HIPAA Compliance Checklist
If your organization has access to electronic Protected Health Information (ePHI), it is recommended that you review our HIPAA compliance checklist. Its purpose is to help ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.
Failure to comply with HIPAA regulations can result in substantial fines being issued and criminal charges and civil action lawsuits being filed should a breach of ePHI occur. There are also regulations you need to be aware of covering breach reporting to the OCR and the issuing of breach notifications to patients.
Ignorance of HIPAA regulations is not considered a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR will issue fines for non-compliance whether the violation was inadvertent or the result of willful neglect, although the penalty tier (see the Enforcement Rule section below) depends on the level of culpability.
Our HIPAA compliance checklist has been compiled by dissecting the HIPAA Security and Privacy Rules, the HIPAA Breach Notification Rule, HIPAA Omnibus Rule and the HIPAA Enforcement Rule. If you are unsure as to whether you need to comply with these HIPAA regulations you should refer to our “HIPAA Explained” page. For more information on the background to the regulations please review our “HIPAA History” page.
Our HIPAA Compliance Checklist
Our HIPAA compliance checklist has been divided into segments for each of the applicable rules. It should be pointed out that there is no hierarchy in HIPAA regulations, and even though privacy and security measures are referred to as “addressable”, this does not mean they are optional. Each of the criteria in our HIPAA compliance checklist has to be adhered to if your organization is to achieve full HIPAA compliance.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard ePHI at rest and in transit. The Rule binds covered entities and their Business Associates, and through them every person and system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual (for an explanation of “personal identifiers”, please refer to our “HIPAA Explained” page).
There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in order in our HIPAA compliance checklist.
The Technical Safeguards concern the technology that is used to protect ePHI and to control access to it. The Security Rule is technology-neutral: it does not mandate particular products, and even encryption is an “addressable” specification rather than a hard requirement. In practice, however, ePHI at rest and in transit should be encrypted in line with the NIST publications referenced in HHS guidance, because only ePHI rendered “unusable, unreadable, or indecipherable” in that way is exempt from the Breach Notification Rule if it is lost or stolen. Within that framework organizations are free to select whichever mechanisms are most appropriate to:
- Implement a means of access control (required) – This means assigning a centrally-controlled unique user identifier to each user so that activity can be traced to one person (shared accounts defeat this), and also establishing procedures to govern the release or disclosure of ePHI during an emergency. Person or entity authentication (required) builds on this: the system must verify that the person claiming an identity is who they say they are.
- Introduce a mechanism to authenticate ePHI (addressable) – This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner; a checksum, digital signature or message authentication code over stored and transmitted records is the usual way to meet it.
- Implement tools for encryption and decryption (addressable) – This specification covers ePHI at rest on servers, workstations, mobile devices and removable media, and ePHI in transit over any network the organization does not control. Where encryption is not implemented, the decision and the equivalent alternative must be documented. Encryption only helps if the keys are stored and managed separately from the data they protect.
- Introduce activity audit controls (required) – The audit controls required under the technical safeguards record, and allow examination of, activity in systems that contain or use ePHI: which user account accessed which record, when, and what was done with the data. These logs are also the primary evidence when a suspected breach is investigated.
- Facilitate automatic logoff (addressable) – This function – although only addressable – ends a session after a pre-defined period of inactivity on the device being used to access or communicate ePHI, so that an unattended device cannot be used for unauthorized access.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
- Facility access controls must be implemented (addressable) – Procedures have to be introduced to record any person who has physical access to the location where ePHI is stored. This includes software engineers, cleaners and even a handyman coming to change a light bulb. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
- Policies relating to workstation use (required) – Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation (so that the screen of a workstation cannot be overlooked from an unrestricted area) and govern how functions are to be performed on the workstations.
- Policies and procedures for devices and media (required) – Policies must be devised and implemented to govern the final disposal of hardware and media containing ePHI, and how ePHI is removed from a device or medium before it is re-used.
- Inventory of hardware (addressable) – An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are checked thoroughly in the later audit phases; not just to make sure that the organization in question has conducted one, but to ensure it is comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.
The administrative safeguards include:
- Conducting risk assessments (required) – Among the Security Officer´s main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
- Introducing a risk management policy (required) – The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
- Training employees to be secure (required standard; its implementation specifications are addressable) – Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
- Developing a contingency plan (required) – In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
- Testing of contingency plan (addressable) – The contingency plan must be tested and revised periodically, and the relative criticality of specific applications and data assessed so that restoration can be prioritized. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
- Restricting third-party access (required) – It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
- Reporting security incidents (required) – The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. All employees must be aware of how and when to report an incident so that action can be taken to prevent a breach whenever possible, and the incident and its outcome must be documented.
The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, covered entities have the option of introducing an appropriate alternative, or not introducing the safeguard at all.
That decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment, on which the decision was based.
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how Protected Health Information (PHI) in any form – electronic, paper or oral – can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered entities.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of PHI. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days (one 30-day extension is permitted if the individual is told the reason in writing). Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
Covered entities are also advised to:
- Provide training to employees to ensure they are aware what information may – and may not – be shared outside of an organization´s security mechanism.
- Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
- Ensure written authorization is obtained from patients before their health information is sold or used for marketing, and, in most cases, before it is used for research unless an Institutional Review Board or privacy board has waived the requirement. Fundraising communications do not need an authorization but must give the patient a clear way to opt out.
Covered entities should make sure their patient forms and procedures have been updated to reflect the Omnibus Rule: disclosure of immunization records to schools now needs only the patient's (or parent's) documented agreement rather than a signed authorization; patients who have paid for a service in full out of pocket can require that it not be disclosed to their health plan; and patients who request an electronic copy of records held electronically must be given one.
The full content of the HIPAA Privacy Rules can be found on the Department of Health & Human Services website.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals when there is a breach of their unsecured PHI. It also requires entities to notify the Department of Health and Human Services and, if the breach affects more than 500 residents of a state or jurisdiction, to notify prominent media outlets serving that area. For breaches affecting 500 or more individuals, the notification to HHS is due within the same 60-day window as the patient notifications.
Smaller breaches – those affecting fewer than 500 individuals – must be logged and reported to HHS via the OCR web portal no later than 60 days after the end of the calendar year in which they were discovered. The individual notifications for these breaches are still due within 60 days of discovery.
Whether an impermissible use or disclosure must be treated as a reportable breach is decided by a documented risk assessment; unless that assessment shows a low probability that the PHI was compromised, notification is required. The assessment must consider at least:
- The nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
- Whether the ePHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. The notice to a patient must include a description of what happened (with the dates of the breach and of its discovery), the types of unsecured PHI involved, the steps the individual should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate harm and prevent further breaches, and contact details for questions.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule was introduced to address a number of areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors.
Business Associates are classed as any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a covered entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations and any subcontractors used by Business Associates.
The Omnibus Rule amends HIPAA regulations in five key areas:
- Introduction of the final amendments as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Incorporation of the increased, tiered civil money penalty structure as required by HITECH.
- Introduced changes to the harm threshold and included the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act.
- Modification of HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to prohibit the disclosure of genetic information for underwriting purposes.
- Requires patient authorization for the sale of PHI and for most marketing communications paid for by a third party.
Definition changes were also made to the term Business Associate, the term Workforce was amended to include employees, volunteers and trainees, and what material is now classified as Protected Health Information.
Covered entities must now:
- Update Business Associate Agreements – Old BA agreements must be updated to take the Omnibus Rule into account. Business Associates must be made aware that they are bound by the same Security Rule and Privacy Rule regulations as covered entities, and must similarly implement the appropriate technical, physical and administrative safeguards to protect ePHI and personal identifiers. BAs must comply with patient access requests for information, data breaches must be reported to the covered entity without delay, and assistance with breach notification procedures must also be provided.
- Issue new Business Associate Agreements – A new HIPAA-compliant agreement must be signed before the services provided by a BA are used.
- Update privacy policies – Privacy policies must be updated to include the Omnibus Rule definition changes. These include amendments relating to deceased persons, patient access rights to their ePHI and the response to access requests. Policies should also reflect the new limitations of disclosures to Medicare and insurers, the disclosure of ePHI and school immunizations, the sale of ePHI and its use for marketing, fundraising and research.
- Update Notices of Privacy Practices – NPPs must be updated to cover the types of information that require an authorization and the right to opt out of correspondence for fundraising purposes, and must factor in the new breach notification requirements.
- Train staff – Staff must be trained on the Omnibus Rule amendments and definition changes. All training must be documented.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation the entity did not know about, and could not reasonably have known about, can attract a fine of $100 – $50,000 per violation.
- A violation due to reasonable cause rather than willful neglect can attract a fine of $1,000 – $50,000 per violation.
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000 per violation.
- A violation due to willful neglect which is not corrected within thirty days will attract a fine of $50,000 per violation.
These are the amounts as set by HITECH; OCR adjusts them annually for inflation, so the current figures are higher. Fines are imposed per violation category and reflect the number of records exposed in a breach, the risk posed by the exposure of that data and the level of negligence involved. Penalties can reach the annual cap of $1,500,000 per violation category. Willful neglect can also lead to criminal charges, which are prosecuted by the Department of Justice rather than OCR. Victims of a breach can also file civil lawsuits for damages; HIPAA itself provides no private right of action, so such suits rely on state law.
What Should a HIPAA Risk Assessment Consist Of?
Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities and complexity. However, OCR does provide guidance on the objectives of a HIPAA risk assessment:
- Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors and Business Associates.
- Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
- Determine the potential impact of a PHI breach and assign each potential occurrence a risk level derived from the combination of its likelihood and impact (typically by multiplying the two, so that a rare but catastrophic event is not averaged down to “medium”).
- Document the findings and implement measures, procedures and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist, and should be reviewed regularly when changes to the workforce, work practices or technology occur.
Depending on the size, capability and complexity of a Covered Entity, compiling a fully comprehensive HIPAA risk assessment can be a long task. There are various tools that can help organizations with the compilation of a HIPAA risk assessment, including the Security Risk Assessment tool published by HHS; however, due to the lack of a “specific risk analysis methodology”, there is no “one-size-fits-all” solution.
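The scoring step is where most registers go wrong, so here is an added worked example (not from this page, OCR or HHS) of a minimal risk register in Go. The numeric mapping of low/medium/high to 1/2/3, the tolerance threshold, the one-year review interval and the register entries are all assumptions made for the illustration; the entries are constructed, not real assessment data. The point it adds to the text above is that likelihood and impact are multiplied rather than averaged, and that an entry with no written rationale or no recent review is itself a finding, because the assessment must be documented and ongoing.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Level is OCR's qualitative low/medium/high scale. The numeric values are an
// assumption made for this example so that likelihood and impact can be combined.
type Level int

const (
	Low    Level = 1
	Medium Level = 2
	High   Level = 3
)

// Risk is one row of the register. Rationale and Reviewed are the documentation
// the Security Rule expects to be retained (six years).
type Risk struct {
	Asset      string
	Threat     string
	Control    string // safeguard already in place
	Likelihood Level
	Impact     Level
	Rationale  string    // why these levels were assigned
	Reviewed   time.Time // date of last review
}

// Score combines likelihood and impact multiplicatively, so an unlikely but
// catastrophic event still outranks a moderately likely but harmless one.
func Score(r Risk) int { return int(r.Likelihood) * int(r.Impact) }

// Rating maps a score onto the bands used in the report (thresholds are an assumption).
func Rating(score int) string {
	switch {
	case score >= 6:
		return "High"
	case score >= 3:
		return "Medium"
	default:
		return "Low"
	}
}

// Ranked returns a copy of the register sorted highest risk first.
func Ranked(reg []Risk) []Risk {
	out := append([]Risk(nil), reg...)
	sort.SliceStable(out, func(i, j int) bool { return Score(out[i]) > Score(out[j]) })
	return out
}

// Findings lists entries that cannot be accepted as they stand: a score above
// tolerance, a missing rationale, or a review older than maxAge.
func Findings(reg []Risk, tolerance int, now time.Time, maxAge time.Duration) []string {
	var out []string
	for _, r := range reg {
		s := Score(r)
		if s > tolerance {
			out = append(out, fmt.Sprintf("%s / %s: %s risk (score %d) exceeds tolerance, treatment required", r.Asset, r.Threat, Rating(s), s))
		}
		if r.Rationale == "" {
			out = append(out, fmt.Sprintf("%s / %s: no documented rationale", r.Asset, r.Threat))
		}
		if now.Sub(r.Reviewed) > maxAge {
			out = append(out, fmt.Sprintf("%s / %s: last reviewed %s, review overdue", r.Asset, r.Threat, r.Reviewed.Format("2006-01-02")))
		}
	}
	return out
}

// SampleRegister is a constructed register for the example, not real assessment data.
// Field order: Asset, Threat, Control, Likelihood, Impact, Rationale, Reviewed.
func SampleRegister() []Risk {
	return []Risk{
		{"Clinician laptops", "Loss or theft", "Full-disk encryption, MDM", Medium, Low,
			"Drives encrypted; loss exposes no readable ePHI", time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)},
		{"EHR database", "Credential phishing", "Password policy only", High, High,
			"No MFA on remote access; phishing attempts already logged", time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)},
		{"Backup tapes", "Flood at storage site", "Off-site storage", Low, High,
			"", time.Date(2022, 1, 15, 0, 0, 0, 0, time.UTC)},
	}
}

func main() {
	now := time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC) // fixed "today" so the run is reproducible
	for _, r := range Ranked(SampleRegister()) {
		fmt.Printf("%-18s %-22s score=%d (%s)\n", r.Asset, r.Threat, Score(r), Rating(Score(r)))
	}
	for _, f := range Findings(SampleRegister(), 4, now, 365*24*time.Hour) {
		fmt.Println("finding:", f)
	}
}
```

With the constructed register the EHR database ranks first (score 9), and the backup-tape entry produces two findings even though its score is within tolerance: it has no rationale and has not been reviewed for more than a year.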
The Importance of Data Encryption
Historically a large share of reported ePHI breaches resulted from the loss or theft of mobile devices and media containing unencrypted data and from the transmission of unsecured ePHI across open networks. Hacking and IT incidents have since become the leading cause in OCR's breach reports, but lost and stolen devices remain common.
Breaches of this nature are largely avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is an addressable specification that must be evaluated and either implemented or replaced by a documented, equivalent alternative. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft.
Data is first converted to an unreadable format – termed ciphertext – which cannot be recovered without the secret key that converts it back to its original form. If an encrypted device is lost or stolen, the event is not a reportable breach, but only if the encryption meets HHS guidance (which references NIST SP 800-111 for data at rest and SP 800-52, 800-77 and 800-113 for data in transit) and the key was not also exposed; a laptop whose disk key is stored next to the data, or a device that was unlocked when it was taken, does not qualify. Encryption in transit (TLS, VPNs) likewise protects ePHI crossing networks from being read or altered by anyone intercepting it, though it does not by itself stop an attacker who holds valid credentials.
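To make the “unusable, unreadable” property concrete, here is an added example in Go (not code from this page or from HHS) that encrypts a constructed record with AES-256-GCM, binds it to a record identifier, and shows that the wrong key, a different identifier, or a single flipped bit all cause decryption to fail rather than yield garbage. The key size, the record format and the identifier scheme are this example's own assumptions; the authenticated-encryption check it demonstrates is also what the Security Rule's “mechanism to authenticate ePHI” asks for.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes, i.e. AES-256. The size is this example's choice; HHS
// guidance points to NIST SP 800-111 for data at rest rather than naming a key length.
const KeySize = 32

// NewKey returns a fresh random data-encryption key. In production the key lives
// in a KMS, HSM or OS keystore, never on the same device or backup as the
// ciphertext; a key stored beside the data forfeits the breach safe harbor.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// recordID is bound as additional authenticated data, so a blob cannot be moved
// into another patient's record without failing authentication on decrypt.
func Encrypt(key, plaintext []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or recordID
// makes Open fail, so a modified or truncated record is detected, not silently read.
func Decrypt(key, blob []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	record := []byte(`{"mrn":"000123","dx":"I10"}`) // constructed sample, not real ePHI
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record, "mrn:000123")
	if err != nil {
		panic(err)
	}

	pt, err := Decrypt(key, blob, "mrn:000123")
	fmt.Println("correct key and record id:", err == nil && bytes.Equal(pt, record))

	_, err = Decrypt(key, blob, "mrn:000124")
	fmt.Println("wrong record id rejected:", err != nil)

	other, _ := NewKey()
	_, err = Decrypt(other, blob, "mrn:000123")
	fmt.Println("wrong key rejected:", err != nil)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, blob, "mrn:000123")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Run it and all four checks print true. The design choice worth noting is the record identifier passed as additional authenticated data: without it, an attacker with write access to the store could swap one patient's ciphertext for another's and the swap would decrypt cleanly.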
HIPAA Compliance Checklist for IT
In addition to the rules and regulations that appear on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to increase the security of Protected Health Information.
Potential lapses in security due to the use of personal mobile devices in the workplace can be reduced by the use of a secure messaging solution. Secure messaging solutions allow authorized personnel to communicate PHI – and send attachments containing PHI – via encrypted messages that comply with the physical, technical and administrative safeguards of the HIPAA Security Rule.
Email is another area in which potential lapses in security exist. Emails containing PHI that are sent beyond an internal firewalled server should be encrypted. Emails containing PHI may form part of a patient's designated record set and should be archived securely in encrypted form; note that HIPAA's six-year retention period applies to compliance documentation, while retention of the medical record itself is governed by state law and may be longer.
Finally, as medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases; a web content filter reduces exposure to malicious sites, and multi-factor authentication on all remote and privileged access means a stolen password is no longer enough on its own.
Please review our infographic below to see the cost of failing to complete and implement a HIPAA compliance checklist.