TPM+Pin or TPM+USB including Backup Drives.
2019 edit: https://www.zdnet.com/article/new-bitlo ... a-at-risk/
2. Enable Auditing on certain objects:
*When employees login
*The number of failed login attempts on a computer
*The last time you conducted a software update
*Who downloaded a new program, and when
*When you changed your password
*Who logged into the EHR at a certain time
*What information was accessed by the person logged in
*What protected health information (PHI) was changed and by whom
*FileSharing Auditing (Who deleted a file over a network share?)
Domain Auditing + Net ShareMonitor (use the portable version and use as a service)

3. Domain instead of a WorkGroup.

4. Up to date on Security Software and Updates. I use Kaspersky, MalwareBytes, and OpenDNS.

5. Automatic locking of screens after 30 minutes of inactivity in your Group Policies.

6. Check for Vulnerabilities. (ongoing!)
a. PMS.
b. Wireless Mice can now be vulnerable!?!?
c. Wireless Security (reaver, aircrack)
d. Use two-factor authentication for remote access.
e. Check your router for open ports and vulnerabilities.
f. Read up on security from time to time!

7. Use Standard Users if software supports it.

8. Use usernames by computername with the employee name as the "Full Name" and roaming profiles for Domain users for auditing purposes and convenience. This goes to naming convention rules. Keep account for which employees are assigned to users, especially if employees change. Use different passwords per User! Create a master password list that is not easily accessible.

Username: Operatory1
Computername: Operatory1-PC
User Full Name: Jane Doe

9. Is your server physically secure?

10. Is your email and fax compliant?

11. HIPAA Security Risk Assessment.
Check out the Security Risk Assessment Tool as well: https://www.healthit.gov/providers-prof ... sment-tool

How frequent should a Risk Assessment be performed?
http://www.hhs.gov/sites/default/files/ ... ncepdf.pdf
"Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment." I can hear every dentist nod their head to 3 years.... :lol:

12. Do you have all of your Business Associate Agreements (BAA) in order?

Have you had a breach (even small) and do you want a Breach Risk Analysis by a professional? Are you in Texas? If so I HIGHLY recommend Jeff Drummond.
http://www.jw.com/Jeffery_P_Drummond/

Still want to be in dentistry? :D
(this will be updated over time)
http://justinshafer.blogspot.com/2016/0 ... klist.html

PS. Thanks to Dissent from http://www.databreaches.net for helping me with this list.
Last edited by Justin Shafer on Fri Mar 15, 2019 6:20 am, edited 8 times in total.
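Added example, not from the original post: an elevated PowerShell script that applies the Windows-side pieces of items 1, 2 and 5 on a workstation and reports what is still out of line. It assumes the BitLocker module is available (Windows 8 / Server 2012 and later) and that the auditpol subcategory names match the English ones below.

```powershell
# Added example (not from the original post). Run as Administrator on each
# workstation, or deploy via a scheduled task, to apply and check items 1, 2 and 5.
# Assumptions: BitLocker PowerShell module present; English auditpol subcategory names.

# Item 2: audit logons, failed logons, lockouts, account changes and share activity.
# "Who deleted a file over a share" lands in File System / Detailed File Share once
# a SACL is set on the shared folder itself.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout',
    'User Account Management', 'Audit Policy Change',
    'File Share', 'Detailed File Share', 'File System'
)
foreach ($sub in $subcategories) {
    # Enable both success and failure auditing for each subcategory.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Item 5: lock the screen after 30 minutes (1800 s) of inactivity and require a
# password on resume. These are the per-user registry values behind the screen-saver
# settings; in a domain, set the equivalent Group Policy (User Configuration >
# Administrative Templates > Control Panel > Personalization) so users cannot undo it.
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'      -Value "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value '1800'
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'

# Item 1: report every volume, flagging any that is unprotected or protected by
# TPM alone (the post calls for TPM+PIN or TPM+USB startup key).
$acceptable = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ', ')
        Compliant  = ($vol.ProtectionStatus -eq 'On') -and
                     [bool]($types | Where-Object { $_ -in $acceptable })
    }
}
$report | Format-Table -AutoSize
```

Run it once to apply the settings, then keep the BitLocker report as evidence for the risk assessment in item 11.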

KevinRossen
Posts: 293
Joined: Mon Apr 22, 2013 8:49 am
Location: Dallas, TX

Re: IT Guy HIPAA Compliance Checklist

Post by KevinRossen » Mon Feb 29, 2016 2:48 pm

Glad to see you actively contributing here, Justin. I know you've had a strange few years with online dental forums. Thanks for this resource. It's very helpful. One suggestion I have is cleaning up item 3 to match your suggestion on 9. Maybe merge those two suggestions into one?
Kevin Rossen
Office Manager, Rossen Dental
Founder, DivergentDental.com

Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: IT Guy HIPAA Compliance Checklist

Post by Justin Shafer » Mon Feb 29, 2016 4:47 pm

Thanks Kevin! Updated! I just want EVERYONE to be REALLY sure to make them different. We still need to grab a bite to eat, I can tell you the story that brought about this post. :lol:

"DentalTown".... It isn't the first time I stopped posting; the last time, I made a new dental forum. http://web.archive.org/web/200605280157 ... /index.php? :D

babysilvertooth
Posts: 129
Joined: Sat Jun 12, 2010 3:18 pm

Re: IT Guy HIPAA Compliance Checklist

Post by babysilvertooth » Mon Apr 11, 2016 1:01 pm

Quick question. Regular email does not have to be HIPAA compliant, just ePHI stuff, correct?
Do I have to have my email host sign a BAA? I use a separate service for ePHI stuff to patients and referrals.
