HIPAA Compliance Checklist

The HIPAA compliance checklist is divided into segments for each of the applicable rules. One important point is that there is no hierarchy in HIPAA regulations, and even though privacy and security measures are referred to as “addressable”. It does not imply that they are optional. Any organization must adhere to each of the criteria in the HIPAA compliance checklist to achieve full HIPAA compliance.

It is necessary for organizations having electronic Protected Health Information (ePHI) to read through this HIPAA compliance checklist. The primary motive of this HIPAA compliance checklist is to help organizations comply with HIPAA regulations. Failing to this breaches the security and privacy of confidential patient data and results in substantial fines and even criminal charges.

Ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR will issue fines for non-compliance regardless of whether the violation was inadvertent or resulted from willful neglect.

What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with PHI must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

HIPAA Requirements

Every Covered Entity and Business Associate that has access to PHI must ensure that they should

  • Adhere to the technical, physical and administrative safeguards
  • Comply with the HIPAA Privacy Rule to protect the integrity of PHI
  • follow the procedure in the HIPAA Breach Notification Rule in the event of PHI breach

All risk assessments, HIPAA-related policies and reasons why addressable safeguards are not implemented must be chronicled in case of PHI breach. An investigation will take place to establish how the breach happened. Each of the other HIPAA requirements is explained in detail below.

HIPAA Security Rule

The HIPAA Security Rule sets the standards for safeguarding and protecting ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” it means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual.

There are three parts to the HIPAA Security Rule

  • Technical safeguards
  • Physical safeguards
  • Administrative safeguards

Let us address these in order, in our HIPAA compliance checklist.

Technical Safeguards

The Technical Safeguards is about the technology used to protect the ePHI. The important requirement is that ePHI must be encrypted to NIST standards once it is beyond an organization’s internal firewalled servers. This is to ensure that any breach of confidential patient data renders it unreadable, indecipherable and unusable.

Physical Safeguards

The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI can be stored in a remote data center, in the cloud, or on servers located within the premises of the HIPAA covered entity.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist. These require a Security Officer and a Privacy Officer to put the measures in place to protect ePHI.

HIPAA Privacy Rule

The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In effect since 2003, the rule applies to all healthcare organizations. It demands that the implementation of appropriate safeguards to protect PHI. It also limits the use and disclosure of PHI without patient authorization. The Rule also gives patients or their nominated representatives,  rights over their PHI; including the right to

  • obtain a copy of their health records or examine them
  • to request corrections if necessary

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule authorizes the covered entities to notify patients when there is an ePHI breach. It also requires them to promptly notify the Department of Health and Human Services of such the breach of along with issue a notice to the media if it affects more than 500 patients.

There is also a necessity to report smaller breaches those affecting fewer than 500 individuals via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports annually.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule was introduced to address the areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI. It enforces penalties for covered entities responsible for an avoidable breach of ePHI and conducts the procedures for hearings.

What Should a HIPAA Risk Assessment Consist Of?

OCR provides guidance on the objectives of a HIPAA risk assessment:

  • Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors, and Business Associates.
  • Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
  • Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
  • Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
  • Document the findings and implement measures, procedures and policies were necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.

HealthViewX, a HIPAA compliant platform for Chronic Care Management and Patient Referral Management

How nice would it be if a solution like HealthViewX can protect all patient-related data securely? The practice need not worry as HealthViewX is a HIPAA compliant solution. We are passionate about making things easy for the healthcare industry. We offer three important solutions.

In this period, when the healthcare industry is experiencing its most drastic change, HealthViewX focuses on helping healthcare providers adapt and evolve to meet the changing needs of the industry and provide the best quality care for its patients.

Know more about our Care Orchestration Solutions to Improve Care, Performance, and Compliance! Partner with us for sustained healthcare outcomes, data insights and informed decision making!