all-in-one privacy solution":["Proton Unlimited es una solución de privacidad todo en uno"],"Black Friday":["Black Friday"],"No ads. Privacy by default.":["Sin publicidad. La privacidad por bandera."],"People before profits":["Nos importan las personas, no los beneficios"],"Security through transparency":["Seguridad con transparencia"],"The best Proton Mail ${ BLACK_FRIDAY } deals":["Las mejores ofertas del ${ BLACK_FRIDAY } de Proton Mail"],"The world’s only community- supported email service":["El único servicio de correo electrónico financiado la comunidad"]},"specialoffer:limited":{"${ hours } hour":["${ hours } hora","${ hours } horas"],"${ hoursLeft }, ${ minutesLeft } and ${ secondsLeft } left":["Tiempo restante: ${ hoursLeft }, ${ minutesLeft } y ${ secondsLeft }"],"${ minutes } minute":["${ minutes } minuto","${ minutes } minutos"],"${ seconds } second":["${ seconds } segundo","${ seconds } segundos"],"Limited time offer":["Oferta por tiempo limitado"]},"specialoffer:listitem":{"Create multiple addresses":["Crea varias direcciones"],"Hide-my-email aliases":["Alias de hide-my-email"],"Quickly unsubscribe from newsletters":["Date de baja rápidamente de boletines"],"Use your own domain name":["Usa tu propio nombre de dominio"]},"specialoffer:logos":{"As featured in":["Hablan de nosotros"]},"specialoffer:metadescription":{"Get an encrypted email that protects your privacy":["Apuesta por un servicio de correo electrónico cifrado que protege tu privacidad"]},"specialoffer:metatitle":{"Proton Mail Black Friday Sale - Up to 40% off":["Rebajas de Black Friday de Proton: hasta un 40 % de descuento"]},"specialoffer:newmetadescription":{"Get up to 40% off Proton Mail subscriptions this Black Friday. Find great deals on our secure end-to-end encrypted email plans.":["Contrata Proton Mail con hasta un 40 % de descuento en las rebajas de Black Friday. Encontrarás nuestros planes de correo electrónico cifrado de extremo a extremo al mejor precio."]},"specialoffer:newmetatitle":{"Proton Mail Black Friday sale | Up to 40% off secure email":["Rebajas de Black Friday en Proton Mail | Correo electrónico seguro con hasta un 40 % de descuento"]},"specialoffer:note":{"* Billed at ${ TOTAL_SUM } for the first year":["* A un precio de ${ TOTAL_SUM } durante el primer año"],"*Billed at ${ TOTAL_SUM } for the first 2 years":["*A un precio de ${ TOTAL_SUM } durante los 2 primeros años"],"30-day money-back guarantee":["Garantía de devolución de 30 días"],"Billed at ${ TOTAL_SUM } for the first 2 years":["A un precio de ${ TOTAL_SUM } durante los 2 primeros años"],"Billed at ${ TOTAL_SUM } for the first year":["A un precio de ${ TOTAL_SUM } durante el primer año"],"You save ${ SAVE_SUM }":["Ahorras ${ SAVE_SUM }"]},"specialoffer:off":{"${ PERCENT_OFF } off":["−${ PERCENT_OFF }"]},"specialoffer:testimonial":{"I love my ProtonMail":["Adoro ProtonMail"],"My favorite email service":["Mi servicio de correo electrónico favorito"],"Thanks Proton for keeping us all safe in the complicated internet universe.":["Gracias, Proton, por brindarnos protección en este mundo salvaje de Internet."],"You get what you pay for. In the case of big tech, if you pay nothing, you get used. I quit using Gmail and switched to @ProtonMail":["Dan justo lo que prometen. Si las grandes tecnológicas te ofrecen algo gratis, se aprovechan de ti, por eso dejé de usar Gmail y me pasé a @ProtonMail"]},"specialoffer:time":{"Days":["días"],"Hours":["horas"],"Min":["min"]},"specialoffer:title":{"And much more":["Y mucho más"],"Safe from trackers":["Evita los rastreadores"],"Stay organized":["Mantén el orden"],"Black Friday email deals":["Ofertas en correo electrónico del Black Friday"],"Don’t just take our word for it":["Lee testimonios de otras personas"],"Make your inbox yours":["Toma posesión de tu bandeja de entrada"],"Our story":["Nuestra historia"],"Transfer your data from Google in one click":["Transfiere tus datos de Google con un clic"]},"specialoffer:tooltip":{"Access blocked content and browse privately. Includes ${ TOTAL_VPN_SERVERS }+ servers in ${ TOTAL_VPN_COUNTRIES }+ countries, connect up to 10 devices, access worldwide streaming services, malware and ad-blocker, and more.":["Accede a contenido bloqueado y navega con privacidad. Incluye ${ TOTAL_VPN_SERVERS } servidores en más de ${ TOTAL_VPN_COUNTRIES } países. Conecta hasta 10 dispositivos, accede a servicios de streaming de todo el mundo, bloqueadores de malware y anuncios, etc."],"Easily share your calendar with your family, friends or colleagues, and view external calendars.":["Comparte tu calendario con familiares, amigos y compañeros fácilmente y consulta calendarios externos."],"Includes support for 1 custom email domain, 10 email addresses, 10 hide-my-email aliases, calendar sharing, and more.":["Incluye compatibilidad con 1 dominio de correo electrónico personalizado, 10 direcciones de correo electrónico, 10 alias de hide-my-email, posibilidad de compartir calendario, etc."],"Includes support for 3 custom email domains, 15 email addresses, unlimited hide-my-email aliases, calendar sharing, and more.":["Incluye compatibilidad con 3 dominios de correo electrónico personalizado, 15 direcciones de correo electrónico, alias ilimitados de hide-my-email, posibilidad de compartir calendario, etc."],"Manage up to 25 calendars, mobile apps, secured with end-to-end encryption, 1-click calendar import from Google, and more.":["Gestiona hasta 25 calendarios protegidos con cifrado de extremo a extremo y con opción, por ejemplo, de importar los de Google con un solo clic."]},"Status banner":{"Learn more":["Más información"],"Please note that at the moment we are experiencing issues with the ${ issues[0] } service.":["Ten presente que, en estos momentos, el servicio de ${ issues[0] } está dando problemas de funcionamiento."],"We are experiencing issues with one or more services at the moment.":["Uno o varios servicios están dando problemas de funcionamiento en estos momentos."]},"Status Banner":{"At the moment we are experiencing issues with the Proton VPN service":["Hay problemas con el servicio de Proton VPN en estos momentos"],"Learn more":["Más información"]},"steps":{"Step":["Paso"]},"suggestions":{"Suggestions":["Sugerencias"]},"Support":{"Sub category":["Subcategoría","Subcategorías"]},"Support article":{"${ readingTime } min":["${ readingTime } min","${ readingTime } min"],"Category":["Categoría","Categorías"],"Didn’t find what you were looking for?":["¿No has encontrado lo que buscabas?"],"General contact":["Contacto para consultas generales"],"Get help":["Obtener ayuda"],"Legal contact":["Contacto para cuestiones legales"],"Media contact":["Contacto para prensa y medios de comunicación"],"Partnerships contact":["Contacto para colaboraciones"],"Reading":["Lectura"]},"Support Form Platform option":{"VPN for Android TV":["VPN para Android TV"],"VPN for Apple TV":["VPN para Apple TV"],"VPN for Chromebook":["VPN para Chromebook"]},"Support troubleshooting":{"App version":["Versión de la aplicación"],"Browser":["Navegador"],"Check if this helps":["Comprueba a ver si te sirve"],"Choose a product":["Elegir producto"],"Did this solve your issue?":["¿Te ha resultado útil para resolver el problema?"],"Faster assistance is just a few clicks away":["Solo te separan unos clics de una asistencia más rápida"],"How can we help?":["¿Cómo podemos ayudarte?"],"No, contact support":["No, contactar con el equipo de asistencia"],"Please fill out one field after another":["Rellena un campo después de otro"],"Please make your selections":["Realiza tus selecciones"],"Proton account":["Cuenta de Proton"],"Proton for Business":["Proton for Business"],"Thank you for your feedback":["Gracias por tus comentarios"],"What can we help with?":["¿En qué podemos ayudarte?"],"Yes":["Sí"]},"support_modal_search_query":{"Search query":["Consulta de búsqueda"]},"support_search_button":{"Search":["Buscar"]},"support_search_i_am_looking_for":{"I'm looking for":["Busco"]},"SupportForm":{"For a faster resolution, please report the issue from the Bridge app: Help > Report a problem.":["Para una resolución más rápida, informa del problema desde la aplicación Bridge: Ayuda > Notificar un problema."],"Information":["Información"]},"SupportForm:option":{"Account Security":["Seguridad de la cuenta"],"Contacts":["Contactos"],"Custom email domain":["Dominio de correo electrónico personalizado"],"Email delivery and Spam":["Envío de correos electrónico y spam"],"Encryption":["Cifrado"],"Login and password":["Inicio de sesión y contraseña"],"Merge aliases and accounts":["Fusionar seudónimos y cuentas"],"Migrate to Proton":["Migrar a Proton"],"Notifications":["Notificaciones"],"Other":["Otro"],"Plans and billing":["Planes y facturación"],"Proton for Business":["Proton for Business"],"Sign up":["Regístrate"],"Storage":["Almacenamiento"],"Users, addresses, and identities":["Usuarios, direcciones e identidades"]},"SupportForm:optionIntro":{"Select a topic":["Selecciona un tema"]},"Testimonial":{"Awards":["Premios"],"Customers":["Clientes"],"Featured":["Destacado"],"Go to testimonial source":["Ir a la fuente del testimonio"],"Open source of award":["Fuente disponible del premio"],"Open source of quote":["Fuente disponible del testimonio"],"Reviews":["Opiniones"],"Videos":["Vídeos"],"Watch on TikTok":["Ver en TikTok"],"Watch on YouTube":["Ver en YouTube"]},"TestimonialCategory":{"Awards":["Premios"],"Customers":["Clientes"],"Featured":["Destacado"],"Media":["Medios"],"Reviews":["Opiniones"],"Videos":["Vídeos"]},"Text":{"If you need help, check out our ${ supportLink }.":["Si necesitas ayuda, consulta nuestra ${ supportLink }."],"The page you’re looking for might have been removed, or it could be an\nold link.":["Es posible que la página que buscas haya sido eliminada o que sea un\nenlace antiguo."],"Your question may already have an answer in our knowledge base:":["Puede que haya respuesta a tu pregunta en nuestra base de conocimientos:"]},"Title":{"On this page":["En esta página"],"Related articles":["Artículos relacionados"],"Share ${ thisPage }":["Compartir ${ thisPage }"],"Switch to Proton Pass - Contact us":["Cambia a Proton Pass - Contáctanos"],"Thank you!":["¡Gracias!"],"this page":["esta página"]},"tooltip_vpn":{"Access blocked content and browse privately. Includes ${ TOTAL_VPN_SERVERS }+ servers in ${ TOTAL_VPN_COUNTRIES }+ countries, highest VPN speed, ${ TOTAL_VPN_CONNECTIONS } VPN connections, worldwide streaming services, malware and ad-blocker, and more.":["Accede a contenido bloqueado y navega en privado. Tendrás a tu disposición más de ${ TOTAL_VPN_SERVERS } servidores en más de ${ TOTAL_VPN_COUNTRIES } países, VPN de máxima velocidad, ${ TOTAL_VPN_CONNECTIONS } conexiones VPN, servicios de streaming en todo el mundo, bloqueadores de malware y anuncios, y mucho más."]},"vpn_servers":{"Get Proton VPN Plus":["Obtener Proton VPN Plus"]},"wallet_signup_2024:Action":{"Get Proton Wallet":["Obtener Proton Wallet"]},"wallet_signup_2024:Homepage hero product link title":{"Wallet":["Wallet"]},"wallet_signup_2024:Homepage product navigation bar":{"Wallet":["Wallet"]},"wallet_signup_2024:menu item":{"Bitcoin guide":["Guía sobre Bitcoin"],"Proton Wallet news":["Novedades sobre Proton Wallet"],"Proton Wallet support":["Soporte para Proton Wallet"]},"wallet_signup_2024:Pricing":{"Includes everything in Proton Unlimited and":["Incluye todas las funciones en Proton Unlimited y"],"Limited availability":["Disponibilidad limitada"],"The easiest way to securely own, send, and receive Bitcoin":["La forma más fácil de retener, enviar y recibir Bitcoin con seguridad"]},"wallet_signup_2024:ProductRange":{"Discover Proton Wallet":["Descubre Proton Wallet"],"Store and transact Bitcoin privately with an encrypted self-custody wallet.":["Almacena Bitcoin y negocia de forma privada con una cartera de autocustodia cifrada."]},"wallet_signup_2024:wallet bitcoin":{"Learn about Bitcoin, the Internet's value network.":["Infórmate sobre Bitcoin, la red de valor de internet."]},"wallet_signup_2024:wallet overview":{"Ensure you're always in control of your Bitcoin.":["Asegúrate de tener siempre el control de tu Bitcoin."]},"wallet_signup_2024:wallet security":{"The encrypted, open-source wallet that puts you in control.":["La cartera cifrada de código abierto que te permite controlarlo todo."]}}},"base":"blog","cdn":{"enabledForAssets":true,"enabledForImages":true,"url":"https://pmecdn.protonweb.com/"},"unleashApi":"https://account.proton.me/api"};
window.frameworkContext = frameworkContext;
const context = frameworkContext.base === '' ? '' : `${frameworkContext.base}/`;
window.__toAssetUrl = (filename) => {
if (frameworkContext.cdn !== undefined && frameworkContext.cdn.enabledForAssets === true) {
return `${frameworkContext.cdn.url}${context}${filename}`;
} else {
return `/${context}${filename}`;
}
};
})();
HIPAA compliance checklist guide for 2022 | Proton
As discussed in our article on HIPAA Compliance, the Health Insurance Portability and Accountability Act (HIPAA) is a collection of closely aligned regulations that protect the medical data of patients in the United States.
In that article, we also discuss who must be HIPAA compliant — covered entities and business associates — which basically means anyone with any access to patients’ protected health information (PHI). Failures in HIPAA compliance are known as HIPAA violations(ventana nueva), and can result in stiff fines.
This article explains the most important measures and best practices that covered entities and business associates must address in order to be HIPAA compliant.
The HSS Office of Inspector General (OIG) offers a Compliance Resource Portal(ventana nueva) that establishes the “seven fundamental elements of an effective compliance program.” These elements are:
Standards, Policies, and Procedures
Compliance Program Administration
Screening and Evaluation of Employees, Physicians, Vendors, and other Agents
Communication, Education, and Training on Compliance Issues
Monitoring, Auditing, and Internal Reporting Systems
Discipline for Non‐Compliance
Investigations and Remedial Measures
A HIPAA compliance checklist
In practical terms, the key measures that must be implemented by all covered entities and business associates that wish to be (and remain) HIPAA compliant can be summarized as:
1. Develop robust standards, policies, and procedures
Covered entities and business associates must develop administrative systems and practices that ensure they meet the HIPAA compliance Rules (discussed here). Staff must be fully and routinely trained in all such standards, policies, and procedures, and are required to attest that they have received this training.
2. Implement strong physical and technical safeguards
In order to be HIPAA compliant, entities must ensure that all data relating to PHI is secure. This includes implementing:
Technical safeguards — such as restricting access to EPHI to authorized personnel only, requiring authorized personnel to verify their identity using unique identification methods (such as physical login tokens), monitoring hardware and software access logs for irregular activity, using strong encryption, implementing auto-logout, clearly specifying emergency access procedures, and using a HIPAA-compliant email(ventana nueva) service.
Physical safeguards — restrictions on who can physically access buildings, offices, and facilities, restrictions on who has access to workstations and electronic media, and procedures for disposing of or otherwise moving workstations and electronic media (such as old hard drives).
3. Perform an annual HIPAA risk assessment
According to the HIPAA Security Rule(ventana nueva), “risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
In order to comply with this requirement, HIPAA compliant entities are strongly advised to perform an annual audit to identify problems or gaps in their implementation of the security standards specified in the Security and Privacy Rules. These audits should therefore cover all administrative, physical security, and technical security measures deployed by the company in order to achieve HIPAA compliance.
4. Report data breaches
HIPAA-compliant entities must develop procedures outlining the measures to be taken in the event of a data breach. These include procedures for notifying customers, the HSS OCR, and any other entities required in accordance with the Breach Notification Rule.
5. Investigate violations and implement remedial measures
If a HIPAA violation occurs for any reason (including any violation identified during the annual self-audit) then it must be fully investigated, and a remedial plan developed and then implemented to correct the problem and bring the covered entity or business associate back in line with HIPAA regulations.
6. Document everything
Covered entities and business associates should document everything related to HIPAA compliance. This includes:
All measures taken to become HIPAA compliant.
All contact with other covered entities and business associates that they share PHI with.
All HIPAA violations that occur, plus all measures taken to remedy and report such incidents.
Failure to keep extensive documentation of all matters relating to HIPAA compliance is likely to result in a company failing the HSS OCR audit(ventana nueva) requirements.
A second phase was conducted in 2016, and in 2017 the OCR announced phase 3: on-site audits. This is a major expansion of the audit program and means that the OCR can now show up unannounced to view evidence that an individual or organization is HIPAA compliant.
The main purpose of maintaining a HIPAA compliance checklist could therefore be seen as providing proof of HIPAA compliance in the event of OCR audit. It is in everyone’s interest that covered entities and business associates work hard to maintain HIPAA compliance, however, regardless of whether an OCR audit is performed or not.
Audit Protocol
In order to help entities create checklists that meet HIPAA standards, the OCR has published an Audit Protocol(ventana nueva) which explains all areas that may be assessed during an OCR audit.
The audit protocol lists the different audit types (privacy, security, or breach), and identifies “key activities” that entities must comply with to be deemed HIPAA compliant. The “established performance criteria” needed to meet these standards are explained in detail.
HIPAA checklist FAQ
What is required for HIPAA compliance?
HIPAA compliant entities must appoint a HIPAA Privacy Officer and a HIPAA Security Officer to oversee HIPAA compliance. These can be existing staff members or outside contactors.
Their responsibility is to run risk assessments on the privacy and security systems and standards used by your company to protect PHI. The key areas that must be examined are:
The working practices of all staff members
Physical security measures in place to prevent unauthorized access to PHI
Electronic security measures in place to prevent unauthorized access to PHI
How your company will respond if a HIPAA violation or data breach occurs
Once risks have been identified, effective measures should be put into place to address them. The HIPAA Audit Protocol makes it clear that the OCR values evidence that self-audits are updated on a regular basis to account for changes within the entity, and for changes in the wider privacy and security landscape.
How do you do a HIPAA compliance checklist?
Your HIPAA Privacy and Security Officers should document all the key areas they have examined for potential risks. If existing safeguards are deemed sufficient to address these risks then this should be documented, or if additional safeguards are required then this, along with evidence of implementing the safeguards, should also be documented.
Detailed plans should be made and documented about what to do in the event of a HIPAA violation or data breach, with clear lines of responsibility established for actions that will be taken.
How do I know my documentation is sufficient to pass a HIPAA audit?
The Audit Protocol, which is published on the HSS website, should help identify all areas that your HIPAA compliance checklist should cover. If you are not confident in your entity’s ability to produce sufficient documentation, then there are many companies that offer professional help with HIPAA compliance.
What are desk audits and physical audits?
Desk audits are remote audits, where covered entities and business associates are asked to submit their documentation via the OCR’s secure web portal. Physical audits involve the OCR turning up at your workplace to inspect your HIPAA compliance provisions. They are often made in response to a lack of cooperation when an entity is asked to submit a desk audit, but also include the impromptu phase 3 on-site audits discussed above.
What happens if you fail a HIPAA audit?
If minor issues are found during a desk audit then you will be notified by the HSS. If minor issues are found during a physical audit then you may need to produce evidence of addressing them.
If major issues are found during any HSS audit then you may be subject to the penalties.
Do HIPAA audits only assess how EPHI is stored and transmitted?
No. Although HSA audits were introduced primarily to address an alarming rise in electronic data breaches, they assess all aspects of HIPAA compliance. This includes administrative practices, physical security measures, and planning for the possibility of data breaches, in addition to technical measures used to keep EPHI data safe.