HIPAA/HITECH Compliance Checklist for Multi-User Health Kiosk
PRIVACY (Yes / No / N/A)
1. Personal Information (§164.506, §164.514) (Swanson, 2001; Watzlaf et al., 2010)
  • Is there a privacy policy?

  • Does the kiosk have a privacy screen?

  • Will user information be shared with third-party organizations?

    ○ If yes, is there a Business Associate Agreement (BAA) with this organization?

2. Retention of Personal Information
  • Is user information and e-PHI stored?

  • Is there a policy outlining the retention period of e-PHI?

  • Can users request copies of their information?

    ○ If yes, is there a well-defined procedure for requesting copies of PHI and other information?

CONFIDENTIALITY §164.522 (Swanson, 2001)
3. Request of Information
  • Is there a policy for disclosure of e-PHI or identifiable information?

SECURITY §164.308 (Swanson, 2001; Watzlaf et al., 2010; Watzlaf et al., 2011)
4. Security Management Process
  • Is there a well-written procedure or protocol for performing a thorough risk assessment?

  • How many times a year is a risk assessment performed?

    ○ 0 times per year

    ○ Once a year

    ○ Twice a year

    ○ Three times a year

    ○ More than three times a year

  • Is there a formal or informal policy or procedure to review information system activities such as audit logs, access reports, incident tracking, etc.?

  • Are current security measures sufficient to reduce risk and vulnerabilities to a reasonable level?

5. Assigned Security Responsibility
  • Do you have a security officer in charge of developing, implementing, monitoring and communicating HIPAA/HITECH security policies and procedures?

6. Workforce Security
  • Do you have documentation for authorization and supervision of all entities working with or helping to manage and maintain the kiosk?

  • Do you have clear job descriptions for all entities working with the kiosk?

  • Is there documentation listing the level of access to the system, including e-PHI for each employee?

  • Is there a clear procedure to terminate access to resources once a person is removed from the project or terminated?

7. Information Access Management
  • Is there a clear written procedure to grant access to e-PHI?

  • Do policies and standards exist to authorize and document access to, and to review and modify a user’s rights to, computer systems, software, databases and other network resources?

  • Are users going to pay to use the kiosk system?

    ○ If so, will a clearinghouse or third party be used to process payment?

      ▪ If so, are there policies and procedures for access to information by clearinghouse workers, consistent with HIPAA and HITECH security rules?

  • Are formal or informal policies and procedures in place for security measures relating to access control?

  • Is there any HIPAA and HITECH security awareness and training program in place?

  • Are there procedures and measures in place for protection from malicious software and exploitation of vulnerabilities?

  • Have employees been trained as to the importance of protecting against malicious software and how to guard against it?

  • Are there policies and procedures for log-on monitoring and password management?

  • Do security training materials target current IT security topics relevant to kiosk security?

  • How often are security procedures, policies and protocols updated?

    ○ 0 times per year

    ○ Once a year

    ○ Twice a year

    ○ Three times a year

    ○ More than three times a year

  • Are there any policies and procedures in place to identify, respond to, report and mitigate security incidents?

8. Contingency Plan
  • Is there a contingency plan in place to identify critical applications, data and other operations of the kiosk system?

  • Is there a disaster recovery and backup plan in place to restore lost data?

  • Is any redundancy built into the kiosk deployment?

  • Is there any well-defined policy for operating in emergency mode that allows continuation of critical business processes?

  • Are there any policies for testing emergency contingency plans or backup procedures?

9. Evaluation
  • Are there policies in place for evaluating the security procedures as they apply to HIPAA/HITECH security rules?

10. Business Associate (BA) Contracts
  • Is there a policy for contracts with Business Associates and other third-party vendors?

11. Physical Security
  • Are there policies in place to analyze physical security vulnerabilities of the kiosk system?

  • Are there policies in place to guard against physical security vulnerabilities and to protect kiosk hardware and components that hold e-PHI?

  • Are there procedures and policies in place to control access to kiosk hardware, systems and other components by staff, visitors, etc., where such access could compromise the kiosk system as a whole?

  • Are there maintenance records for repairs and modifications of physical components, especially those relating to security?

12. Computer Component Use
  • Is there other computer hardware, such as workstations and servers, that manages the kiosk system?

    ○ If yes, are there policies and documentation outlining the specific workstations and servers, their functions and their location?

    ○ Is there documentation, and are there procedures, to identify the specific functions of each workstation and server?

13. Workstation and Server Security
  • Is there any policy or procedure to prevent unauthorized access to an unattended workstation, or to limit the ability of unauthorized persons to access other users’ information (analyze the physical surroundings for relevant physical attributes)?

  • How are workstations and servers physically restricted to limit or restrict access to only authorized people?

14. Device and Media Controls
  • Is there any policy for monitoring and tracking the location and movement of kiosk hardware (especially containing e-PHI)?

15. Access Control
  • Is there an access control policy?

  • Is there an encryption procedure in place to protect e-PHI?

    ○ If yes, are there well-documented policies governing and outlining the encryption strategy?

  • Are there any policies to make sure all users are assigned unique access credentials, like IDs and passwords, to log on to the kiosk system?

  • Are all users assigned usernames and passwords?

  • Is there documentation of each user’s exact privileges in the kiosk system (useful to prevent privilege escalation)?

  • Are there clearly defined policies to track changes and modifications made within the kiosk system, including which users made the changes?

  • Are there any policies in place to make sure user access is reviewed on a periodic basis, and how often is that review done?

  • Is the system configured to auto-logoff after a predetermined time?

    ○ Is there any documentation and defined policy for this?

  • Are there procedures for terminating access when it is no longer needed?

16. Audit Control
  • Has any audit control been implemented?

  • Are there any audit control policies in place?

  • How often are the audit control tools and mechanisms reviewed to determine if upgrades are needed?

    ○ 0 times per year

    ○ Once a year

    ○ Twice a year

    ○ Three times a year

    ○ More than three times a year
17. Integrity
  • Who has access to information or e-PHI stored in the kiosk systems?

  • Is there a well-defined policy or procedure to identify these individuals?

18. Person or Entity Authentication
  • What kind of authentication procedure or mechanism is in place within the kiosk system?

  • Are there any policies to govern this and to evaluate the authentication mechanisms in place, assessing the strengths and weaknesses of each mechanism?

    ○ If so, does the policy also consider the cost-benefit ratio of the various types of authentication mechanisms?

  • Is there a policy to test and upgrade the authentication mechanism on a periodic basis?

19. Transmission Security
  • Is there any formal data transmission policy for the kiosk system?

  • Is there any risk assessment policy to determine the security level of the data transmission procedure in the kiosk system?

20. Breach Notification
  • Is there a formal policy for breach notification?

  • Is there a template, letter or other defined means of breach notification?

  • Does the notification policy include a procedure for notifying media outlets?

  • Does the policy also spell out notification procedures for Business Associates, if any?