A Comprehensive HIPAA Compliance Checklist (Most Recommended)

Did you know that in 2022 alone, healthcare companies will have paid over $2 million in penalties following HIPAA non-compliance? And these large-scale settlements are just drops in the HIPAA penalties pool. The Office of Civil Rights levies fines on several other small-scale HIPAA breaches too.

And that’s not it all. Once you’ve had a HIPAA breach, your business gets listed on OCR’s Wall of Shame with details on the violation, including the penalty, date, and number of individuals affected.

That’s a lot to handle, right? The easiest way to avoid these is to double down on your business’s compliance with HIPAA.

If you are a cloud-hosted business associate, read on. In this article, we have put together a HIPAA compliance checklist that can serve as a detailed and easy-to-understand guide for you to become HIPAA compliant.

Bonus: A downloadable PDF to use as a reference.

Why do you need to be HIPAA compliant?

The short answer, HIPAA is a US federal law. And if your business comes under its purview, you don’t have much choice but to comply or risk heavy penalties and a place in the eternal OCR ‘Wall of Shame’. But aside from complying with the spirit and the letter of the law, HIPAA has business merits too.

Before we get to the merits of complying with HIPAA, let’s take a quick detour to understand the basics.

8 Steps HIPAA Compliance Checklist

The aim of this quick HIPAA checklist is to ensure you have everything you need to know in a single place to get your organization HIPAA compliant.

Here is the 8-step checklist to becoming HIPAA complaint:

1. Determine if the Privacy Rule affects you or not

HIPAA’s Privacy Rule protects PHI in any form (verbal, electronic, or written). While most of the Privacy Rule provisions don’t directly apply to business associates, you will still need to implement some of the mandatory policies and safeguards for your covered entity, such as rules around the use and disclosure of PHI and patient rights concerning their PHI.

As a rule of thumb, you must abide by the basic privacy rules: you mustn’t use, access, or disclose PHI without the individual’s valid, HIPAA-compliant authorization (barring exceptions).

Typically, your BAA with the covered entity will outline these rules. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements (by way of BAA) with business associates to ensure the privacy protection of PHI.

Covered entities, however, don’t (and aren’t mandated to) monitor or oversee how you implement privacy safeguards or the extent to which you abide by the privacy requirements of the contract. That’s on you!

It, therefore, makes business sense also to be aware of all the privacy rules that apply to the covered entity, including its notice of privacy practices (NPP) and other business agreements. 

To ensure you are on the right side of HIPAA’s Privacy rules, appoint a privacy officer to develop and implement these privacy policies. And remember to keep all your PHI documentation, including amendments and requests, for at least six years.

Want to watch the HIPAA compliance checklist video instead? Here it is:

2. Protect the right types of patient data

To know if you are protecting the right kind of data, you must understand what constitutes PHI, where it originates from, where it is stored, and who has access to it in your organization.

You must also know the type of patient information your organization uses and transmits. While your BAA would cover it, it’s good practice to ensure the details are clearly spelled out and the relevant parties in your organization are aware of it.

Besides, knowing what types of patient data you must protect makes a good starting point for putting suitable security and privacy safeguards in place.

---

3. Understand HIPAA Security Rules & the types of safeguards

HIPAA’s Security Rule comprises many required and addressable categories and lay down the general rules for covered entities and their business associates as follows:

• Protect against any reasonably anticipated threats or hazards to the security and integrity of ePHI
• Protect against any reasonably expected uses or disclosures of PHI that’s not permissible per the Privacy Rule
• Ensure compliance by the workforce

HIPAA defines workforce as ‘trainees, volunteers, employees or any other individual whose conduct, while performing work under a business associate or covered entity, is under the business associate’s or entity’s direct control.’

HIPAA’s Security Rule requires organizations to implement administrative safeguards as well as physical, and technical safeguards based on risk assessments and analyses to protect ePHI. These safeguards lay the foundation for the security procedures organizations must implement in their environment. 

Here’s an overview of the safeguards:

Organizations must complete their HIPAA risk assessment to understand what and which data is at risk and the steps they must take to secure it. 

As such, compliance with the Security Rule will depend on many factors. Some of those include

• Your organization’s size, complexity, and capabilities, including technical infrastructure, hardware, and software security capabilities
• Costs of the additional security measures
• Probability and criticality of the potential risks to ePHI 

---

4. Understand the causes of HIPAA violations

HIPAA violations can occur in many ways. So, it’s essential to understand its causes and the safeguards you can implement to prevent them. While external data breaches or hacks by bad actors are the more commonly-known sources of HIPAA violations, they aren’t your usual culprits.

HIPAA violations occur more due to internal lapses driven by security oversights or, at times, caused by plain negligence.

For instance, unattended workstations, releasing patient information after the expiration of the authorization, or having insufficient ePHI access controls can lead to HIPAA violations.

Sending PHI to the wrong party, discussing PHI in public (social media included), and using non-compliant services, such as clouds, websites, and Gmail, are among the common causes of violations. 

Nonetheless, these oversights can prove to be very expensive. That Pagosa Springs Medical Center paid a penalty of $111400 in 2018 for failing to revoke ePHI access following an employee termination, and lack of BAA may help put the cost of HIPAA oversights in perspective. 

Loss or theft of devices is also a common occurrence. But it doesn’t necessarily mean a HIPAA violation. You aren’t liable for penalties if your PHI is encrypted per the rules.

– Avoiding violations

You must keep your staff educated and updated on HIPAA regulations to avoid violations and ensure your policies and procedures reflect the most recent HIPAA updates. Failure to do this can attract a hefty fine or even jail time.

As business associates, you must avoid the following or risk a visit from the OCR.  

• Failure to perform risk assessment or implement the administrative, physical, and technical safeguards
• Failure to enter into BAAs with subcontractors that create or receive PHI
• Failure to take reasonable steps to address a material breach or violation of a subcontractor’s BAA
• Impermissible use or disclosure of PHI as per BAA
• Failure to make reasonable efforts to limit the request, use, or disclosure of PHI to the minimum necessary 
• Failure to disclose a copy of ePHI to the covered entity (or parties specified in BAA) to enable the covered entity to comply with the patient’s right of access
• Failure to provide an accounting of disclosures to enable the covered entity to comply with its obligations to provide such an accounting when requested
• Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule
• Retaliating against others for filing a HIPAA complaint or opposing an act or practice that is unlawful under the HIPAA Rules
• Failure to provide the HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews.

Also, find out: How to get HIPAA certification

5. Document every activity towards protecting data

As with any compliance, in HIPAA too, the devil is in the documentation. You must diligently document all your HIPAA-related compliance efforts. You must maintain a log and record of all actions, including the first steps taken to audit evaluations to corrective actions taken.

It’s good practice to compile all HIPAA-related documentation and make your policies transparent. In general, you should document everything related to PHI. You should hold the documents containing PHI or the policies about disclosing PHI for at least six years. 

Broadly, the HIPAA documentation requirements include the following:

• Policies and procedures
• Written/electronic copy of communications
• All activities, actions, or designations that require electronic/written records

These would include (not limited to):

• HIPAA Risk Analysis
• Actions you took to deal with the gaps and vulnerabilities
• HIPAA Risk Management Plan
• Notice of Privacy Practices
• Employee Sanction Policy
• Contracts
• List of Vendors
• Training Logs
• Work Desk Procedures
• Business Associate Agreements
• Breach Response Plan
• Compliance process, procedures, and assessment reports
• Electronic media used to store PHI and records of hardware
• Disaster recovery plan
• Password policies
• Documentation of incidents
• Physical Security Maintenance Records
• Authorizations for disclosing PHI

8. Set up breach notifications if any data is lost

You must establish guidelines around breach notification in line with HIPAA compliance requirements. HIPAA’s Breach Notification Rule requires business associates to notify covered entities when a PHI breach occurs at or by a business associate. 

As a business associate, you must provide notice to the covered entity without unreasonable delay and within 60 days of the breach’s discovery. To the extent possible, you must also provide the identification of each individual affected by the breach to the covered entity.

Note that the covered entity may, through the terms of the BAA, demand an expedited notice or a more detailed breach response from you.

That said, the burden of proving that all required notifications have been provided or that the use or disclosure of PHI didn’t cause a breach lies on the business associates and covered entities (as applicable). 

As business associates, you must also report uses or disclosures that violate the BAA (presumably HIPAA, too) with the covered entity to the latter, even if it’s not reportable under HIPAA’s Breach Notification Rule.

In addition, you must report security incidents, including attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system. 

Therefore, it is an excellent practice to maintain documentation that all required notifications were made or to maintain documentation to demonstrate that the breach didn’t need a notification.

7. Implement physical safeguards

HIPAA defines physical safeguards as the physical measures, policies, and procedures you should implement to protect your electronic information systems and related buildings and equipment from unauthorized intrusion and natural and environmental hazards.

All physical access to e-PHI must be considered for evaluation and implementation for this safeguard. Physical access may include workforce members’ homes or other physical locations outside the office where e-PHI is accessible.

As per HIPAA, you must limit physical access to your facilities with access to ePHI through authorizations based on access controls and validation. You must also prepare policies and procedures for the proper use and restricted access to workstations and electronic media, such as digital memory cards, hard drives, and disks.  

Business associates must also implement policies and procedures to address the disposal of ePHI and the electronic media on which it is stored. You must craft policies to address media re-use too. Another safeguard you can implement is creating a retrievable backup of ePHI. 

8. Implement technical safeguards to protect access to ePHI

HIPAA’s Security Rule defines technical safeguards as ‘the technology and the policy and procedures for its use that protect ePHI and control access to it.’

Business associates and covered entities must implement technical policies and procedures that define and describe how only authorized persons, based on unique user identification, can access ePHI. You must also incorporate an emergency access procedure and implement automatic log-off, encryption and decryption of ePHI. 

Policies and procedures around audit controls to monitor access to ePHI and integrity controls to ensure ePHI isn’t compromised are also HIPAA requirements. You must implement user authentication and ensure transmission security by implementing integrity controls and encryptions.

---

Merits of HIPAA Compliance

With the HIPAA brass tacks out of the way, here’s a look at the business merits of complying with HIPAA.

Avoid hefty penalties for noncompliance

The Department of Health and Human Services (HHS) and US State Attorneys General issue HIPAA penalties for violations. A violation occurs when a covered entity or business associate fails to comply with one or more of the provisions of HIPAA’s Privacy, Security, or Breach Notification Rules.

Depending on the severity of the violations, the OCR may either resolve them using non-punitive measures (such as issuing technical guidance) or levy appropriate financial penalties. Penalties range from a minimum fine of $100 per violation to even $50000+ and can include criminal penalties.

Follow best security practices in compliance

With the healthcare industry becoming an attractive target for cyber-attacks, it becomes critical for business associates to up their data security game. Complying with HIPAA makes for a strong security moat, for it is touted as one of the most stringent healthcare legislations in the world.

HIPAA forms the backbone of all cybersecurity and privacy initiatives for the healthcare industry and mandates several security measures to be implemented.

For instance, HIPAA requires organizations to assign role-based security of information, backup data, use strong passwords, conduct regular internal audits, and whatnot.

Put patients’ interests at the fore

HIPAA puts the patients at the core and ensures their interests get prioritized first. HIPAA emphasizes the privacy of patient information, gives individuals the right to access and correct their information, and requires organizations to take the patients’ consent before their data gets shared with any third party.

It also gives them the right to file a complaint if data is misused or shared without permission. Organizations that comply with HIPAA automatically keep their patients’ interests at the fore.

Prioritizing patients’ interests can help them build trust and scale their businesses ethically. Besides, health information, when stolen, can lead to identity theft, security breaches, and much more. As business associates, you don’t want to be the source of a leak or hack that could put PHI at risk.

Build a comprehensive cybersecurity program

When you comply with HIPAA, you can rest assured that complying with other infosec compliances worldwide, such as SOC 2, GDPR and ISO 27001, would be easy too. For instance, there are many commonalities in security controls suggested by HIPPA, NIST CSF and SOC 2. 

Sprinto offers a common controls framework that allows you to build off your earlier compliances, saving you time and resources. 

Also check out: List of components of HIPAA

HIPAA Checklist PDF to Download

It’s a good practice for all healthcare organizations under the purview of HIPAA to follow the HIPAA checklist. Here’s a curated HIPAA compliance checklist for cloud-hosted business associates.

Sprinto helps business associates get HIPAA-compliant

HIPAA regulations, understandably so, can get overwhelming. But ignorance of the rules doesn’t earn any relaxation from the OCR; ignorance can be very expensive. 

Sprinto, therefore, is designed to ensure you are always on the side right of the law. It not only automates the entire compliance journey, it breaks all the HIPAA requirements into simple, easy-to-understand steps that don’t overwhelm.

The automation compliance software provides you with editable policy templates, in-app employee training modules updated to reflect the most recent changes in HIPAA, and a real-time dashboard that updates your organization’s overall compliance status, highlighting gaps and tasks to move the needle on your compliance status. 

Talk to us today to get your HIPAA compliance journey kickstarted. 

FAQs

Why do you need a HIPAA compliance checklist?

You need a HIPAA compliance checklist to evaluate whether your organization complies with HIPAA regulations and, if not, to know how to adhere to them. 

Who needs to comply with HIPAA?

Individuals, healthcare organizations, their staff, vendors, cloud-hosted companies, and contractors that access, store and use protected health information (PHI) of patients in the US need to comply with HIPAA. 

What is Protected Health Information?

PHI is any health information that identifies an individual (such as name, address, and health conditions) and is maintained or exchanged electronically or in hard copy. Such information is protected under HIPAA from being disclosed without the patient’s consent or knowledge. 

What is a Covered Entity?

Covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically and generate, store, transmit and handle PHI.  

What is a Business Associate?

Business associates are service providers, vendors and other entities that work on behalf of HIPAA-covered entities that involve the use or disclosure of PHI.