HIPAA Compliance Checklist
Ensure You Comply with the HIPAA Regulations
If your organization has access to electronic protected health information (ePHI), it is recommended that you review our HIPAA compliance checklist to ensure that you comply with all the HIPAA regulations for the security and privacy of confidential patient data.
Failure to comply with the HIPAA regulations can result in a substantial fine and possible criminal and civil action should a breach of ePHI occur. There are also regulations you need to be aware of regarding how to report a breach, and ignorance of these regulations is not considered a justifiable reason for escaping a penalty from the Department of Health and Human Services.
Our HIPAA compliance checklist has been compiled by dissecting the HIPAA Security and Privacy Rules, the HIPAA Breach Notification Rule and the HIPAA Enforcement Rule.
Our HIPAA Compliance Checklist
Our HIPAA compliance checklist has been divided into segments for each of the applicable rules. It should be pointed out that there is no hierarchy in the HIPAA regulations, and even though some are referred to as “addressable”, this does not imply that they are optional. Each of the criteria of the HIPAA compliance checklist has to be adhered to if your organization is to comply with the HIPAA regulations.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody that has access to confidential patient data, and by “access” we mean having the means necessary to read, write, modify or communicate personal identifiers which reveal the identity of an individual whose data should remain confidential.
There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in order on our HIPAA compliance checklist.
The Technical Safeguards concern the technology that protects ePHI and access to it. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to:
- Implement a means of access control (required). This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures so that ePHI can be accessed during an emergency.
- Introduce a mechanism to authenticate ePHI (addressable). This mechanism is essential in order to comply with the HIPAA regulations as it corroborates that ePHI has not been altered or destroyed in an unauthorized manner.
- Implement tools for encryption and decryption (addressable). This guideline relates to the devices used by authorized users having the function to encrypt messages when they are sent and decrypt messages when they are received.
- Introduce activity audit controls (required). The audit controls that are required under the technical safeguards are there to register access to ePHI and record what is done with it once it has been accessed.
- Facilitate automatic logoff (addressable). This function – although addressable – logs authorized users off the device they are using to access or communicate ePHI after a pre-set period of time, to prevent unauthorized access to ePHI when the device is left unattended.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the HIPAA covered entity's location. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
- Facility Access Controls must be implemented (addressable). Procedures have to be introduced to record any person who has physical access to the location where ePHI is stored. This includes software engineers, cleaners and even a handyman coming to change a light bulb. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
- Policies relating to workstation use (required). Policies must be devised and implemented to restrict access to workstations that have access to ePHI, to specify the protective surrounding of a workstation (so that the screen of a workstation cannot be overlooked from an unrestricted area) and govern how functions are to be performed on the workstations.
- Policies and procedures for mobile devices (required). If mobile devices are to be allowed access to ePHI, policies must be devised and implemented to govern how ePHI is removed from the device before it is re-used.
- Inventory of hardware (addressable). An inventory of all hardware must be maintained, together with a record of its movements. A retrievable exact copy of ePHI must be made before any equipment is moved.
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI and to govern the conduct of the workforce. These measures include:
- Conducting risk assessments (required). Among the Security Officer's tasks is compiling a risk assessment to identify every area in which ePHI is being used and to determine all of the ways in which breaches of ePHI could occur.
- Introducing a risk management policy (required). The risk assessment must be repeated at regular intervals, with measures introduced to reduce the risks to an appropriate level and a sanctions policy implemented for employees who fail to comply with the HIPAA regulations.
- Training employees to be secure (addressable). Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware.
- Developing a contingency plan (required). In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes and to protect the integrity of ePHI while the organization is operating in emergency mode.
- Testing of contingency plan (addressable). The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
- Restricting third-party access (required). It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI stored on the organization's system.
- Reporting security incidents (addressable). The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. Nonetheless, all employees should be aware of how and when to report an incident in order that action can be taken to prevent a breach whenever possible.
The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented whereas there is a certain amount of flexibility with “addressable” safeguards.
If it is not reasonable to implement an “addressable” safeguard as it appears in the HIPAA Security Rule, covered entities have the option of introducing an appropriate alternative, or not introducing the safeguard at all.
The decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy, and what security measures are already in place; but the decision must be documented in writing and include the factors that were considered as well as the results of the risk assessment on which the decision was based.
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how ePHI is used and disclosed in order to comply with the HIPAA regulations. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of healthcare plans (including employers), health care clearing houses and – from 2013 – business associates.
The Privacy Rule requires appropriate safeguards be implemented to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections where necessary.
Although there are no specific items that would need to appear on a HIPAA compliance checklist, readers are advised to ensure:
- Training is provided to employees in order that they know what information may and may not be shared outside of an organization's security mechanism.
- Appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
- Written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research.
Covered entities should therefore make sure that their patient authorization forms have been updated to include the disclosure of immunization records to schools, the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and to include the option of providing an electronic copy to a patient when it is requested.
The full content of the HIPAA Privacy Rules can be found on the Health & Human Services website.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services if there is any breach of ePHI, and notify the media if the breach affects more than five hundred patients. Notifications should include the following information:
- The nature of the ePHI involved, including the types of identifiers
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known)
- Whether the ePHI was actually acquired or viewed (if known)
- The extent to which the risk to the ePHI has been mitigated
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach; and – when notifying a patient of a breach – the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, and give a brief description of what the covered entity is doing to investigate the breach and prevent further breaches.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that will follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI, and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000
- A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000
- A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.
Fines are imposed per violation per record and can quickly mount up to the maximum amount of $1,500,000 per year if action is not taken to comply with the HIPAA regulations. It should also be noted that the penalties for willful neglect will also include criminal charges in addition to civil lawsuits from the affected patient(s).
If you would like to make sure that your organization is doing all it can to be compliant with the latest HIPAA laws, please visit our partners at eGestalt for a free scan of your network for HIPAA violations and a road map to help you create a culture of compliance.