HIPAA Compliance Checklist

HIPAA Compliance Checklist 2018-2019

If your organization has access to electronic Protected Health Information (ePHI), it is recommended that you review our HIPAA compliance checklist 2018-2019. The purpose of our HIPAA compliance checklist is help ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.

Failure to comply with HIPAA regulations can result in substantial fines being issued and criminal charges and civil action lawsuits being filed should a breach of ePHI occur. There are also regulations you need to be aware of covering breach reporting to the OCR and the issuing of breach notifications to patients.

Ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR will issue fines for non-compliance regardless of whether the violation was inadvertent or resulted from willful neglect.

Our HIPAA compliance checklist 2018-2019 has been compiled by dissecting the HIPAA Security and Privacy Rules, the HIPAA Breach Notification Rule, HIPAA Omnibus Rule and the HIPAA Enforcement Rule. If you are unsure as to whether you need to comply with these HIPAA regulations you should refer to our “HIPAA Explained” page. For more information on the background to the regulations please review our “HIPAA History” page.

Our HIPAA Compliance Checklist

Our HIPAA compliance checklist has been divided into segments for each of the applicable rules. It should be pointed out that there is no hierarchy in HIPAA regulations, and even though privacy and security measures are referred to as “addressable”, this does not mean they are optional. Each of the criteria in our HIPAA compliance checklist has to be adhered to if your organization is to achieve full HIPAA compliance.

What is HIPAA Compliance?

Before discussing the elements of our HIPAA compliance checklist, it is best to answer the question “What is HIPAA compliance?” HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Typically the question following “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” That question is not so easy to answer as – in places – the requirements of HIPAA are intentionally vague. This is so HIPAA can be applied equally to every different type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI). For the sake of clarification:

What is a Covered Entity?

A covered entity is a health care provider, a health plan or a health care clearing house who, in its normal activities, creates, maintains or transmits PHI. There are exceptions. Most health care providers employed by a hospital are not covered entities. The hospital is the covered entity and responsible for implementing and enforcing HIPAA complaint policies.

Employers – despite maintaining health care information about their employees – are not generally covered entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these cases they are considered to be “hybrid entities” and any unauthorized disclosure of PHI may still be considered a breach of HIPAA.

What is a Business Associate?

A “business associate” is a person or business that provides a service to – or performs a certain function or activity for – a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc.

Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate´s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.

HIPAA Requirements

Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.

All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened. Each of the HIPAA requirements is explained in further detail below. Business unsure of their obligation to comply with the HIPAA requirements should seek professional advice.

HIPAA Security Rule

The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual (for an explanation of “personal identifiers”, please refer to our “HIPAA Explained” page).

There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in order in our HIPAA compliance checklist.

Technical Safeguards

The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization´s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to:

Implementation Specification Required or Addressable Further Information
Implement a means of access control Required This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
Introduce a mechanism to authenticate ePHI Addressable This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
Implement tools for encryption and decryption Addressable This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received.
Introduce activity logs and audit controls Required The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.
Facilitate automatic log-off of PCs and devices Addressable This function logs authorized personnel off of the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access of ePHI should the device be left unattended.

Physical Safeguards

The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:

Implementation Specification Required or Addressable Further Information
Facility access controls must be implemented Addressable Controls who has physical access to the location where ePHI is stored and includes software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
Policies for the use/positioning of workstations Required Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation and govern how functions are to be performed on the workstations.
Policies and procedures for mobile devices Required If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.
Inventory of hardware Addressable An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.

The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits; not just to make sure that the organization in question has conducted one, but to ensure to ensure they are comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.

The administrative safeguards include:

Implementation Specification Required or Addressable Further Information
Conducting risk assessments Required Among the Security Officer´s main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
Introducing a risk management policy Required The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
Training employees to be secure Addressable Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
Developing a contingency plan Required In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
Testing of contingency plan Addressable The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
Restricting third-party access Required It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
Reporting security incidents Addressable The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach.

The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, covered entities have the option of introducing an appropriate alternative, or not introducing the safeguard at all.

That decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment, on which the decision was based.

HIPAA Privacy Rule

The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered entities.

The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.

Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.

Covered entities are also advised to:

  • Provide training to employees to ensure they are aware what information may – and may not – be shared outside of an organization´s security mechanism.
  • Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
  • Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research.

Covered entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and also the option of providing an electronic copy to a patient when it is requested.

The full content of the HIPAA Privacy Rules can be found on the Department of Health & Human Services website.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than five hundred patients.

There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.

Breach notifications should include the following information:

  • The nature of the ePHI involved, including the types of personal identifiers exposed.
  • The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
  • Whether the ePHI was actually acquired or viewed (if known).
  • The extent to which the risk of damage has been mitigated.

Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule was introduced to address a number of areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors.

Business Associates are classed as any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a covered entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations and any subcontractors used by Business Associates.

The Omnibus Rule amends HIPAA regulations in five key areas:

  • Introduction of the final amendments as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Incorporation of the increased, tiered civil money penalty structure as required by HITECH.
  • Introduced changes to the harm threshold and included the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act.
  • Modification of HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to prohibit the disclosure of genetic information for underwriting purposes.
  • Prevented the use of ePHI and personal identifiers for marketing purposes.

Definition changes were also made to the term Business Associate, the term Workforce was amended to include employees, volunteers and trainees, and what material is now classified as Protected Health Information.

Covered entities must now:

  • Update Business Associate Agreements – Old BA agreements must be updated to take the Omnibus Rule into account. Business Associates must be made aware that they are bound by the same Security Rule and Privacy Rule regulations as covered entities, and must similarly implement the appropriate technical, physical and administrative safeguards to protect ePHI and personal identifiers. Bas must comply with patient access requests for information and data breaches must be reported to the covered entity without delay, while assistance with breach notification procedures must also be provided.
  • Issue new Business Associate Agreements – A new HIPAA-compliant agreement must be signed before the services provided by a BA are used.
  • Update privacy policies – Privacy policies must be updated to include the Omnibus Rule definition changes. These include amendments relating to deceased persons, patient access rights to their ePHI and the response to access requests. Policies should also reflect the new limitations of disclosures to Medicare and insurers, the disclosure of ePHI and school immunizations, the sale of ePHI and its use for marketing, fundraising and research.
  • Update Notices of Privacy Practices – NPPs must be updated to cover the types of information that require an authorization, the right to opt out of correspondence for fundraising purposes and must factor in the new breach notification requirements
  • Train staff – Staff must be trained on the Omnibus Rule amendments and definition changes. All training must be documented.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:

  • A violation attributable to ignorance can attract a fine of $100 – $50,000.
  • A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
  • A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
  • A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.

Fines are imposed per violation category and reflect the number of records exposed in a breach, risk posed by the exposure of that data and the level of negligence involved. Penalties can easily reach the maximum fine of $1,500,000 per year, per violation category. It should also be noted that the penalties for willful neglect can also lead to criminal charges being filed. Civil lawsuits for damages can also be filed by victims of a breach.  The organizations most commonly subject to enforcement action are private medical practices (solo doctors or dentists, group practices, and so on), hospitals, outpatient facilities such as pain clinics or rehabilitation centers,  insurance groups, and pharmacies. The most common disclosures to the HHS are:

  • Misuse and unauthorized disclosures of patient records.
  • No protection in place for patient records.
  • Patients unable to access their patient records.
  • Using or disclosing to third parties more than the minimum necessary protected health information
  • No administrative or technological safeguards for electronic protected health information.

What Should a HIPAA Risk Assessment Consist Of?

Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities and complexity. However, OCR does provide guidance on the objectives of a HIPAA risk assessment:

  • Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors and Business Associates.
  • Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
  • Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
  • Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
  • Document the findings and implement measures, procedures and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
  • The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.

As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist, and should be reviewed regularly when changes to the workforce, work practices or technology occur.

Depending on the size, capability and complexity of a Covered Entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a “specific risk analysis methodology”, there is no “one-size-fits-all solution.

The Importance of Data Encryption

The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks.

Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure which should be thoroughly evaluated and addressed.  Suitable alternatives should be used if data encryption is not implemented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft.

Data is first converted to an unreadable format – termed ciphertext – which cannot be unlocked without a security key that converts the encrypted data back to its original format. If an encrypted device is lost or stolen it will not result in a HIPAA breach for the exposure of patient data. Data encryption is also important on computer networks to prevent hackers from gaining unlawful access.

How to Become HIPAA Compliant

Many vendors would love to develop apps, software, or services for the healthcare industry, although they are unsure how to become HIPAA compliant. While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, it can be a difficult process for organizations unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and implement all appropriate privacy and security controls.

Until vendors can confirm they have implemented all the appropriate safeguards to protect ePHI at rest and in transit, and have policies and procedures in place to prevent and detect unauthorized disclosures, their products and services cannot be used by HIPAA-covered entities. So, what is the easiest way to become HIPAA compliant?

You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates all of the technical, administrative, and physical safeguards of the HIPAA Security Rule.  You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules.

Get anything wrong and fail to safeguard ePHI and, as a HIPAA business associate, you can be fined directly for HIPAA violations by the HHS’ Office for Civil Rights, state attorneys general and other regulators. Criminal charges may also be applicable for some violations. HIPAA compliance can therefore be daunting, although the potential benefits of moving into the healthcare market are considerable.

To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking expert guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with HIPAA certification.

HIPAA IT Compliance

HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA compliance checklist are covered.

Risk assessment and management is a key consideration for HIPAA IT compliance. One way to help ensure risks are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework will help you to prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur.

HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that ‘touches’ ePHI must incorporate appropriate security protections to ensure the confidentiality, integrity, and availability of ePHI.

One element of the HIPAA compliance checklist that is often low down on the priority list is monitoring ePHI access logs regularly. Inappropriate accessing of ePHI by healthcare employees is common, yet many covered entities fail to conduct regular audits and inappropriate access can continue for months or sometimes years before it is discovered.

HIPAA Compliance Checklist for IT

In addition to the rules and regulations that appear on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to increase the security of Protected Health Information.

Potential lapses in security due to the use of personal mobile devices in the workplace can be eliminated by the use of a secure messaging solution. Secure messaging solutions allow authorized personnel to communicate PHI – and send attachments containing PHI – via encrypted text messages that comply with the physical, technical and administrative safeguards of the HIPAA Security Rule.

Email is another area in which potential lapses in security exist. Emails containing PHI that are sent beyond an internal firewalled served should be encrypted. It should also be considered that emails containing PHI are part of a patient´s medical record and should therefore be archived securely in an encrypted format for a minimum of six years.

As medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases, and healthcare organizations can mitigate the risk of this happening to them with a web content filter.

Additional HIPAA IT Requirements

As well as the technological regulations mentioned above, there are many miscellaneous HIPAA IT requirements that are easy to overlook – for example the facility access rules within the physical safeguards of the Security Rule. These HIPAA IT requirements may inadvertently be discounted if the IT Department has no responsibility for the physical security of its servers, and it will be the HIPAA Security Officer´s role to establish responsibility.

Other areas of the HIPAA IT requirements frequently overlooked include Business Associate Agreements with SaaS providers and hosting companies who may have access to PHI via the services they provide. The same applies to software developers who build eHealth apps that will transmit PHI. There has to be a Business Associate Agreement in place with any health care provider distributing the app in order to be compliant with the HIPAA IT requirements.

HIPAA Audit Checklist

The final area of our HIPAA compliance checklist concerns a HIPAA audit checklist. The passage of the HIPAA Enforcement Rule created a viable way in which HHR could monitor HIPAA compliance. It was found that a Covered Entity or Business Associate had made no attempt to comply with HIPAA, HHR could issue fines even if no breach of PHI had occurred.

In order to help Covered Entities and Business Associates compile a HIPAA audit checklist, HHR has released audit protocols for the first two rounds of audits. You can find out more about the audit protocols on our dedicated HIPAA Audit Checklist page, and – if you scroll down to the bottom of the page – the latest updates on the audits and details about documentation requests.

2018 HIPAA Compliance

In March 2018, future changes to HIPAA regulations were hinted at by HHS’ Office for Civil Rights (OCR) director Roger Severino. Speaking at the National HIPAA Summit in Arlington, VA, Severino pointed to three areas of HIPAA compliance OCR was considering changing:

  • Restitution payments to individuals whose PHI had been disclosed in a breach of HIPAA.
  • The removal of the requirement to store forms acknowledging receipt of Privacy Notices.
  • Clarification of what are consider “good faith” disclosures when a patient is incapacitated.

Before implementing the proposed changes, OCR will seek feedback from Covered Entities by publishing the changes on its website and inviting comments. With regard to how long it may be before any changes are implemented, consultation periods are usually quite prolonged; so it will likely be the case there are no changes to the 2018 HIPAA compliance requirements in the near future.

The general trends in 2018 for HIPAA compliance seem to be that more Business Associates are paying attention to the HIPAA Privacy and Security Rules. This may be as a consequence of the EU´s General Data Protection Regulation (“we have to comply with GDPR, so we might as well comply with HIPAA”) or attributable to continued OCR enforcement actions and the message finally getting home.

Please review our infographic below to see the cost of failing to complete and implement a HIPAA compliance checklist.

HIPAA Compliance Infographics

HIPAA Resources

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA […]

Is Texting in Violation of HIPAA?

To say that texting is in violation of HIPAA is not strictly true. Depending on the content of the text message, who the text message is being sent to, or mechanisms put in place to ensure the integrity of Protected Health Information (PHI), texting can be in compliance with HIPAA in certain circumstances. Any misunderstanding surrounding texting being in violation of HIPAA comes from the complex language […]

FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls

The Federal Communication Commission has issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls. Some healthcare providers have had trouble understanding the rules regarding HIPAA and patient telephone calls, and how the rules comply with the Telephone Consumer Protection Act (TCPA). […]

HIPAA History

Our HIPAA history lesson starts on August 21, 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law, but why was the HIPAA act created? HIPAA was created to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. […]

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which […]

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization? The Health Insurance Portability and Accountability Act (HIPAA) […]

HIPAA Encryption Requirements

The HIPAA encryption requirements have, for some, been a source of confusion. The reason for this is the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as “addressable” requirements. Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI […]

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication. […]

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform […]

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? […]

What are the Duties of a HIPAA Compliance Officer?

The Healthcare Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee or a new position can be created to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis. […]

HIPAA Explained

Our HIPAA Explained article provides information about the Healthcare Insurance Portability and Accountability Act (HIPAA), the most recent changes to the Act in 2013, and how provisions within the Act currently affect patients, the healthcare industry as a whole, and the individuals who work within it. Originally proposed in 1996 in order that workers could carry forward insurance and healthcare rights […]

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. […]

HIPAA Compliance for Email

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*). […]

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner […]

HIPAA Violation Cases

Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees. […]

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation? There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant. […]

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. […]

Can E-Signatures Be Used Under HIPAA Rules?

The use of digital signatures in the healthcare industry has helped to improve the efficiency of many processes, yet the question still remains can e-signatures be used under HIPAA rules. Effectively the answer is “yes”, provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI. […]

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). […]

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. […]

HIPAA Guidelines on Telemedicine

The HIPAA guidelines on telemedicine affect any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centers. Many people mistakenly believe that communicating ePHI at distance is acceptable when the communication is directly between physician and patient – and this would be what the HIPAA Privacy Rule would imply. […]

How to Report a HIPAA Violation

It is important for all healthcare employees to know how to report a HIPAA violation, the correct person to direct the complaint to, and whether the incident should be directed to the Department of Health and Human Services’ Office for Civil Rights (OCR). […]

Mobile Data Security and HIPAA Compliance

Healthcare providers and other HIPAA-covered entities have embraced the mobile technology revolution, and are allowing the use of Smartphones, tablets and other portable devices in hospitals, clinics and other places of work; however, if mobile data security measures are insufficient, covered entities are at risk of violating HIPAA regulations. If that occurs, heavy fines can follow. […]

HIPAA Rules for Dentists

Although many dental offices are self-contained entities, the HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. […]

Summary of the HIPAA Breach Notification Rule

The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of HIPAA obligations, in particular those relating to the HIPAA Breach Notification Rule. […]

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. […]

HIPAA Violation Articles

Listed below are a selection of HIPAA articles providing further information and guidance on HIPAA compliance for healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities. […]

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches […]

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. […]

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred […]

Is Text Messaging HIPAA Compliant?

The answer to the question “is text messaging HIPAA compliant” is generally “no”. Although HIPAA does not specifically prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards has to be in place to ensure the confidentiality and integrity of PHI when it is “in transit” – i.e. being communicated between medical professionals or covered entities. […]

Recent HIPAA Changes

The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996. […]

HIPAA Privacy Laws

The HIPAA privacy laws were first enacted in 2002 with the objective of protecting the confidentiality of patients´ healthcare information without handicapping the flow of information that was required to provide treatment. The HIPAA privacy laws control who can have access to Protected Health Information (PHI), the conditions under which it can be used, and who it can be disclosed to. […]

HIPAA Risk Assessment

The requirement for Covered Entities to conduct a HIPAA risk assessment is not a new provision of the Health Insurance Portability and Accountability Act. The requirement was first introduced in 2003 in the original HIPAA Privacy Rule, and subsequently extended to cover the administrative, physical and technical safeguards of the HIPAA Security Rule. […]

HIPAA Compliance for Call Centers

HIPAA compliance for call centers is an essential consideration for every company providing an answering service or call-forwarding service for the healthcare industry. Since the Final Omnibus Rule updated the Health Insurance Portability and Accountability Act (HIPAA) in 2013, all service providers processing, storing or transmitting ePHI directly or on behalf of a healthcare organization […]

HIPAA Regulations for SMS

The HIPAA regulations for SMS do not specifically prohibit the use of a “Short Message Service” to communicate Protected Health Information (PHI), but they do stipulate that certain conditions have to be in place before using SMS to communicate PHI is HIPAA compliant. Most SMS messages are not HIPAA compliant. […]

HIPAA Training Requirements

Because HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), the HIPAA training requirements are best described as vague. Training is undoubtedly mandatory. It is an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308). […]

Amazon Alexa is Not HIPAA Compliant – But That Could Soon Change

Amazon Alexa is not HIPAA compliant, which limits its use in healthcare, although that could be about to change. Amazon already supports HIPAA compliance for its cloud platform AWS and is keen to see its voice recognition technology used more extensively in healthcare. However, before the true potential of Alexa can be realized, Amazon must first make Alexa HIPAA compliant. […]

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text […]

HIPAA Audit Checklist

In March 2013, the enactment of changes to the Health Insurance Portability and Accountability Act (HIPAA) made it advisable for healthcare organizations and other covered entities to compile a HIPAA audit checklist. The objective of a HIPAA audit checklist would be to identify any possible risks to the integrity of electronically-stored protected health information (ePHI). […]

HIPAA Encryption for iPhones and Android Phones

There is an understandable level of misunderstanding about HIPAA encryption for iPhones and Android phones. The misunderstanding arises because the HIPAA Security Rule categorizes the encryption of Protected Health Information (PHI) as an “addressable” requirement when PHI is communicated outside of a covered entity´s communications network. […]

HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered health group plans – is one of the most complicated areas of HIPAA legislation. The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans […]

Timeline of Important Events in the History of HIPAA

The Health Insurance Portability and Accountability Act of 1996 is widely accepted to be one of the most important pieces of healthcare legislation ever to be introduced in the United States. Next year will be the 20th Anniversary of the introduction of the act, and during that time there have been some major updates to that legislation. […]

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. […]

Healthcare Professionals Violate HIPAA with Personal Phones

There is a worrying practice taking place in healthcare centers across the country: The use of personal mobile phones for communicating with care teams and sending patient data. The practice is a clear HIPAA violation, yet text messages, attachments and even photographs and test results are being shared over insecure networks without data encryption, albeit with individuals permitted to view the data. […]

Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules? In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary. […]

Is Microsoft Outlook HIPAA Compliant?

The latest in our series of posts on HIPAA compliant software and email services for healthcare organizations explores whether Microsoft Outlook is HIPAA compliant. Software or an email platform can never be fully HIPAA compliant, as compliance is not so much about the technology but how it is used. That said, software and email services can support HIPAA compliance. […]


The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act. Title XIII of the American Recovery and Reinvestment Act – the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of electronic health records and signaled the start of the Meaningful Use program. […]

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. […]

Is Google Hangouts HIPAA Compliant?

Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). […]

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. […]

Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance. Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules. The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. […]

Clarifying the HIPAA Retention Requirements

The subtle distinction between HIPAA medical records retention and HIPAA record retention can cause confusion when discussing HIPAA retention requirements. This article aims to clarify what records need to be retained under HIPAA, and what other retention requirements Covered Entities should consider. […]

HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI. […]

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. […]

Is Azure HIPAA Compliant?

Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA? […]

Is Facebook Messenger HIPAA Compliant?

Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI. […]

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA? Healthcare professionals often complain about the restrictions of HIPAA – Are the benefits of the legislation worth the extra workload? […]

Is HelloFax HIPAA Compliant?

Is HelloFax HIPAA compliant? Can HelloFax be used by healthcare organizations to send files containing protected health information, or would doing so be considered a violation of HIPAA Rules? In this post we explore the protections in place and attempt to determine whether HelloFax can be considered a HIPAA compliant fax service. […]

Who Enforces HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) introduced many new rules for healthcare organizations, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates? […]

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place? HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. […]

The Cost of HIPAA Non-Compliance

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) demands that all covered entities implement the appropriate administrative, physical and technical safeguards to keep PHI secure. Failure to implement those basic minimum standards can lead to more than just a fine from the Department of Health and Human Services’ Office for Civil Rights (OCR). […]

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. […]

HIPAA Compliant Email Archiving

Although HIPAA compliant email archiving is not a requirement of the Security Standards for the Protection of Electronic Protected Health Information (the HIPAA “Security Rule”), there are valid reasons why healthcare organizations should consider archiving emails in compliance with HIPAA. […]

Is iCloud HIPAA Compliant?

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service. Cloud storage services are a convenient way of sharing and storing data. […]

HIPAA Compliance and Pagers

HIPAA compliance and pagers have become a topic for discussion since the enactment of changes to the Privacy and Security Rules in the Health Insurance Portability and Accountability Act (HIPAA). Although not specifically mentioning pager communications, the changes to the Security Rule stipulate that a system of physical, administrative and technology safeguards must be introduced for any electronic communication to be HIPAA-compliant. […]

HIPAA Compliance and Medical Records

Stage 2 Meaningful Use raises the bar on the conditions that have to be fulfilled in terms of HIPAA compliance and medical records security. In order to qualify for Medicare and/or Electronic Health Record (EHR) incentive payments, eligible healthcare organizations must now meet a new range of demands. […]

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance. […]

PCI and HIPAA Compliance Comparison

For organizations in healthcare-related industries, who both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments in order to avoid duplication and better mitigate the risk of a data breach. […]

HIPAA Security Officer

All Covered Entities are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of electronic Protected Health Information (ePHI). […]

Is WebEx HIPAA Compliant?

Is WebEx HIPAA compliant? Is the online meeting and web conferencing platform suitable for use by healthcare organizations or should the service be avoided? In this post we assess the security controls and features of the platform and determine whether use of WebEx could be considered a HIPAA violation. […]

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. […]

HIPAA Compliant SFTP Server

If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server. […]

HIPAA Compliance for SaaS

HIPAA compliance for SaaS is one of the many HIPAA-related topics full of if, buts and maybes. In this case, the reason for there being so many possible answers to questions about cloud services is because the original Health Insurance Portability and Accountability of 1996 Act was enacted long before cloud services were commercially available. […]

Guidance on HIPAA and Cloud Computing Issued by HHS

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). […]

Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI. Is Zoom HIPAA compliant? Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. […]

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. […]

Ransomware on Mobile Devices

Most IT professionals will already be conscious of the threat of ransomware on networked computers, but now a new threat is emerging – ransomware on mobile devices. The increase of ransomware on mobile devices is particularly disturbing for organizations that allow employees to use their personal mobile devices in the workplace (BYOD) […]

Is GoToMeeting HIPAA Compliant?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. […]

HIPAA Audit Protocols

The latest HIPAA audit protocols were published by the U.S. Department of Health and Human Services´ Office for Civil Rights (OCR) in March 2013 when the Final Omnibus Rule enacted provisions within the Health Insurance Portability and Accountability Act (HIPAA) to safeguard the integrity of protected health information (PHI). […]

HIPAA Texting Policy

A HIPAA texting policy is a document that should be compiled once a risk assessment has been conducted to identify any vulnerabilities in the way PHI is currently communicated between employees, medical professionals and Business Associates. […]

What is “HIPAA Certification”?

“HIPAA Certification” is not an officially-sanctioned qualification to show a Covered Entity or Business Associate is HIPAA compliant. It is simply a certificate indicating an individual or organization has undergone some level of training towards HIPAA compliance. […]

HIPAA Compliance Plan

The administrative requirements within the HIPAA Security Rule are quite clear about who has responsibility for creating a HIPAA compliance plan. Section §164.530 of the Security Rule states “A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity”. […]

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity? […]

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? […]

Small Businesses and GDPR Compliance

Small businesses have experienced some confusion since the announcement of the General Data Protection Regulation (GDPR). A large number of small business owners appear to have assumed that the GDPR is not applicable to them. Unfortunately, they may well be in for quite a shock on the 25th of May 2018 when the new Regulation comes into force. […]

HIPAA Compliance for Medical Software Applications

HIPAA compliance for medical software applications can be a complicated issue to understand. Some eHealth and mHealth apps are subject to HIPAA and medical software regulations issued by the FDA. Others are not. This article has been prepared with relevance to HIPAA and medical software. For information about FDA regulations, please visit the FDA´s “Device Advice” web page. […]

HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should none-the-less pay close attention to HIPAA compliance for HR departments. It has been estimated a third of all workers and their dependents who receive occupation healthcare benefits do so through a self-insured group health plan. […]

HIPAA Compliance Guide

Compliancy Group’s software and compliance coach guidance allow you achieve, demonstrate, and maintain your HIPAA compliance no matter your organization’s size or level of expertise. […]

What is a HIPAA-Covered Entity?

The term “HIPAA Covered Entity” was not actually in the original Healthcare Insurance Portability and Accountability Act when it was originally enacted in August 1996. The term first appeared in the HHR´s proposed HIPAA Privacy Rule when the Rule was released for public comments in November 1999 and subsequently published after amendments had been made in December 2000. […]

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. […]

HIPAA Release Form

A signed HIPAA release form must be obtained from a patient before their protected health information can be shared with other individuals or organizations, except in the case of routine disclosures for treatment, payment or healthcare operations permitted by the HIPAA Privacy Rule. […]

Who Does HIPAA Apply To?

Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information secure and data security, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs? […]

Who Do You Report HIPAA Violations To?

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when those rules are violated? Who do you report HIPAA violations to? […]

The Top HIPAA Threats Are Likely Not What You Think

Many articles listing the Top HIPAA threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark. […]

HIPAA Data Security Requirements

In order to comply with the HIPAA data security requirements, healthcare organizations should have a solid understanding of the HIPAA Security Rule. The HIPAA Security Rule contains the administrative, physical and technical safeguards that stipulate the mechanisms and procedures that have to be in place to ensure the integrity of Protected Health Information (PHI). […]

HIPAA Privacy Rule

The HIPAA Privacy Rule was first enacted in 2002 with the goal of protecting the confidentiality of patients and their healthcare information, while enabling the flow of patient healthcare information when it is needed. Also known as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rule regulates who can have access to Protected Health Information (PHI) […]

Web Filtering for Hospitals

Web filtering for hospitals is a means of controlling access to Internet sites that potentially harbor viruses and infections. By implementing a hospital web filter, healthcare organizations mitigate the risk of a hacker gaining access to PHI via the installation of malware, or of a cybercriminal locking up a system with the installation of ransomware. […]

Insurance Industry compliance with GDPR

The General Data Protection Regulation (GDPR) is due to come into force on the 25th of May 2018. This short article is focused on the GDPR in the particular context of the Insurance Industry. Specialised consideration of the new Regulation is essential given that non-compliance with GDPR rules may lead to the imposition of heavy fines among a number of other sanctions. […]

HIPAA Compliant RDP Server

A HIPAA compliant RDP server allows healthcare professionals to work remotely and still have access to the same information they could view and update if they were working at a practice or hospital. Remote desktop access allows healthcare professionals to work efficiently from home and while travelling. […]

HIPAA Omnibus Rule Places Further Restrictions on Marketing

The introduction of the Omnibus Final Rule, also known as the HIPAA Mega Rule due to the extent of that it alters the current legislation, tightens up many loose ends that existed from the HIPAA Privacy Rule with regards to marketing. […]

Electronic Medical Records and HIPAA

The combination of Stage 2 Meaningful Use for Electronic Medical Records and HIPAA compliance provides an opportunity for healthcare organizations to change the way in which ePHI is stored and communicated and benefit from the Meaningful Use incentive program. […]

How to Prepare for a HIPAA Compliance Audit

In 2011 the Department of Health and Human Services’ Office for Civil Rights developed an audit program to assess the state of healthcare compliance. The pilot audits, which started in 2011 and were completed in 2012, uncovered numerous violations of HIPAA Privacy, Security and Breach Notification Rules. […]

Is SharePoint HIPAA Compliant?

Is SharePoint HIPAA compliant? Does the platform incorporate all the required administrative and technical controls to meet HIPAA requirements? This post explores whether SharePoint supports HIPAA compliance and its suitability for use in the healthcare industry. […]

HIPAA Compliance for Hospices

HIPAA compliance is rarely straightforward in the healthcare industry, and HIPAA compliance for hospices is one area in which it less straightforward than most. The rules regarding the disclosure of Protected Health Information limit conversations with family members if patients have not previously given their consent for the conversations to take place. […]

Does HIPAA Apply to Employers?

The question “Does HIPAA Apply to Employers” is one that has provoked many different responses due to the complicated nature of the HIPAA Privacy Rule. The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare industry. […]

Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI. […]

HIPAA Compliant Messaging App

A HIPAA compliant messaging app is an integral part of a secure messaging solution that can help healthcare organizations and other covered entities comply with the technical requirements of the HIPAA Security Rule. […]

Protect Healthcare Data from Phishing

One of the key areas of online security that every HIPAA-covered entity should make its priority is to protect healthcare data from phishing. Phishing attacks are becoming a greater threat to the healthcare industry than any other attack vector. Recently almost 25,000 patient records were accessed by hackers as the result of a phishing attack on Saint Agnes Heath Care Inc. in Maryland. […]

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? Under HIPAA Rules, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity […]

Is Yammer HIPAA Compliant?

Is Yammer HIPAA compliant? Does the platform incorporate all the necessary administrative and technical controls to meet HIPAA requirements? This post explores whether Yammer supports HIPAA compliance and assesses whether the platform can be used by healthcare organizations without violating HIPAA Rules. […]

Is Citrix ShareFile HIPAA Compliant?

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant? Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. […]

Secure Text Messaging in Hospitals

Secure text messaging in hospitals is a cost-effective solution for healthcare organizations to comply with the Health Insurance Portability and Accountability Act (HIPAA). The solution works by maintaining encrypted PHI on a secure server, and allowing medical professionals to access and communicate sensitive patient data via secure messaging apps. […]

HIPAA Compliance for Dentists

The issue of HIPAA compliance for dentists is not one that should be taken lightly. Research conducted by the American Dental Association shows dental practices are increasing in number and increasing in size, and – according to the National Association of Dental Plans – the number of US citizens with access to commercially or publicly funded dental care increased from 170 million (2006) to 248 million (2016). […]

Do you need HIPAA Compliance Tips?

Compliancy Group’s software and compliance coach guidance allow you achieve, demonstrate, and maintain your HIPAA compliance no matter your organization’s size or level of expertise. […]

HIPAA Compliance Software

The terms “HIPAA compliant software” and “HIPAA compliance software” are frequently used interchangeably by software vendors – often causing confusion among Covered Entities and Business Associates searching for either specific or comprehensive solutions for complying with HIPAA. […]

Is IBM Cloud HIPAA Compliant?

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations. […]

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance. […]

HITECH Compliance

Businesses within the healthcare industry (“Covered Entities”) should already be familiar with their HITECH compliance obligations, as they are closely related to HIPAA compliance and often referred to as HIPAA HITECH compliance obligations. However, following the passage of HITECH, third-party service providers (“Business Associates”) now have a legal requirement also to comply with HIPAA. […]

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. […]

What is the HITECH Act?

The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – was part of an economic stimulus package introduced during the Obama administration. The HITECH Act was primarily created to promote and expand the adoption of health information technology, and the Department of Health & Human Services (HHS) was given a budget in excess of $25 billion to achieve its goals. […]

HIPAA and Healthcare Data Compliance

Access to healthcare can be considered a basic human right, although many counties have different views on the services that are provided by the state, and to whom. Privacy is also important and can also be considered a basic human right, with the rights of individuals showing just as much variation. In the UK, British citizens have access to the National Health Service. […]

HIPAA Privacy Guidelines

The HIPAA privacy guidelines were first introduced in 2002 with the aim of protecting the patient confidentiality without obstructing the flow of information required to provide treatment. The guidelines defined what data should be considered as Protected Health Information (PHI), who should be allowed access to it, when it could be disclosed, and for what purposes. […]