HIPAA Compliance: Ensure Privacy & Security (Download Free Checklist)

The HIPAA 1996 Act sets regulatory measures to ensure the security of sensitive patient information held by health providers. The Department of Health and Human Services oversees HIPAA compliance, while the Office for Civil Rights enforces it.

PHI or Protected Health Information covers broad data of a patient, including electronic records, medical records, personal information, social security numbers, contact information, and more. Whenever the security of PHI is compromised, OCR investigates the possible violation of HIPAA. If violations are found, then OCR imposes fines to be paid based on a tiered penalty structure.

The HIPAA regulatory framework has been laid down to ensure that healthcare providers maintain confidentiality and security of sensitive information of the patients, thereby protecting individual privacy rights within the sector of healthcare.

Recent HIPAA enforcement cases such as when Lifespan Health System was required to pay $1,040,000 for a breach of electronic PHI (ePHI) after the theft of an unencrypted laptop that affected 20,431 people demonstrates the consequences of data breaches and the importance of data protection and information security. 

Hence, being HIPAA compliant is significant for the organization to enact appropriate security measures. In this article, we will explain how to be HIPAA compliant and share a step-by-step HIPAA compliance checklist that encompasses everything you need to know.

TL;DR HIPAA compliance entails meeting the requirements of the Privacy Rule, Security Rule, and Breach Notification Rule, as well as seven other elements of an effective compliance program.  Violations incur fines ranging from $100 to over $50,000 per incident based on severity.  The checklist covers the essential tactics for incorporating the physical, technical, and administrative safeguards of the HIPAA Security Rule.

What is HIPAA compliance?

HIPAA compliance is a process for covered entities and business associates to protect and secure PHI according to the Privacy, Security, and Breach Notification Rules.

The key goals and objectives of HIPAA are:

• Ensuring the privacy of health information
• Securing electronic health records
• Simplifying administrative processes
• Improving insurance portability

The reason? A patient’s health information often includes their family medical history and financial details, making it essential to keep it secure. This is why HIPAA certification was introduced.

Who is required to be HIPAA compliant?

HIPAA requires covered entities, business associates, subcontractors, and any other entities handling Protected Health Information (PHI) must be HIPAA compliant.

Being compliant involves meeting the requirements of HIPAA, its amendments, and related legislation like HITECH. Entities that are required to be HIPAA compliant include:

Health Information Exchanges (HIEs):

Organizations that facilitate the exchange of health information between different entities must ensure HIPAA compliance to protect the integrity and confidentiality of the shared data.

The companies who needs to be hipaa compliant also includes billing companies, health plan administrators for individuals and companies, and outsourced staff like lawyers, IT specialists, and accountants working with healthcare institutions. Also, companies that help dispose of hospital and personal records must be adhere to HIPAA requirements.

Covered entities:

Any company that provides payment, health-related operations, or medical assistance in healthcare and consequently creates, collects, or transmits PHI electronically is considered a covered entity. Examples are hospitals, nursing homes, health care providers, medical care entities, and health insurance providers, or third-party healthcare businesses.

Business associates:

Any company that has access to PHI and provides support in the form of treatment, operations, or operations is considered a business associate. Examples include cloud storage providers, third-party service providers, billing firms, IT providers, practice management companies, email hosting services, managed service providers, and electronic health record (EHR) platforms.

HIPAA compliance Rules you need to follow

HIPAA compliance rules and regulations are established to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI). Moreover, HIPAA rules give patients certain rights regarding their healthcare information.

Here are the 7 HIPAA rules explained in detail:

HIPAA Privacy Rule

Puts in place national security standards for safeguarding patients’ rights to PHI. The patient must receive a file for the the HIPAA release form. It applies only to covered entities. (Read more on HIPAA privacy rule)

HIPAA Security Rule

It is a national standard for protecting the handling, transmission, and maintenance of ePHI. Covered entities and their business associates are subject to this rule. (Read more on HIPAA security rule)

HIPAA breach notification Rule

It obliges businesses on how to respond to a data breach and guidelines on reporting a breach. (Read more on HIPAA breach notification rules)

HIPAA Transaction Rule

It was introduced to protect healthcare services and other business entities to take the essential cybersecurity measures to protect ePHI while other transactions are performed. 

HIPAA enforcement rule

It was put in place so that businesses face necessary penalties for data breaches pertaining to civil and criminal laws. It also made reporting requirements for breaches regarding security and privacy mandatory. (Read more on HIPAA enforcement rule)

HIPAA Identifiers Rule

It was implemented to ensure that organizations share PHI solely with authorized entities. A distinct identification number must recognize each organization. This ensures that organizations only share the requested PHI with HIPAA-recognized entities. (Read more on HIPAA identifiers)

Omnibus Rule

It established new requirements for breach notifications with the intention of bolstering existing controls. (Read more on Omninus rule)

Aspects to consider for effective HIPAA compliance 

The importance of adhering to an effective HIPAA Compliance program cannot be overstated. The HHS Office of Inspector General (OIG) established the Seven Elements of an Effective Compliance Program, which is intended to help companies evaluate compliance solutions or build their own compliance programs. 

In addition to meeting HIPAA Privacy Rule and Security Rule standards, an effective compliance program should be able to handle these seven elements:

• Implementing written policies and procedures with respect to a code of conduct/ethics, corporate compliance program, disaster recovery plan, and training, acknowledgment, and corrective action plans
• Assigning a compliance officer and setting up a compliance committee
• Building open lines of communication
• Imparting effective education and HIPAA training
• Performing internal auditing and monitoring to check for relevance
• Enforcing through well-publicized disciplinary guidelines
• Reacting promptly to violations and executive corrective action plans

During OCR investigations of HIPAA violations, federal HIPAA auditors will compare the company’s compliance program against these seven elements.  

Check out How Sprinto enabled Neurosynaptic to embrace compliance automation to swiftly complete HIPAA.

HIPAA compliance checklist

A HIPAA compliance checklist will ensure your service, business, or product contains the appropriate technical, administrative, and physical safeguards according to the statement of the HIPAA Security Rule. This is in addition to adherence to the standards for the Privacy Rule and Breach Notification Rule.

Also, if you’re interested in getting HIPAA compliant, here’s a simple checklist we’ve created for you. Let’s understand the five steps you need to take to be compliant with HIPAA:

1. Understand the HIPAA Privacy Rule

The first step is to become familiar with the HIPAA Privacy Rule, which has provisions for implementing safeguards to protect the privacy of PHI and setting limits on the access and use of PHI. The Rule also confers certain rights to patients over their PHI, such as the right to examine and obtain a copy of their health records and to request corrections.

2. Determine whether the Privacy Rule applies to you

Next, evaluate and confirm whether the Privacy Rule applies to your healthcare organization, practice, or business. The Privacy Rule safeguards individual PHI by regulating the practice of all covered entities, which include nurses, doctors, insurance providers, and lawyers.

3. Protect patient data

Now, understand what types of sensitive health data you need to safeguard and establish the appropriate security and privacy measures. 

The Privacy Rule denotes PHI as “individually identifiable health information” that is transmitted or stored by covered entities or their business associates. It can take any form—verbal, electronic, or paper. 

Individually identifiable health information is considered to include all information that deals with a patient’s mental health or physical condition, their healthcare requirements, and payment for their healthcare requirements. It also includes the patient’s demographic information. 

There are three kinds of safeguards under the Security Rule for PHI:

Technical safeguards

Technical safeguards focus on the technology used to secure and manage access to ePHI. They mandate that ePHI, whether in transit or at rest, must be encrypted according to NIST standards when it leaves a company’s firewalled servers, rendering the data unreadable and unusable. 

• Key technical safeguards include:
• Proactively preparing for breach scenarios
• Implementing access control measures
• Establishing mechanisms to authenticate ePHI
• Using encryption and decryption tools
• Introducing audit controls and activity logs
• Enabling automatic log-off for devices and desktops

Physical safeguards

They center on physical access to ePHI regardless of its location. ePHI could be stored in the cloud, remote data centers, or on servers within the premises of the covered entity. They also specify how mobile devices and workstations should be protected against unauthorized access. 

Physical safeguards include:

• Facility access control policies
• Rules for using and accessing workstations and mobile devices
• Keeping an inventory of hardware

Administrative safeguards

Administrative safeguards deal with policies and guidelines that connect both the Security Rule and the Privacy Rule. They require designating a Privacy Officer and Security Officer to implement measures to safeguard ePHI, and they also provide guidelines on the conduct of the workforce.

Administrative safeguards include:

• Implementing a risk management policy
• Conducting regular HIPAA risk assessments
• Providing compliance training to ensure employee security
• Developing and testing a contingency plan
• Limiting access for third parties
• Reporting security incidents promptly

4. Avoid possible HIPAA violations

HIPAA violations can occur in a variety of ways so take the time to understand what constitutes a violation and how you can prevent it. 

Being HIPAA-compliant does not mean preventing all data breaches; instead, it means lowering risks to an acceptable and appropriate level. 

HIPAA violations are commonly due to internal reasons and not external data breaches or hacks. Many violations are a result of negligence (such as failing to perform an organization-wide risk analysis) or inadequate compliance with the Privacy Rule.  

Violations may be deliberate or unintentional. Failing to issue a breach notification within the maximum time frame of 60 days after discovering a breach is a deliberate violation. Failing to properly configure software like Office 365 for HIPAA compliance is an unintentional violation. 

5. Data breaches under HIPAA

HIPAA standard considers any unauthorized possession, use, access, or release of protected health information that puts its privacy or security at risk to be a data breach. 

To prevent data breaches, you need adequate internal security measures and training as well as a robust cybersecurity program. 

6. Recognizing common HIPAA violations

You should be familiar with the variety of scenarios and cases that can trigger a violation. The 10 most frequently-occurring HIPAA violations are:

• Failure to conduct an organization-wide risk analysis
• Absence of a risk management process or failure to manage potential risks
• Snooping on healthcare records
• Refusing to give patients access to their health records or exceeding the timeframe for giving access
• Failure to form a HIPAA business associate agreement
• Exceeding the 60-day timeframe for putting out breach notifications
• Incorrect disposal of PHI
• Impermissible disclosures of PHI
• Failure to encrypt ePHI on portable devices
• Failure to implement ePHI access controls

7. Anticipating a minor breach

According to the HIPAA Breach Notification Rule, any affected patient or customer should be notified about the theft, compromise, or risk exposure of their PHI. 

In case of a minor breach, which is one that affects fewer than 500 people in a single jurisdiction, HIPAA requires you to gather data on all minor breaches that occur throughout a year and report them to HHS OCR  within 60 days of the end of the year in which they occurred. 

Affected individuals must be informed within 60 days of the breach discovery.

8. Prepping for a meaningful breach

Breaches that affect more than 500 individuals in a single jurisdiction are meaningful breaches. They must be reported to HHS OCR within 60 days of breach discovery. All affected individuals should be informed upon immediate discovery of the breach. Local law enforcement agencies and media agencies should also be notified immediately so that they can alert the affected people.

The HHS Wall of Shame is a permanent repository of all meaningful HIPAA violations in the United States since 2009. 

9. Being aware of fines and penalties

OCR prefers to resolve HIPAA violations through non-punitive methods like voluntary compliance or offering technical guidance to assist covered entities with non-compliant areas. However, if the violation is severe or has been allowed to linger for long, tier-based financial penalties are imposed:

Tier 1: An infringement of which the covered entity had no knowledge and could not have reasonably avoided. Reasonable care was exercised to comply with the HIPAA Rules. Fines of $100 – $50,000 per violation

Tier 2: A violation that the covered entity knew or, by exercising reasonable diligence, would have known but that could not have been avoided even with reasonable care. Fines of $1,000 – $50,000 per incident

Tier 3: A violation that was the result of willful neglect of HIPAA Rules but where attempts have been made to try to correct it. Fines of $10,000 – $50,000 per incident

Tier 4: The violation was due to willful neglect, and the entity has yet to try to take any corrective action to fix it. Fines of $50,000 and above

10. Meeting transaction standards

HIPAA requires all data transactions or transmissions to meet the X12 Data Exchange Standard. Some of the common transactions are:

• Claims status
• Coordination of benefits
• Payment and remittance advice
• Eligibility
• Referrals and authorizations

11. Stay updated with HIPAA changes

HIPAA compliance is an ongoing process so you need to stay up-to-date with the latest developments. The recent additions to HIPAA are:

• Allowing patients to examine their PHI in person and take notes or photographs
• Decreasing the maximum time for providing access to PHI from 30 days to 15 days
• Required entities must publish their fee schedule for PHI access and disclosure on their websites
• Enlarging the definition of healthcare operations to encompass care coordination and case management. 

4 Steps to Achieve HIPAA Compliance

Implementing steps in your process can enhance your HIPAA compliance and help you effectively mitigate potential risks associated with non-compliance.

To help you get started few steps are listed below: 

1. Set up security policies and procedures

Implement cohesive HIPAA compliance policies to reduce errors in day-to-day activities that cover all aspects of handling the PHI. These policies should be regularly reviewed and updated to meet the regulatory requirements.

2. Implement Internal Audits

Perform regular risk assessments and internal audits to ensure continuous HIPAA compliance and to evaluate the likelihood of potential vulnerabilities and threats.

3. Train Staff According to HIPAA Guidelines

HIPAA compliance relies on employees’ understanding and adherence to the regulations. Therefore, it’s crucial to provide comprehensive training on HIPAA laws, updates, and nuances.

Annual Training Requirement

Employees must receive HIPAA training annually. This includes trainees, volunteers, employees, or any individual under the direct control of a business associate or covered entity.

Benefits of HIPAA Training:

• Reduces the risk of violations and data breaches due to human error.
• Demonstrates compliance during OCR audits or inquiries.
• Enhances patient trust, supports career advancement, and improves job prospects.
• Minimizes the risk of sanctions, such as written warnings or loss of professional accreditation.

4. Implement Continuous Monitoring

HIPAA compliance is an ongoing process, not a one-time task. You have to get audited every year. To avoid penalties, you need to keep monitoring your controls and the best way to do it is through continuous compliance. So, establish a practice of continuous readiness for HIPAA certification.

If you’re struggling to meet HIPAA’s demands, consider a compliance automation solution like Sprinto, which offers robust and proactive continuous monitoring.

How Does Sprinto Help?

Sprinto helps in two important ways:

Continuous Monitoring: Sprinto monitors your IT system, identifies security weaknesses, and alerts you to unusual activities. It collects evidence of potential vulnerabilities and threats, allowing you to upload screenshots for analysis manually.

Security Guidance: Sprinto provides suggestions on addressing security issues and guides you in patching any vulnerabilities. To ensure the security of third-party solutions, Sprinto performs regular tests.

Looking to get audit-ready in weeks? Sprinto, a GRC automation solution, helps you align your controls with the requirements of HIPAA, monitor compliance posture in real time, and gather crucial evidence to help you get audit-ready in a matter of weeks.

How to get HIPAA certified?

HIPAA certification can be completed with the following seven steps:

1. Appoint security & privacy officer

A dedicated person or team is required to oversee the creation, implementation, and maintenance of HIPAA policies.

2. Develop privacy policies

Create written policies to comply with HIPAA’s Security and Privacy Rules, ensuring they’re reviewed and updated regularly.

3. Implement security safeguards

Administrative, physical, and technical measures to safeguard PHI must be deployed along with access controls, encryption, and backup systems.

4. Set business associate agreements (BAAs)

Secure written agreements with vendors to ensure their adherence to HIPAA when handling PHI.

5. Train staff

Annual HIPAA training for employees that covers key regulations, updates, and security practices should be conducted.

6. Conduct risk assessments

Annually analyze risks to ePHI, identify vulnerabilities, and implement strategies to mitigate potential breaches.

7. Establish breach notification protocol

Define procedures for notifying affected parties and authorities within 60 days if a PHI breach occurs.

Understand all the aspects of getting HIPAA certified in detail: HIPAA Certification Guide.

Most Recent HIPAA Updates

HIPAA compliance is constantly evolving to address new challenges in the healthcare industry. Here are the most recent updates you need to know.

FTC Updates Health Breach Notification Rule

Health information is often collected, processed, and transmitted by entities not covered by HIPAA. This means the information isn’t classified as protected health information and doesn’t fall under HIPAA rules. 

On April 26, 2024, the FTC updated the Health Breach Notification Rule. This update includes new and revised definitions to expand coverage to health apps and other technologies not covered by HIPAA.

Biden-Harris Administration Issues New Rule for Reproductive Health Care Privacy Under HIPAA

The Biden-Harris Administration has introduced a new rule to enhance privacy protections for medical records and health information. This rule focuses on women, their family members, and doctors involved in seeking, obtaining, providing, or facilitating lawful reproductive health care.

OCR Updates FAQs on Change Healthcare Cybersecurity Incident

The Office for Civil Rights (OCR) updated the FAQ page about the Change Healthcare cybersecurity incident. It was first published on April 19, 2024. The page mainly answers questions about how HIPAA rules apply to the incident affecting Change Healthcare and many other healthcare entities.

HIPAA Violations You Need To Know

Not all data breaches are HIPAA violations. If the data breach is caused by an outdated, ineffective, or incomplete HIPAA compliance program or a direct violation of the company’s HIPAA policy, then it becomes a HIPAA violation. 

The OCR issues fines on a sliding scale ranging from $100 – $50,000 per incident depending on the severity of the violation. If it finds that the investigated company deliberately committed a violation due to “willful neglect” of HIPAA Rules, it may levy heavy fines to the tune of $50,000+.

HIPAA violations may be discovered in three ways:

• OCR investigations into a data breach
• OCR investigations into complaints about covered entities or business associates
• HIPAA compliance audits

Take a look at these examples of penalties due to HIPAA violations to understand why compliance is important:

• Premera Blue Cross, the largest health plan in the Pacific Northwest, was fined $6.85 million for a 2014 data breach that compromised the ePHI of 10.4 million people. The OCR discovered a failure to conduct risk analysis and risk management. 
• University of California Los Angeles Health System, a healthcare provider, was fined $865,000 for failing to restrict access to medical records. Dr. Huping Zhou, an employee, accessed the records of celebrities and other patients without authorization and was the first physician to be jailed for a HIPAA violation. 
• Banner Health, one of the largest healthcare systems in the United States, was fined $200,000 for long delays in responding to patients’ requests for access to their medical records. 

Also, check out: Best HIPAA compliance software

HIPAA Compliance with Sprinto

HIPAA was developed to ensure the privacy of patient PHI, and its safeguards are intended to help healthcare organizations take necessary measures to secure patient data. HIPAA compliance may seem like a daunting task, but adopting a step-by-step approach with a compliance checklist will help you achieve it quickly. 

You can become HIPAA-compliant quickly and effortlessly with Sprinto’s assistance in crafting HIPAA policies, establishing controls, and collecting evidence. 

Sprinto seamlessly simplifies your HIPAA compliance journey. Our platform automates compliance tasks, monitors safeguards continuously, and manages vendors with access to PHI. The platform also comes with a built-in HIPAA training module to help you update your team on HIPAA rules.

Moreover, Sprinto helps you align your organization’s security controls with HIPAA requirements and makes it easy to implement and monitor controls in real-time. Whether you’re updating policies, conducting risk assessments, or preparing for audits, Sprinto supports you every step of the way.

Ready to take the next step? See Sprinto in action.

FAQ: HIPAA Compliance

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) sets standards for healthcare providers, insurers, and related entities to ensure the privacy and security of medical records and personal health data. It is a U.S. law that protects sensitive patient health information from being disclosed without consent.

HIPAA compliance means?

HIPAA compliance is the process of adhering to the standards set by the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive patient data. It requires covered entities, such as healthcare providers handling treatment, payment, and operations, as well as business associates who access or process PHI, to implement physical, network, and process security measures. Subcontractors and other related entities involved in handling PHI are also required to maintain compliance.

How to comply with HIPAA privacy rule? 

To comply with the HIPAA Privacy Rule, healthcare providers and covered entities must implement safeguards to protect patients’ protected health information (PHI). This includes:

• Obtaining patient consent before sharing PHI
• Providing patients access to their medical records
• Establishing policies for secure handling of health data
• Training staff on privacy practices
• Using secure communication methods while limiing PHI access to authorized personnel only.  

What is not covered under HIPAA?

Certain entities and situations not covered by HIPAA include:

• Life insurance companies
• Employers unless they also act as a health plan or healthcare provider
• Workers’ compensation programs
• Most schools and school districts
• Law enforcement agencies
• Municipal offices not engaged in HIPAA-covered transactions
• Personal health records maintained by individuals

What is HIPAA compliance in healthcare?

HIPAA compliance in healthcare involves fulfilling the requirements of HIPAA, its later amendments, and related laws like HITECH. Companies dealing with protected health information (PHI) should implement physical, process, and network security measures to be HIPAA-compliant. 

Is it mandatory to follow all HIPAA rules?

HIPAA is a regulatory requirement. This makes it mandatory for all healthcare organizations and entities to follow HIPAA rules without exception. Violation of any rule can lead to severe fines and penalties.

What are HIPAA violations?

HIPAA violations are breaches in a company’s compliance program that compromise the integrity of PHI or ePHI. Data breaches are HIPAA violations if they occur as a result of a direct violation of the company’s HIPAA policy or an ineffective or outdated compliance program.