Checklist: Do Your Healthcare Data Safeguards Need a Check-up?


While all companies (public, private, large and small) need to be concerned about IT security, healthcare organizations and their business associates are at especially high risk for data breaches. In fact, our recent study found that the number of individuals affected by healthcare data breaches nearly doubled from 2010 to 2011. More than 19 million people have been affected by breaches of protected health information (PHI) from the start of breach reporting to the Department of Health and Human Services in August 2009 through the end of 2011.

But how can you tell if your organization is at risk of a breach? Here’s a quick checklist of just a few of the questions you should be asking. For the full checklist and to read the study, download our free HITECH Act white paper.

  • Are laptops always stored in locked, secured areas when not in use?
  • Are all portable electronic storage devices (e.g., backup tapes, CDs, flash drives) containing PHI encrypted and password protected? (Password protection alone does not protect the data on a lost or stolen device; the contents must actually be encrypted.)
  • Are all paper documents containing PHI disposed of in locked bins and then shredded?
  • Do you have an Information Security Officer and do your employees receive HIPAA and data security training on a periodic basis?
  • Do business associates have Service Organization Control (SOC) reports available, or independent IT audits that evaluate HIPAA and HITECH Act compliance?
  • Have you performed a risk analysis to identify risks and vulnerabilities to e-PHI?

Evaluate your current data security procedures to identify vulnerabilities, and make adjustments as necessary. Pay close attention to any opportunities for theft, unauthorized access, and loss, which are the most common types of breaches. Secure all laptops, sensitive paper documents, and other media containing PHI, and implement a safe disposal process. You should also consider investing in a professional, comprehensive risk assessment to identify major weaknesses and help prevent a potentially catastrophic breach.

Please note this checklist is meant to serve as a guide in your decision making and is not a substitute for a formal risk assessment. Each covered entity and business associate should consider its own policies, technical safeguards/constraints, mitigation strategies and details specific to the organization when evaluating data security.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
