A Comprehensive HIPAA Compliance Checklist (Most Recommended)
Srividhya Karthik
Apr 07, 2024
Did you know healthcare is the second most targeted industry, with 20% of victims falling prey to cloud misconfiguration breaches? These high-profile cases are just the tip of the iceberg when it comes to HIPAA violations.
The Office of Civil Rights regularly issues fines for smaller breaches that fail to meet the HIPAA compliance checklist requirements.
And that’s not it all. Once you’ve had a HIPAA breach, your business gets listed on OCR’s Wall of Shame with details on the violation, including the penalty, date, and number of individuals affected.
That’s a lot to handle, right? The easiest way to avoid these is to double down on your business’s compliance with HIPAA.
If you are a cloud-hosted business associate, read on. In this article, we have put together a HIPAA compliance checklist that can serve as a detailed and easy-to-understand guide for you to become HIPAA compliant.
Bonus: A downloadable PDF to use as a reference.
Why do you need to be HIPAA compliant?
The short answer, HIPAA is a US federal law. And if your business comes under its purview, you don’t have much choice but to comply or risk heavy penalties and a place in the eternal OCR ‘Wall of Shame’. But aside from complying with the spirit and the letter of the law, HIPAA has business merits too.
Before we get to the merits of complying with HIPAA, let’s take a quick detour to understand the basics.
hands-on workshop
From Manual To Maverick: For Security Professionals
All about Compliance Automation!
Who is required to follow the HIPAA compliance checklist?
The HIPAA compliance checklist needs to be followed by any healthcare business, organization, or individual entity that collects, processes, stores, and transmits private health information (PHI).
The federal act provides several categories of organizations and individuals mandated to follow the HIPAA checklist:
1. Covered entities: These entities include healthcare providers, doctors, clinics, pharmacies, insurance companies, government programs, clearing houses, etc.
2. Business Associates: Business associates are individuals or organizations that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of protected health information. Examples include billing companies, practice management firms, IT contractors, cloud storage services, etc.
3. Subcontractors: Business associates of business associates who handle protected health information
4. Hybrid entities: Organizations that have some HIPAA-covered functions and some non-covered functions.
8 Steps HIPAA Compliance Checklist
This detailed HIPAA compliance checklist aims to ensure you have everything you need to know in a single place to get your organization HIPAA compliant.
Here is the 8-step checklist to becoming HIPAA complaint:
1. Determine if the Privacy Rule affects you or not
HIPAA’s Privacy Rule protects PHI in any form (verbal, electronic, or written). While most of the Privacy Rule provisions don’t directly apply to business associates, you will still need to implement some of the mandatory policies and safeguards for your covered entity, such as rules around the use and disclosure of PHI and patient rights concerning their PHI.
As a rule of thumb, you must abide by the basic privacy rules: you mustn’t use, access, or disclose PHI without the individual’s valid, HIPAA-compliant authorization (barring exceptions).
Typically, your BAA with the covered entity will outline these rules. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements (by way of BAA) with business associates to ensure the privacy protection of PHI.
Covered entities, however, don’t (and aren’t mandated to) monitor or oversee how you implement privacy safeguards or the extent to which you abide by the privacy requirements of the contract. That’s on you!
It, therefore, makes business sense also to be aware of all the privacy rules that apply to the covered entity, including its notice of privacy practices (NPP) and other business agreements.
To ensure you are on the right side of HIPAA’s Privacy rules, appoint a privacy officer to develop and implement these privacy policies. And remember to keep all your PHI documentation, including amendments and requests, for at least six years.
Want to watch the HIPAA compliance checklist video instead? Here it is:
Download your HIPAA Compliance Checklist
2. Protect the right types of patient data
To know if you are protecting the right kind of data, you must understand what constitutes PHI, where it originates from, where it is stored, and who has access to it in your organization.
You must also know the type of patient information your organization uses and transmits. While your BAA would cover it, it’s good practice to ensure the details are clearly spelled out and the relevant parties in your organization are aware of it.
Besides, knowing what types of patient data you must protect makes a good starting point for putting suitable security and privacy safeguards in place.
Protect patient’s data by automating HIPAA compliance. Talk to our experts now
3. Understand HIPAA Security Rules & the types of safeguards
HIPAA’s Security Rule comprises many required and addressable categories and lay down the general rules for covered entities and their business associates as follows:
- Protect against any reasonably anticipated threats or hazards to the security and integrity of ePHI
- Protect against any reasonably expected uses or disclosures of PHI that’s not permissible per the Privacy Rule
- Ensure compliance by the workforce
HIPAA defines workforce as ‘trainees, volunteers, employees or any other individual whose conduct, while performing work under a business associate or covered entity, is under the business associate’s or entity’s direct control.’
HIPAA’s Security Rule requires organizations to implement administrative safeguards as well as physical, and technical safeguards based on risk assessments and analyses to protect ePHI. These safeguards lay the foundation for the security procedures organizations must implement in their environment.
Here’s an overview of the safeguards:
Organizations must complete their HIPAA risk assessment to understand what and which data is at risk and the steps they must take to secure it.
As such, compliance with the Security Rule will depend on many factors. Some of those include
- Your organization’s size, complexity, and capabilities, including technical infrastructure, hardware, and software security capabilities
- Costs of the additional security measures
- Probability and criticality of the potential risks to ePHI
Stop worrying about the HIPAA rules with the help of Sprinto. Talk to us now!
4. Understand the causes of HIPAA violations
HIPAA violations can occur in many ways. So, it’s essential to understand its causes and the safeguards you can implement to prevent them. While external data breaches or hacks by bad actors are the more commonly-known sources of HIPAA violations, they aren’t your usual culprits.
HIPAA violations occur more due to internal lapses driven by security oversights or, at times, caused by plain negligence.
For instance, unattended workstations, releasing patient information after the expiration of the authorization, or having insufficient ePHI access controls can lead to HIPAA violations.
Sending PHI to the wrong party, discussing PHI in public (social media included), and using non-compliant services, such as clouds, websites, and Gmail, are among the common causes of violations.
Nonetheless, these oversights can prove to be very expensive. That Pagosa Springs Medical Center paid a penalty of $111400 in 2018 for failing to revoke ePHI access following an employee termination, and lack of BAA may help put the cost of HIPAA oversights in perspective.
Loss or theft of devices is also a common occurrence. But it doesn’t necessarily mean a HIPAA violation. You aren’t liable for penalties if your PHI is encrypted per the rules.
– Avoiding violations
You must keep your staff educated and updated on HIPAA regulations to avoid violations and ensure your policies and procedures reflect the most recent HIPAA updates. Failure to do this can attract a hefty fine or even jail time.
As business associates, you must avoid the following or risk a visit from the OCR.
- Failure to perform risk assessment or implement the administrative, physical, and technical safeguards
- Failure to enter into BAAs with subcontractors that create or receive PHI
- Failure to take reasonable steps to address a material breach or violation of a subcontractor’s BAA
- Impermissible use or disclosure of PHI as per BAA
- Failure to make reasonable efforts to limit the request, use, or disclosure of PHI to the minimum necessary
- Failure to disclose a copy of ePHI to the covered entity (or parties specified in BAA) to enable the covered entity to comply with the patient’s right of access
- Failure to provide an accounting of disclosures to enable the covered entity to comply with its obligations to provide such an accounting when requested
- Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule
- Retaliating against others for filing a HIPAA complaint or opposing an act or practice that is unlawful under the HIPAA Rules
- Failure to provide the HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews.
Also, find out: How to get HIPAA certification
5. Document every activity towards protecting data
As with any compliance, in HIPAA too, the devil is in the documentation. You must diligently document all your HIPAA-related compliance efforts. You must maintain a log and record of all actions, including the first steps taken to audit evaluations to corrective actions taken.
It’s good practice to compile all HIPAA-related documentation and make your policies transparent. In general, you should document everything related to PHI. You should hold the documents containing PHI or the policies about disclosing PHI for at least six years.
Broadly, the HIPAA documentation requirements include the following:
- Policies and procedures
- Written/electronic copy of communications
- All activities, actions, or designations that require electronic/written records
These would include (not limited to):
- HIPAA Risk Analysis
- Actions you took to deal with the gaps and vulnerabilities
- HIPAA Risk Management Plan
- Notice of Privacy Practices
- Employee Sanction Policy
- Contracts
- List of Vendors
- Training Logs
- Work Desk Procedures
- Business Associate Agreements
- Breach Response Plan
- Compliance process, procedures, and assessment reports
- Electronic media used to store PHI and records of hardware
- Disaster recovery plan
- Password policies
- Documentation of incidents
- Physical Security Maintenance Records
- Authorizations for disclosing PHI
8. Set up breach notifications if any data is lost
You must establish guidelines around breach notification in line with HIPAA compliance requirements. HIPAA’s Breach Notification Rule requires business associates to notify covered entities when a PHI breach occurs at or by a business associate.
As a business associate, you must provide notice to the covered entity without unreasonable delay and within 60 days of the breach’s discovery. To the extent possible, you must also provide the identification of each individual affected by the breach to the covered entity.
Note that the covered entity may, through the terms of the BAA, demand an expedited notice or a more detailed breach response from you.
That said, the burden of proving that all required notifications have been provided or that the use or disclosure of PHI didn’t cause a breach lies on the business associates and covered entities (as applicable).
As business associates, you must also report uses or disclosures that violate the BAA (presumably HIPAA, too) with the covered entity to the latter, even if it’s not reportable under HIPAA’s Breach Notification Rule.
In addition, you must report security incidents, including attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.
Therefore, it is an excellent practice to maintain documentation that all required notifications were made or to maintain documentation to demonstrate that the breach didn’t need a notification.
7. Implement physical safeguards
HIPAA defines physical safeguards as the physical measures, policies, and procedures you should implement to protect your electronic information systems and related buildings and equipment from unauthorized intrusion and natural and environmental hazards.
All physical access to e-PHI must be considered for evaluation and implementation for this safeguard. Physical access may include workforce members’ homes or other physical locations outside the office where e-PHI is accessible.
As per HIPAA, you must limit physical access to your facilities with access to ePHI through authorizations based on access controls and validation. You must also prepare policies and procedures for the proper use and restricted access to workstations and electronic media, such as digital memory cards, hard drives, and disks.
Business associates must also implement policies and procedures to address the disposal of ePHI and the electronic media on which it is stored. You must craft policies to address media re-use too. Another safeguard you can implement is creating a retrievable backup of ePHI.
8. Implement technical safeguards to protect access to ePHI
HIPAA’s Security Rule defines technical safeguards as ‘the technology and the policy and procedures for its use that protect ePHI and control access to it.’
Business associates and covered entities must implement technical policies and procedures that define and describe how only authorized persons, based on unique user identification, can access ePHI. You must also incorporate an emergency access procedure and implement automatic log-off, encryption and decryption of ePHI.
Policies and procedures around audit controls to monitor access to ePHI and integrity controls to ensure ePHI isn’t compromised are also HIPAA requirements. You must implement user authentication and ensure transmission security by implementing integrity controls and encryptions.
Let’s skip to you becoming HIPAA compliant, with Sprinto
Merits of HIPAA Compliance
With the HIPAA brass tacks out of the way, here’s a look at the business merits of complying with HIPAA.
Avoid hefty penalties for noncompliance
HIPAA violations can result in fines ranging from $127 to $250,000, depending on the severity of the breach. The Department of Health and Human Services (HHS) and US State Attorneys General issue HIPAA penalties for violations. A violation occurs when a covered entity or business associate fails to comply with one or more of