IMPORTANT NOTE: The example below is just an example and is at about 95% completion. Prior to posting to a client's Basecamp Message Board, you will want to ensure all links and content are appropriate for your client (including client name + acronym) and also get final approval from CR prior to posting this as a client-facing post. Lastly, there are many other previous HIPAA post examples that can be used for finding appropriate links, e.g. ABS, DERM, ROW, etc.
This note should be posted to the client's Basecamp Message Board prior to Go-Live, as we approach it. I recommend posting it before, or as a follow-up to, the AccountableHQ, Azure Hosting, and HIPAA HITRUST Security and Environment Hardening Meeting/Working Session with the client.
Subject Line for Basecamp Post: HIPAA Go-Live Notes & Checklist
Message:
"Hello Jeff and Team,
Here are the critical recommendations and suggestions for HIPAA compliance that I mentioned in our go-live acknowledgement note. We'll want to work through them with you so that, as the business thrives, we continue to stay HIPAA compliant. (Note: many of these items are already complete, but they are listed here for your confirmation and reference. If you are comfortable with it, we'd plan to engage with you in an ongoing HIPAA review; we typically recommend a monthly cadence of working sessions with you and your team to ensure everything stays in good shape well into the future.)
Use an interactive tool to track compliance. We'll be using AccountableHQ to track and maintain compliance with key HIPAA principles prior to launch and regularly after launch:
NOTE: This tool covers HIPAA and compliance in much more detail than this brief document, and completing its items will establish a record of your compliance. It is critical that you use one of these services to ensure a complete audit!
Maintain a document detailing the nature of any known electronic Personal Health Information (ePHI), including where it is stored, who can access it, how it is secured/encrypted, how it can be permanently deleted, and how it can be restored in the event of a critical failure or data loss.
Potential ePHI for this system (not exhaustive):
- Usernames and passwords that would give access to online data
- Phone numbers and addresses
- Email addresses
- Names and any other identifying information or descriptions of individuals (including any data sent via email)
- Insurance information
- Appointment history and schedules
- Online communications with healthcare professionals
- Online communications about personal health with any other users in the system
- Feedback form submissions
- Activity logs and any user tracking information
Verify that everyone is required to have a strong, secure password.
Verify that users are automatically logged out after an appropriate length of time and that "remember login" settings are disabled.
It's strongly recommended that some form of multi-factor authentication is set up for this site. Resources.
Audit CMS vulnerabilities, apply updates as needed, and assign someone to monitor future security bulletins.
If you would like more details about securing the CMS within WordPress, we're happy to provide support and additional information here.
- Verify that file permissions are set appropriately and that Application Identity, MS SQL, RDP and Windows users are all secured properly using industry-standard best practices.
- Configure automated updates as appropriate to keep OS software up to date and secure.
- Install virus/malware/ransomware scanning applications as appropriate and keep them up to date.
- Configure/activate a Web Application Firewall (AWS, Cloudflare, etc.) to protect vulnerable ports and limit access.
- Verify TLS configuration for secure transmission of data using the latest stable protocol (1.2).
- It's recommended that you use a tool to scan the server/website for vulnerabilities and that you review these reports on a regular basis. Example services:
- Add appropriate DNS/DDoS/firewall protection. Example services:
- Add appropriate uptime monitoring to make sure that users can always access their data. Example services:
- Run quarterly (or more often) QSA scans for PCI DSS compliance and resolve any issues. Example services:
- Verify that all ePHI data and credentials that are used to access that data are encrypted both in transit and at rest.
- Verify that all backups and archives are stored securely and can only be accessed/restored by authorized personnel.
- Verify that all user passwords and email addresses are stored within the database using industry best practices.
- Verify that methods to change passwords or access decryption tools are secured appropriately and only accessible to authorized users.
- Verify that all files and data are regularly backed up and archived, and that backups are stored in a secure fashion.
- Verify that you have a documented plan to rapidly restore backups in the event of a critical failure or emergency.
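The three account-level items above (a strong password for everyone, automatic logout with "remember login" disabled, and passwords stored using industry best practice) are easy to state and easy to get subtly wrong. The following is an added example, not code from the original post or from the client's site: it shows a password policy check, salted PBKDF2 storage with constant-time verification, and a server-side idle timeout. The threshold values, the sample deny-list and the function names are assumptions for illustration.

```python
"""Added example, not part of the original checklist: a password policy check,
salted PBKDF2 password storage with constant-time verification, and a
server-side idle timeout for sessions.  Threshold values are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

MIN_PASSWORD_LENGTH = 12            # assumed policy value
PBKDF2_ITERATIONS = 600_000         # work factor for PBKDF2-HMAC-SHA256 (raise as hardware improves)
IDLE_TIMEOUT_SECONDS = 15 * 60      # assumed: log users out after 15 minutes without activity
# Constructed sample deny-list; a real deployment uses a large breached-password list.
COMMON_PASSWORDS = {"password1234", "welcome12345", "letmein12345"}


def password_policy_violations(password: str) -> List[str]:
    """Return every rule the candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the string to store in the database: algorithm, work factor, salt and digest.
    The plaintext password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: treat as a failed login
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not short-circuit, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class Session:
    """Server-side session state; the browser only ever holds the opaque token."""

    def __init__(self, username: str, now: float):
        self.username = username
        self.token: Optional[str] = secrets.token_urlsafe(32)   # 256-bit random session id
        self.last_activity = now


def touch_session(session: Session, now: float) -> bool:
    """Call on every request.  Returns True and extends the session while it is live;
    returns False and invalidates it once the idle limit has passed."""
    if session.token is None:
        return False
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.token = None          # invalidated server side: a replayed cookie is now useless
        return False
    session.last_activity = now
    return True


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor-Horse-Staple")
    print(record)
    print("login ok:", verify_password("Tr0ub4dor-Horse-Staple", record))
```

The timeout is enforced on the server, not by a cookie expiry the browser could ignore, and the stored record carries its own work factor so old hashes can be upgraded on next login when the iteration count is raised.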
Verify that any interaction with sensitive data is logged and that these logs are retained.
Examples (not exhaustive):
- A user logs into the getmystride.com website
- A user views online communications (forum or chat)
- A user views appointment history for themselves or another individual (their own schedule and the team's schedule)
- Anyone logs into or accesses files or data directly on the file or SQL server
- A user submits changes to their insurance or account information
- Failed login attempts and password changes
- Server or CMS updates are applied
- Server and CMS errors are encountered
- Be sure that only qualified and approved users have access to administrative, BT, and BCBA accounts, and limit access to any accounts that can view others' schedules and communications.
- Be sure that only approved users have access to the server and that any server access is secured appropriately by firewall, VPN, and/or other means.
- Verify that any DERM employees/partners are instructed not to download or save any information from the website locally (by taking screenshots, copy-pasting, creating locally stored notes, creating screencasts, or by any other means).
- Verify that any DERM users are instructed to know the signs of malicious or unapproved activity and that they know how, and to whom, to report it.
- Verify that all DERM employees know the signs of a data breach and know how to report it.
- Verify that all DERM users understand and use best practices when storing passwords and usernames.
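Two of the items above belong together in code: every interaction with sensitive data must be logged and the logs retained, and only approved roles may view other people's schedules and communications. The following is an added example, not the project's code: a role-based check for schedule access whose every decision (allowed or denied) is appended to a hash-chained audit log that can later be verified for tampering, which is also the "audit controls" and "authenticate ePHI" point made in the Security Rule summary further down. The role names BT and BCBA come from the checklist; the "admin" and "client" roles, the scope rules, the assignment data and the function names are assumptions.

```python
"""Added example, not the project's code: role-based checks for who may view
another person's schedule, with every decision appended to a hash-chained audit
log that can later be checked for tampering.  Role names BT and BCBA come from
the checklist; the other roles, scope rules and assignment data are assumed."""
import hashlib
import json
from typing import Dict, List

# Scope each role may read: "any" record, only "assigned" clients, or only "self".
ROLE_SCOPE = {"admin": "any", "bcba": "any", "bt": "assigned", "client": "self"}

# Constructed sample data: which clients each BT is assigned to.
ASSIGNMENTS = {"bt-amy": {"client-17", "client-22"}}


def is_authorized(actor: str, role: str, target: str) -> bool:
    """Decide whether `actor` (holding `role`) may read `target`'s schedule."""
    scope = ROLE_SCOPE.get(role)            # unknown role -> no scope -> deny
    if scope == "any":
        return True
    if scope == "self":
        return actor == target
    if scope == "assigned":
        return actor == target or target in ASSIGNMENTS.get(actor, set())
    return False


class AuditLog:
    """Append-only log in which each record carries the hash of the previous one,
    so editing or deleting an earlier record breaks every later hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[Dict] = []

    @staticmethod
    def _digest(body: Dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def append(self, ts: str, actor: str, action: str, target: str, outcome: str, ip: str) -> Dict:
        body = {"ts": ts, "actor": actor, "action": action, "target": target,
                "outcome": outcome, "ip": ip,
                "prev": self.records[-1]["hash"] if self.records else self.GENESIS}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad record."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return -1


def request_schedule(log: AuditLog, ts: str, actor: str, role: str, target: str, ip: str) -> bool:
    """Authorization check for a schedule view; allowed and denied attempts are both logged."""
    allowed = is_authorized(actor, role, target)
    log.append(ts, actor, "view_schedule", target, "allowed" if allowed else "denied", ip)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    request_schedule(log, "2024-05-01T09:00:00Z", "bt-amy", "bt", "client-31", "203.0.113.5")
    for rec in log.records:
        print(json.dumps(rec))
    print("chain intact:", log.verify() == -1)
```

Denied attempts are logged as deliberately as allowed ones, since a run of denials against other people's schedules is exactly the "signs of malicious or unapproved activity" staff are asked to recognise. The chain detects edits and deletions of earlier records but not removal of the newest ones, so periodically copy the latest hash to separate append-only storage and retain the log for the period your policy requires.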
Roles and Responsibilities
- Maintain an up-to-date list of all users/employees who have the ability to view or change ePHI.
- Appoint an individual to be in charge of reviewing and maintaining HIPAA compliance, including regular audits for new issues or failure to follow documented guidelines and procedures.
- Keep a log of all third parties, partners and contractors who may have access to or be exposed to ePHI. Be sure business agreements are signed and logged where appropriate.
- Set up Business Associate Agreements (BAAs) with AWS, Clarity and any other relevant service providers or vendors.
- Make sure all users are aware of what information is being stored, how it will be used, and who can access it.
- Be sure that all users are informed of how they can request that their information be fully removed from the system, and document a mechanism for developers to comply with this request.
- Discourage users from storing any potential ePHI insecurely or from posting ePHI in areas where it is not appropriate.
- Monitor user behavior for inappropriate sharing of PHI and document a procedure to identify and expunge any data that could be at risk.
Maintenance and Monitoring
- Periodically perform a HIPAA compliance audit.
- Train all new employees on appropriate handling of ePHI and log training activities.
- Archive (securely) all server and CMS logs.
- Regularly review the server and CMS for updates, patches or new best practices.
- Periodically retrain employees on best practices for handling ePHI.
- Remove data and users that are no longer needed.
- Log all maintenance and monitoring history and activity.
There is no official litmus or pass/fail test for HIPAA compliance from the HHS.
The law (noting that we encourage you to review this with your legal counsel for your business) is interpreted by many to require "industry best practices" based on the size of your organization and the perceived risk. (These are vague standards, so the HHS provides more detail on this matter.)
- Encrypt everything, both during data transmission (SSL) and when it is stored (encrypted databases).
- Automate backups and secure them safely.
- Authorize users by having secure logins for all data. Make sure that data, whether it is in storage or accessed through an application, is protected in such a way that only authorized users can access it. (Everyone must have a unique username and strong password, they must log in to access any PHI in any form, they are automatically logged out after a period of inactivity, etc.)
- Track everything and attribute any changes made to specific users. By knowing who made what changes we can verify that the data is being appropriately handled and is authentic.
- Permanently delete data by building into your application an accessible way to remove data that is no longer needed, without a trace.
- Make sure that any web hosts are HIPAA-compliant and that you have a Business Associate Agreement with them. (See key terms.)
COMPONENTS OF HIPAA
This is just the short version; for more detail please see the resources section.
Four HIPAA Rules
- Privacy Rule
- Security Rule
- Enforcement Rule
- Breach Notification Rule
For our web development project, we are primarily concerned with the security rule for which there are three sections:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es
These rules are the ones your web developer will work most closely with you on satisfying, and they have a meaningful impact on how your web applications will be developed and configured.
Access Control

- Everyone needs a unique user name or id so they can log in securely and their behavior can be tracked and logged.
- There must be a way to access data in the event of an emergency.
- Users must be automatically logged off after a period of time.
- Make sure that users are authentic, i.e. that they are who they say they are, by enforcing strong passwords, private usernames, password recovery procedures, multi-factor authentication and other relevant mechanisms.
- Encrypt (and decrypt) all data.
Data Transmission

- Integrity Controls - If this information will be shared, make sure that it will remain accurate and unchanged (or detect and log any changes) during transmission.
- Encryption - encrypt all data during transmission (SSL or other mechanisms).
Audit Data and Verify its integrity

- Audit Controls - Track all activity, who is accessing the data and what changes are they making.
- Authenticate ePHI - We need confidence that no one has improperly changed or removed your data.
These rules can be satisfied by your organization in consultation with your web developers and web hosts. The precise nature of these policies may impact web development decisions.
- Facility access controls must be implemented (addressable) (Contingency operations, facility security plan, access control and validation, maintenance records)
- Policies relating to workstation security (required) (access to machines and policies on how they are to be used)
- Policies and procedures for mobile devices (required) (mobile devices have some special considerations, what if they are lost or stolen etc?)
- Inventory of hardware (addressable)
If your business is already handling HIPAA data you most likely already have plans and policies to address all these measures. Your web developer can help assess whether they need to be supplemented or modified to address your new application.
- Conducting risk assessments (required)
- Introducing a risk management policy (required)
- Training employees to be secure (addressable)
- Developing a contingency plan (required)
- Testing of contingency plan (addressable)
- Restricting third-party access (required)
- Reporting security incidents (addressable)
_____________________
https://www.accountablehq.com/

https://www.hipaajournal.com/hipaa-compliance-tool/
https://www.capterra.com/hipaa-compliance-software/
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool