Medical data is your organization's most sensitive information. That's why the government enforces its protection and provides the regulatory framework for data security. Neglecting it results in high penalties and can deal a devastating financial blow to your business.
But this is not the only loss you can suffer. Often, it's also hard to regain your customers' trust. And your organization can also be on the Office for Civil Rights Wall of Shame, with all the details about the violation.
The Health Insurance Portability and Accountability Act, or HIPAA, is a federal statute enforced by the United States legislature. It sets standards for protecting patients' sensitive data from being disclosed without their consent.
This HIPAA compliance checklist can help you comply with regulations. In this article, we focus on ten steps to achieving HIPPA compliance and tips on implementing them, and then we'll answer frequently asked questions.
What is HIPAA compliance?
HIPAA compliance ensures that the organization meets all the regulatory requirements imposed by the US federal government for protected health information or PHI. It refers to any information concerning a person's health, healthcare, or payment for their healthcare.
PHI can take many forms, but its digital counterpart is ePHI — electronic Protected Health Information. Since most modern healthcare organizations store patient data digitally, this has become the primary private patient data archiving method.
These types of data fall under HIPAA compliance:
The benefits of HIPAA compliance
HIPAA compliance is essential for healthcare organizations and patients. It ensures healthcare providers securely handle sensitive information according to the same rules. For example, according to the HIPPA Minimum Necessary Standard, an insurance company can only get information on a patient's clinical history. In short, every covered entity must follow HIPAA regulations.
Also, HIPAA compliance builds your organization's reputation and patients' trust. And it gives them peace of mind about their sensitive data.
Who needs to be HIPAA Compliant?
Generally, three organization types are subject to their compliance requirements.
Covered entities — are directly involved in creating and transmitting PHI by performing treatment or other procedures and accepting payments for health services. These organizations are subject to a full scope of HIPAA regulations.
Examples: doctors, clinics, psychologists, dentists, pharmacies, and health insurance companies.
Business associates — organizations that handle PHI and obtain it from covered entities but aren't involved in its creation. This type covers many enterprises providing services to the healthcare industry.
Examples: consultants, accounting firms, IT suppliers, and lawyers.
Subcontractors — organizations hired by business associates to help with specific niche roles. Since it also means that they could have some PHI access, meaning that HIPAA applies to them.
Examples: Cloud hosting providers, shredding companies, etc.
HIPAA compliance checklist
Being HIPAA-compliant means covering multiple business areas, which can be a colossal job. To help you get started, we created a short HIPAA compliance checklist.
1. Dedicate responsible personnel
The first step is to appoint a privacy and security officer to oversee the implementation of your HIPAA compliance program and ensure it is efficient. It will also make your organization transparent. Then the second step is to develop a written privacy and security policy and code of conduct for everyone in your organization. It's also essential to carefully document all the policies and procedures.
2. Develop a HIPAA compliance administration plan
HIPAA has several rules that organizations must follow to stay compliant. They include following internal guidelines for staff training. Your long-term organization strategy should cover HIPAA-relevant fields if you're working in the healthcare industry. And it should also have a security awareness training program for your staff.
Most HIPAA breaches happen because of unintentional disclosures or negligence. For example, sending a patient's PHI to the wrong party or accessing their billing information accidentally while going through their medical history. That's why having a HIPAA compliance plan is essential, so all the staff knows how to handle PHI at your organization.
3. Make sure your IT infrastructure meets the required standards
PHI or ePHI can't be stored anywhere — it requires secure storage. The protection types fall into two categories: technical and physical.
Technical deal with supervising hardware and software of the machine that stores PHI. Logs monitoring to check who accessed what particular data is a good example.
Physical safeguards govern restrictions on who has access to where PHI is stored. It regulates who has what credentials and how much data is accessible to them.
4. Deploy technologies for PHI handling
According to HIPAA, every covered entity is responsible for PHI safety. It involves adding technologies to your setup to ensure your security methods aren't easily bypassable. Outdated systems open the door to hackers, so plan for regular security software updates.
According to the HIPAA Security Rule, covered entities and their business associates must protect PHI at rest and during transmission. One of the security methods is to use technology that encrypts data, monitors authorized users and blocks unauthorized user access.
5. Evaluate the current risk level
HIPAA doesn't require official audits as it is a federal law. And, you can't get a certification that you're HIPAA-compliant. Instead, what you need to do is self-assessment. You can then discover if there's a breach or a suspicion of a violation.
HIPAA-compliant organizations regularly perform security audits making risk analysis an ongoing matter. What is more, your audits should also cover all administrative and technical policies. The only way to stay compliant is through periodic checks.
6. Plan for emergencies
Develop an action plan for responding in case of cyberattacks or security incidents. As the Breach Notification Rule states, all HIPAA-compliant businesses must have specific policies and procedures for handling an unexpected data breach.
The administrative safeguards require a contingency plan. Tailoring it to your organization, location, and policies would be best. It is the only way to secure the availability, integrity, and security of Protected Health Information. The plan should create a roadmap of actions during an emergency and should include the method of data backup, contacting workforce and business associates. So, everybody in your organization knows what to do if an incident happens.
7. Investigate found violations
An investigation into each report about a found HIPAA violation must provide guidelines and a timeframe for its resolution. Usually, this step will follow after your audits, and an organization must resolve each discovered violation before it can be HIPAA-compliant.
As the HIPAA Breach Notification Rule states, you should report a breach within 60 days following the date of discovery. Exceeding this time is one of the HIPAA violations. In addition, your business associates must also report attempts or successful unauthorized uses or disclosures of PHI.
8. Document our HIPAA activity
Everything related to HIPAA and its actions must be logged and recorded. Its scope should include everything from the first steps taken to audit evaluations. A good practice is to keep it in one place to make HIPAA compliance policies transparent and valuable in case of a violation.
Remember to keep the documents containing PHI or the policies about PHI for at least six years. The HIPAA documentation includes policies and procedures, all written and electronic communications, and actions requiring records.
9. Find the right security provider
If you lack the resources to manage everything in-house, there are security vendors who specialize in compliance. Such companies can provide software that matches your setup and complies with all HIPAA requirements. However, you must ensure they're trustworthy and won't accidentally leak your data.
10. Get familiar with HIPAA
HIPAA establishes four rules for safeguarding the privacy and security of patient medical information. Each provides a framework for a specific field detailing how to meet HIPPA compliance regulations, as HIPAA violation consequences can be profound. Violating HIPAA laws can cost your organization thousands of dollars in fines.
By familiarizing yourself and your staff with HIPAA rules, you can ensure your organization is compliant. And your sensitive data is protected.
Main HIPAA rules
HIPAA Privacy Rule
HIPAA Privacy Rule outlines patients' rights regarding their health information and regulates who can access it. It also defines what information falls under the ePHI classification and its maintenance and transmission channels without endangering data integrity.
Not all of it deals only with digital information. Parts of this rule also list the required paperwork and consent forms to be filled out by those handling PHI. The timeframe is irrelevant, as it applies to past, present, and upcoming visits, payments, or procedures.
However, there're some exceptions regarding the uses and disclosures of PHI. The HIPAA Minumum Necessary Standard defines these exceptions. For example, when a patient wants to access their medical history or in case of judicial proceedings, a covered entity must share the requested PHI.
HIPAA Security Rule
HIPAA Security Rule establishes standards for safeguarding information when transmitted or stored electronically. So, while privacy defines procedures for keeping the data confidential, the security rule concerns the technical methods to make it inaccessible to unauthorized individuals.
The Security Rule covers all areas, including physical safeguards, used technologies, administration, and everything else relating to securing the PHI storage devices. Three primary safeguards are:
Administrative safeguards concern PHI handling policies and procedures, including training all employees on HIPAA regulations and code of conduct and assigning a staff security official. Administrative safeguards also apply to regular security risk assessments to monitor risks and system gaps.
Physical safeguards are measures that ensure the physical security of PHI. Your organization needs a restricted-access location or facility where you can store all the PHI. It's also essential to implement security systems to prevent intrusion and detection and to control workstations and devices accessing PHI.
Technical safeguards apply to hardware, software, and other technologies that limit access to ePHI and secure the digital transmission of ePHI. It means implementing access control solutions like encryption, multi-factor authentication, automatic log-off, and audit control.
HIPAA Breach Notification Rule
As the name implies, the Breach Notification Rule details the course of action in case of a data breach. This rule assumes that no system is 100% hackproof and that it's better to have a detailed plan of what to do in an emergency. It defines how to notify the affected patients and what steps to take to limit the damage.
The steps are as follows:
Affected individuals' notification plan. Patients whose PHI has been disclosed must receive a written notice about what has happened with their sensitive data.
Public disclosure plan. In most cases, the affected organization has to issue a public statement in primary news media sources.
The timeframe is two months. It's imperative by law to disclose data breach findings under 60 days.
Inform the Secretary of Health. If the incident affects more than 500 people, the report submission timeframe is 60 days. If it affects less than 500 people, the timeframe extends to the end of the year.
HIPAA Omnibus Rule
It's one of the most recent additions to HIPAA that expands the scope of regulated entities beyond covered entities. The current result means that a covered entity will be held responsible for any potential violations of their business associates and subcontractors. It made it more challenging to blame the partners for raising the safety standards.
To ensure that your organization won't have any problems, aligning internal and external safety standards and risk assessment with compliance procedures is necessary.
Tips for a successful HIPAA compliance plan
As covered entities and their business associates have access to medical records, they must meet HIPAA regulations. All aspects, such as physical and technical data security safeguards, are equally important and should be considered.
Our HIPAA compliance checklist can help you determine the expectations for your organization. To demonstrate HIPPA compliance, you must know where your sensitive data is, how it's classified, who and when can access it, and how to design and implement controls to protect your PHI and monitor all its access.
The path to HIPAA compliance can be long and winding, but choosing the right network access solution can make it easier to achieve it.
HIPAA compliance checklist FAQ
What are HIPAA compliance requirements?
HIPAA-compliant entities are required to evaluate potential risks targeting PHI confidentiality. The key areas are administrative practices, physical security, IT systems security, and crisis recovery plan. After identifying the risks, they must implement an action plan to eliminate them.
What must a HIPAA checklist include?
All HIPAA checklists will rely on the gathered data on all the key areas to evaluate potential risks. Its documentation should act as the basis for HIPAA compliance enforcement detailing specific actions to limit PHI exposure to the public.
How do I know my documentation is sufficient to pass the HIPAA compliance audit?
You can head to the HSS website and download their Audit Protocol. It covers all the areas that should reflect in your HIPAA compliance checklist. However, if you feel this task is beyond your capabilities, consider that many consulting services will cover the paperwork for a fee.
What happens if you fail a HIPAA audit?
The consequences will depend on the severity of the violations. Your audit report should list minor infractions, and often you'll have to provide evidence of the actions taken to protect the data. However, major offenses can make you liable for penalties.
What HIPAA audit focuses on the most?
HIPAA audits address all aspects of HIPAA compliance, covering administrative practices, physical security setup, data breach action plans, and other technical measures to keep PHI safe.
What are the most common HIPAA violations?
Most common HIPAA violations result from the lack of employee awareness and flaws in internal security practices. PHI data could be accidentally shared outside the company even if the top security precautions protect it.
How can NordLayer help?
NordLayer's HIPAA-compliant solutions make it easier to comply with HIPAA requirements without advanced setups or long deployment. Secure every endpoint in your organization, locking down essential apps and databases while keeping user-friendly access. Contact our team and learn how your organization can benefit from the Zero Trust and SSE solutions.
This article has been prepared for general informational purposes and is not legal advice. We hope that you will find the information informative and helpful. However, you should use the information in this article at your own risk and consider seeking advice from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.