Medical data is one of the most sensitive information types an organization could have. Therefore, the government enforces its protection by providing data security guidelines and envisions penalties for its negligence. Failure to comply with the regulations can deal a devastating financial blow to many organizations. The recovery of business trust in customers’ eyes often can’t be amended.
One such regulatory framework is the Health Insurance Portability and Accountability Act or HIPAA, a federal statute enforced by the United States legislature. Its primary function is to uphold the integrity of health data.
Here’s a complete overview of HIPAA and how to make sure that your business is in the clear.
What is HIPAA compliance?
HIPAA compliance ensures that the organization meets all the regulatory requirements imposed by the US federal government for protected health information or PHI. It refers to any information concerning a person’s health, healthcare, or payment for their healthcare.
PHI can take many forms, but its digital counterpart is ePHI — electronic Protected Health Information. Since most modern healthcare organizations store patient data digitally, this has become the primary private patient data archiving method.
These types of data fall under HIPAA compliance:
Who needs to be HIPAA Compliant?
HIPAA aims to supervise the healthcare industry. Generally, three organization types are subject to their compliance requirements.
Covered entities — are directly involved in creating and transmitting PHI by performing treatment or other procedures and accepting payments for health services. These organizations are subject to a full scope of HIPAA regulations.
Examples include doctors, clinics, psychologists, dentists, pharmacies, and health insurance companies.
Business associates — organizations that encounter PHI from covered entities but aren’t involved in its creation. This type covers many enterprises providing services to the healthcare industry.
Examples include consultants, accounting firms, IT suppliers, and lawyers.
Subcontractors — organizations hired by business associates to help with specific niche roles. Since it also means that they could have some PHI access, meaning that HIPAA applies to them, as well.
Examples: Cloud hosting providers, shredding companies, etc.
HIPAA Compliance checklist
Staying compliant with HIPAA means ensuring that multiple business areas are covered, which can be a colossal job. To help you start, we came up with a short HIPAA requirements checklist.
1. Dedicate responsible personnel
HIPAA compliance is easiest to manage when a responsible officer or a department owns it. A good practice is dedicating a HIPAA compliance officer to oversee all fields relating to its compliance. Plus, it provides your business with a transparent accountability chain.
2. Develop a HIPAA compliance administration plan
HIPAA has several rules that the organization must follow to stay compliant. They include adherence to multiple internal procedures and requirements for staff training. Your long-term organization strategy should cover HIPAA-relevant fields if you’re working in the healthcare industry.
3. Make sure your IT infrastructure meets the required standards
PHI or ePHI can’t be stored just about anywhere — it requires secure storage. The protection types fall into two categories: technical and physical.
Technical deal with the supervision of hardware and software of the machine that stores PHI. Logs monitoring to check who accessed what particular data is a good example.
Physical safeguards govern restrictions on who has access to where PHI is stored. It regulates who has what credentials and how much of what data is accessible to them.
4. Maintain technologies used for PHI handling
Under HIPAA, a business is responsible for PHI safety during transmission, use, and rest. It requires adding cybersecurity technologies to your setup to ensure that your security methods aren’t easily bypassable. Outdated systems provide an open door to hackers, so plan for periodic security update pushes.
5. Evaluate the current risk level
HIPAA compliant organizations regularly perform security audits making risk analysis an ongoing matter. What is more, your audits should also cover all administrative and technical policies. The only way to stay compliant is through periodic checks.
6. Plan for emergencies
Develop an action plan that you would be taking in case of a cyberattack. All HIPAA compliant businesses must have specific procedures for unexpected data breach handling as stated in the Breach Notification Rule. Cover such areas as notifying customers and other entities.
7. Investigate found violations
An investigation into each report about a found HIPAA violation must provide guidelines and a timeframe for its resolution. Usually, this step will follow after your audits, and an organization must resolve each discovered violation before it can be fully HIPAA compliant.
8. Document your findings
Everything related to HIPAA and its actions must be logged and recorded. Its scope should include everything from the first steps taken to audit evaluations. A good practice is to keep it in one single corpus to make HIPAA compliance policies transparent and valuable in case of a violation.
9. Find the right partners
If you lack the resources to manage everything in-house, there are security vendors specializing in compliance. Such companies can provide you with software that matches your setup and complies with all HIPAA requirements. However, you must ensure that they’re trustworthy and won’t accidentally leak your data themselves.
10. Get familiar with the 4 HIPAA rules
HIPAA establishes four rules for safeguarding the privacy and security of a patient’s medical information. Each provides a framework for a specific field detailing how to proceed to HIPAA compliance.
HIPAA Privacy Rule
HIPAA Privacy Rule outlines a patient's rights regarding their health information and regulates who can access it. The framework defines what information falls under the ePHI classification and its maintenance and transmission channels without endangering data’s integrity.
Not all of it deals only with digital information. Parts of this rule also list the required paperwork and consent forms to be filled out by those handling PHI. The timeframe is irrelevant, as it applies to past, present, and upcoming visits, payments, or procedures.
The only disclosure exclusions are specific care, research, or legal purposes.
HIPAA Security Rule
HIPAA Security Rule establishes standards for safeguarding information when transmitted or stored electronically. So, while privacy defines procedures for keeping the data confidential, the security rule is about the technical methods to make it inaccessible for unauthorized individuals.
The Security Rule covers all areas, including physical safeguards, used technologies, administration, and everything else relating to the act of securing the PHI storage devices. Three main fields are usually distinguished:
Administrative — covers policies and procedures of PHI handling.
Physical — covers premise management of locations storing PHI where PHI.
Technical — covers the technology behind what’s done to PHI to keep its electronic version secure.
HIPAA Breach Notification Rule
As the name implies, the Breach Notification Rule details the course of action in case of a data breach. This rule assumes that no system is 100% hackproof and that it’s better to have a detailed plan of what to do in case of an emergency. It defines how to notify the affected patients and what steps to take to limit the damage.
The steps are as follows:
Affected individuals notification plan. Affected patients have to receive written notices about what has happened with their data.
Public disclosure plan. In most cases, the affected organization has to issue a public statement in primary news media sources.
The timeframe is two months. It’s imperative by law to disclose findings of a data breach under 60 days.
Inform the Secretary of Health. If the incident affects more than 500 people, the report submission timeframe is 60 days. If it affects less than 500 people, the timeframe extends to the end of the year.
HIPAA Omnibus Rule
One of the most recent additions to HIPAA, the Omnibus Rule, expands the scope of regulated entities beyond Covered Entities. The current result means that the Covered Entity will be held responsible for any potential violations of their business associates and subcontractors. It made it more challenging to blame the partners for raising the safety standards.
To ensure that the organization won’t have any problems with this point. It’s necessary to align safety standards used internally and externally. Closer alignment of risk assessment and compliance procedures is also needed.
HIPAA compliance checklist FAQ
What are HIPAA compliance requirements?
HIPAA compliant entities are required to evaluate potential risks targeting PHI confidentiality. The key areas are administrative practices, physical security, IT systems security, and crisis recovery plan. After identifying the risks, they must implement an action plan to eliminate them.
What must a HIPAA checklist include?
All HIPAA checklists will rely on the gathered data on all the key areas to evaluate potential risks. Its documentation should act as the basis for HIPAA compliance enforcement detailing specific actions to limit PHI exposure to the public.
How do I know my documentation is sufficient to pass the HIPAA compliance audit?
You can head to the HSS website and download their Audit Protocol. It covers all the areas that should reflect in your HIPAA compliance checklist. However, if you feel that this task is beyond your capabilities, consider that many consulting services will cover the paperwork for a fee.
What happens if you fail a HIPAA audit?
The consequences will depend on the severity of the violations. Your audit report should list minor infractions, and often you’ll have to provide evidence of the actions taken to protect the data. However, major offenses can make you liable for penalties.
What HIPAA audit focuses on the most?
HIPAA audits address all aspects of HIPAA compliance, covering administrative practices, physical security setup, data breach action plan, and other technical measures to keep PHI safe.
What are the most common HIPAA violations?
Most common HIPAA violations result from the lack of employee awareness and flaws in internal security practices. PHI data could be accidentally shared outside the company even if the top security precautions protect it.
How can NordLayer help?
NordLayer provides remote access to internal company resources. It makes it easier to comply with HIPAA technical requirements without requiring advanced setups or long deployment. Secure every endpoint in your organization, locking down essential apps and databases while keeping user-friendly access. Get in touch with our team and learn how your organization can benefit from the Zero Trust and the SASE framework.