

HIPAA Compliance Checklist : All You Need to Know

Published January 16, 2024


One of the pillars of legal compliance and healthcare cybersecurity is the United States legislation known as the Health Insurance Portability and Accountability Act (HIPAA). It is intended to safeguard the privacy of people's medical information and health records.

On August 21, 1996, President Bill Clinton signed the legislation. To protect private and sensitive patient data, healthcare organizations, including hospitals, insurance providers, and health plan providers, must all adhere to a HIPAA compliance checklist.

Since its enactment, the law has gained widespread recognition, particularly in the wake of numerous health data breaches resulting from cyber attacks and ransomware attacks targeting health insurers and providers in recent years. These attacks have resulted in substantial losses, inflicting billions of dollars in damages on affected companies.

Between 2009 and 2021, 4,419 healthcare data breaches involving 500 or more records took place. This resulted in millions of healthcare records being lost, stolen, exposed, or improperly disclosed.

HIPAA Scope & Applicability

HIPAA applies to covered entities that can be classified into four main categories, i.e. health plans, health care providers, health care clearinghouses, and business associates.

1. Health Plans

These are individual or group plans that provide or pay the cost of medical care. Health plans may include the following:

  • Health insurance companies.
  • Health maintenance organizations.
  • Employer-sponsored health plans.
  • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs.

2. Healthcare Providers

These are individuals or entities that electronically transmit health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which the US Department of Health and Human Services (HHS) has established standards under the HIPAA Transactions Rule. Health care providers include, but are not limited to, doctors, psychologists, dentists, clinics, pharmacies, and nursing homes.

3. Healthcare Clearinghouses

Entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa. Healthcare clearinghouses may include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.

4. Business Associates

A ‘business associate’ is an individual or entity that performs certain functions on behalf of a covered entity that entail the use or disclosure of protected health information (PHI).

What is HIPAA Compliance?

HIPAA compliance refers to adherence to the rules and regulations outlined in the law, which govern the privacy and security of PHI in the United States. Covered entities and their business associates are required to implement various safeguards and measures to protect PHI.

It takes a combination of internal procedures, the appropriate technology, and deliberate external collaborations to meet all HIPAA regulations. To make sure your company complies with HIPAA rules for the privacy and security of PHI, it is advised to carefully review the HIPAA compliance checklist.

Understanding HIPAA Rules

HIPAA Privacy Rule

The Privacy Rule defines when and how authorized staff can access PHI. This Rule sets the national standard for the protection of PHI and individually identifiable health information collected or shared by a covered entity or its business associate through any medium.

It also regulates the use and disclosure of PHI. Covered entities may use or disclose an individual's PHI only if the use or disclosure is permitted under the Privacy Rule or the data subject has authorized it in writing.

Required Disclosure

It is mandatory for covered entities to disclose the PHI of individuals in these two situations:

  1. Covered entities are required to disclose PHI to individuals (or their personal representatives) upon request. Individuals have the right to access their own health information and can request copies of their PHI.
  2. Covered entities must disclose PHI to HHS when it is undertaking a compliance investigation, review, or enforcement action.

Permitted Disclosure

Covered entities are allowed to use or disclose an individual's PHI without the individual's consent in the following cases:

  1. To the individual who is the subject of the PHI.
  2. For treatment, payment, and health care operations.
  3. For the provision of an opportunity to agree or object.
  4. In matters of public interest and benefit.
  5. For a purpose incident to an otherwise permitted use and disclosure.
  6. Use and disclosure of limited data sets for the purposes of research, public health or health care operations.

Principle of Minimum Necessary

Under this principle, covered entities must take reasonable measures to use, disclose, or request only the minimum amount of PHI required to fulfill the intended purpose. Therefore, covered entities shall not use, disclose, or request the entire medical record unless the purpose specifically justifies the use of the whole medical record. The following situations are exempted from the minimum necessary principle:

  1. Disclosure or request by a health care provider for treatment.
  2. Disclosure to an individual who is the subject of the information.
  3. Use or disclosure pursuant to an authorization.
  4. Disclosure to HHS for complaint investigation, compliance review, or enforcement.
  5. Use or disclosure required by law.
  6. Use or disclosure for compliance with the HIPAA transaction rules or other HIPAA administrative rules.

Apart from the above-mentioned requirements, covered entities shall comply with the following obligations:

Access and Uses of PHI

For internal purposes, covered entities are required to develop policies and procedures that grant their workforce members only the access they need for their specific roles. These policies shall identify the individuals or classes of individuals in the workforce who need access to PHI to carry out their duties.

Disclosures and Requests for Disclosures of PHI

Covered entities are also required to implement policies and procedures for routine, recurring disclosures or requests for disclosures that limit the disclosure to reasonably necessary information to achieve the intended purpose. On the other hand, for non-routine, non-recurring disclosures or requests for disclosures, the covered entities must undertake an individual review of each disclosure to limit the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure.

Designate a Privacy Officer

Covered entities shall designate a privacy officer responsible for developing policies and procedures in accordance with the law and a contact person who will be responsible for receiving complaints and providing information to individuals about the privacy practices of an organization.

Workplace Training

Covered entities shall train their staff members on the organization’s privacy practices and apply appropriate sanctions against staff members in case of non-compliance.

Documentation and Record Retention

Covered entities are required to retain, for six years after the date of creation or the last effective date, whichever is later, their privacy policies and procedures, their privacy practices notices, the disposition of complaints, and the other actions, activities, and designations that the Privacy Rule requires to be documented.

Develop Privacy Notices and Procedures

Covered entities are obliged to provide individuals with a privacy notice describing the organization’s privacy policies. The notice shall also describe the policies on the use and disclosure of PHI, and shall inform the individual of the right to complain to HHS and to the covered entity in case of any violation of their privacy rights.

Amendment of PHI

If information is inaccurate or incomplete, the individual has the right to have that information amended in the covered entity's designated record set.

Accounting of Disclosures of PHI

The individuals have the right to an accounting of the disclosures of PHI by covered entities or their business associates. The maximum period for disclosure accounting is six years preceding the accounting request.

Restrict Use or Disclosure

Individuals have the right to request restrictions on the use or disclosure of their PHI for treatment, payment, or health care operations, or on disclosures made to notify family members about their health. However, covered entities are under no obligation to grant the request.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect the integrity of Electronic Protected Health Information (ePHI) and ensure its confidentiality and availability. The Security Rule consists of technical safeguards, physical safeguards, and administrative safeguards for ePHI.

Risk Analysis and Management

The Security Rule requires the covered entities to perform risk analysis as part of their security management processes, which includes, but is not limited to, the following activities:

  • Evaluation of the likelihood and impact of potential risks to e-PHI;
  • Implementation of appropriate security measures to address the risks identified in the risk analysis;
  • Documentation of the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintaining continuous, reasonable, and appropriate security protections.

Through an ongoing risk analysis process, the covered entities must regularly review their records to track access to e-PHI and detect security incidents, periodically evaluate the effectiveness of security measures put in place, and regularly reevaluate potential risks to e-PHI.

Technical Safeguards

The technology used to safeguard ePHI and control access to the data is known as technical safeguards. The only prescriptive requirement is that once ePHI leaves an organization's internal firewalled servers, it must be encrypted to National Institute of Standards and Technology (NIST) standards, whether at rest or in transit, so that any compromise of private patient information renders that information unreadable. The technical safeguards under the Security Rule may include:

  1. Policies to control access to ePHI.
  2. Audits to record and examine access and other activities in the information security system.
  3. Measures to keep ePHI safe from any kind of alteration or destruction.
  4. Measures to ensure the safety of the ePHI during its transmission.
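The access-control and audit items above, together with the Principle of Minimum Necessary, the role-based access policies and the six-year accounting of disclosures described under the Privacy Rule, can be demonstrated in a small amount of code. The following is an added illustration, not code from the article or from Securiti: the record layout, the role-to-field policy, the purpose names and the sample users are constructed assumptions, and a real covered entity defines its own classes of access and keeps its own audit records.

```python
"""Role-based minimum-necessary access to PHI with an audit trail.

Added illustration, not code from the article or from Securiti. The record
layout, the role-to-field policy and the sample users are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample record (field names are assumptions, not a standard schema).
SAMPLE_PATIENT = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnoses": ["example diagnosis"],
    "medications": ["example medication"],
    "insurance_member_id": "INS-0001",
    "billing_balance": 125.00,
    "ssn": "000-00-0000",  # placeholder value
}

# Constructed minimum-necessary policy: (role, purpose) -> fields that role may see.
# Any (role, purpose) pair not listed here is denied.
ACCESS_POLICY = {
    ("physician", "treatment"): {"patient_id", "name", "dob", "diagnoses", "medications"},
    ("billing_clerk", "payment"): {"patient_id", "name", "insurance_member_id", "billing_balance"},
    ("front_desk", "operations"): {"patient_id", "name"},
}

# Disclosure to the individual who is the subject of the PHI is exempt from the
# minimum-necessary limit, so the full record is released for that purpose.
FULL_RECORD_PURPOSES = {"individual_request"}

ACCOUNTING_WINDOW = timedelta(days=6 * 365)  # six-year accounting period


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    actor: str
    role: str
    purpose: str
    patient_id: str
    fields_released: frozenset
    allowed: bool


@dataclass
class PHIStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def access(self, actor, role, purpose, patient_id, now=None):
        """Release only the fields the policy allows, and log every attempt,
        including denials, so the audit trail can be reviewed later."""
        now = now or datetime.now(timezone.utc)
        record = self.records[patient_id]
        if purpose in FULL_RECORD_PURPOSES:
            permitted = set(record)
        else:
            permitted = ACCESS_POLICY.get((role, purpose), set())
        released = {k: v for k, v in record.items() if k in permitted}
        self.audit_log.append(AuditEntry(now, actor, role, purpose, patient_id,
                                         frozenset(released), bool(released)))
        if not released:
            raise PermissionError(f"{role!r} has no {purpose!r} access to PHI")
        return released

    def accounting_of_disclosures(self, patient_id, as_of=None):
        """Successful accesses to one patient's PHI within the six-year window."""
        as_of = as_of or datetime.now(timezone.utc)
        start = as_of - ACCOUNTING_WINDOW
        return [e for e in self.audit_log
                if e.allowed and e.patient_id == patient_id and start <= e.when <= as_of]

    def repeated_denials(self, threshold=3):
        """Review step from the risk-analysis process: actors whose denied
        attempts reach the threshold, a signal worth investigating."""
        counts = {}
        for e in self.audit_log:
            if not e.allowed:
                counts[e.actor] = counts.get(e.actor, 0) + 1
        return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    store = PHIStore(records={"P-0001": dict(SAMPLE_PATIENT)})
    print(store.access("dr_a", "physician", "treatment", "P-0001"))
    print(store.accounting_of_disclosures("P-0001"))
```

The design point is that the policy is a deny-by-default allow-list keyed on both role and purpose, that the audit entry is written before the permission decision is enforced (so denied attempts are retained for review), and that the accounting query is bounded by the same six-year window the Privacy Rule sets for disclosure accounting.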

Physical Safeguards

The Physical Safeguards concentrate on physical access to ePHI, no matter where it is located. ePHI may be kept on servers housed inside the covered entity's building, in a remote data center, or in the cloud. The safeguards also prescribe how workstations and mobile devices should be protected against unauthorized access. The physical safeguards under the Security Rule include:

  1. Limiting physical access to only relevant persons.
  2. Implementing policies and procedures for the proper use of workstations and electronic devices to ensure the protection of ePHI.

Administrative Safeguards

The Administrative Safeguards are the rules and processes that bring the Privacy and Security Rules together. They are the critical components of a HIPAA compliance checklist.

  • A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Consistent with the minimum necessary principle, a covered entity must implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role.
  • A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to inform affected persons, the Secretary of HHS, and, in some cases, the media when they incur a breach of PHI. The Rule explicitly mandates the following:

Individual Notice

If a PHI breach is discovered, covered entities are required to notify the affected individuals. The individual notice shall be provided in written form by first-class mail or, alternatively, by email if the affected individual has agreed to receive such notices electronically. It shall be provided immediately and not later than 60 days following the discovery of a breach. The notice shall include the following:

  1. Brief description of the breach.
  2. Types of information affected by the breach.
  3. Steps that the affected individuals shall take to protect themselves from potential harm.
  4. Steps taken by the covered entity to mitigate harm.
  5. Contact information for the covered entity.

Media Notice

The responsible covered entity is required to notify prominent media outlets serving the state or jurisdiction if it is determined that the breach affected more than 500 residents of that state or jurisdiction. The notice shall be served within 60 days following the discovery of the breach and shall contain the same details as required for the individual notice.

Notice to Secretary

A PHI breach must be reported to the Secretary of HHS by the covered entity. The Secretary is informed by visiting the HHS website and submitting the electronic breach report form. If a breach affects 500 or more individuals, the covered entity shall inform the Secretary within 60 days following the discovery of the breach. If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary on an annual basis.

Notification by a Business Associate

If a breach occurs at a business associate, it shall notify the covered entity immediately and not later than 60 days following the discovery of the breach. The business associate shall assist the covered entity in identifying the affected individuals and in gathering the other information that must be provided in a breach notice.
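The deadlines and thresholds in the four notices above can be turned into a triage helper that an incident-response team runs as soon as the affected population is known. The following is an added illustration, not code from the article or from Securiti: the affected-individual list is constructed, the 60-day outer deadline, the more-than-500-residents media threshold, the 500-or-more Secretary threshold and the annual report for smaller breaches are taken from the article as written, and the field and function names are assumptions.

```python
"""Breach-notification triage following the deadlines and thresholds above.

Added illustration, not code from the article or from Securiti. Thresholds
follow the article text; names and the sample population are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_DEADLINE_DAYS = 60
MEDIA_THRESHOLD = 500      # media notice when more than 500 residents of one state/jurisdiction
SECRETARY_THRESHOLD = 500  # Secretary notified within 60 days when 500 or more individuals


@dataclass(frozen=True)
class AffectedIndividual:
    person_id: str
    state: str
    email_consent: bool  # has agreed to receive notices electronically


def notification_plan(discovery, affected, found_by_business_associate=False):
    """Who must be told, by which channel, and by when, for one breach."""
    deadline = discovery + timedelta(days=NOTICE_DEADLINE_DAYS)
    by_state = Counter(p.state for p in affected)
    return {
        "outer_deadline": deadline,
        # Written notice by first-class mail unless the person opted in to email.
        "individual_notice": {
            "first_class_mail": sorted(p.person_id for p in affected if not p.email_consent),
            "email": sorted(p.person_id for p in affected if p.email_consent),
        },
        "media_notice_states": sorted(s for s, n in by_state.items() if n > MEDIA_THRESHOLD),
        "secretary_notice": ("within 60 days of discovery"
                             if len(affected) >= SECRETARY_THRESHOLD else "annual report"),
        # A business associate must tell the covered entity by the same outer deadline.
        "business_associate_to_covered_entity_by": deadline if found_by_business_associate else None,
    }


def days_remaining(discovery, today):
    """Days left before the 60-day deadline; negative means it has passed."""
    return (discovery + timedelta(days=NOTICE_DEADLINE_DAYS) - today).days


def constructed_breach(n_state_a, n_state_b):
    """Build a constructed affected-individual list for demonstration."""
    people = [AffectedIndividual(f"A-{i:04d}", "State-A", i % 2 == 0) for i in range(n_state_a)]
    people += [AffectedIndividual(f"B-{i:04d}", "State-B", False) for i in range(n_state_b)]
    return people


if __name__ == "__main__":
    plan = notification_plan(date(2024, 1, 16), constructed_breach(501, 10))
    print(plan["outer_deadline"], plan["media_notice_states"], plan["secretary_notice"])
```

Note the asymmetry the article states and the helper preserves: the media notice is triggered by more than 500 residents of a single state or jurisdiction, while the 60-day Secretary notice is triggered by 500 or more affected individuals in total, so a breach of exactly 500 people in one state reaches the Secretary threshold but not the media one.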

HIPAA Omnibus Rule

The HIPAA Omnibus Rule was created to cover several topics left out by earlier revisions to the HIPAA law. Definitions were changed, policies and procedures were made more transparent, and the HIPAA compliance checklist was expanded to include business associates and their subcontractors. The Omnibus Rule improves HIPAA rules in the following areas:

  • The introduction of the final changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
  • The implementation of the HITECH-mandated civil money penalty structure.
  • The incorporation of the Genetic Information Nondiscrimination Act (GINA), which forbids the disclosure of genetic information for underwriting purposes, with HIPAA modified to reflect its requirements.
  • A prohibition on using PHI and personal identifiers for marketing activities.

To be HIPAA compliant following the adoption of the HIPAA Omnibus Rule, covered entities must ensure the following:

  • New business associates must agree to a HIPAA-compliant Business Associate Agreement before their services are used.
  • Existing Business Associate Agreements must be updated, and a new HIPAA-compliant agreement must be in place before the services of a Business Associate are used.
  • Privacy policies must be revised. The revisions cover deceased individuals, individuals' rights of access to their PHI, and responses to access requests.
  • The updated notice of privacy practices must reflect the new breach notification standards, the opportunity to opt out of contact for fundraising purposes, and the categories of information that require authorization.
  • The Omnibus Rule revisions and definition changes require staff training, and all training must be documented.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule sets down the procedures for investigations and hearings, and the penalties that may be imposed on covered entities or business associates that fail to prevent a breach of PHI.

The HIPAA Privacy and Security Rules place extensive requirements on the organizations subject to them; each Rule is covered in more detail in its own guide.

HIPAA Compliance Checklist for Organizations

The following checklist can assist your business in ensuring HIPAA compliance.

1. Regular Audits and Assessments

  • Conduct internal audits, security evaluations, and privacy audits regularly to support the highest level of data security.
  • Discover which of the annual audits and assessments apply to your organization.
  • Conduct the necessary audits and evaluations, evaluate the findings, and note any problems or shortcomings.
  • Execute the plans, evaluate the outcomes, and amend the plan if the expected outcomes are not achieved.
  • Make detailed remediation strategies and document them to remedy those problems and vulnerabilities.

2. Conducting a Risk Analysis

NIST recommends conducting a regular risk analysis. This includes:

  • Conducting an entity-level risk analysis.
  • Performing risk analyses for the systems that contain ePHI.
  • Creating and putting into effect a risk management strategy.
  • Considering the impact and likelihood of various threats to ePHI.
  • Taking the proper security precautions for the identified threats and sensitive records.
  • Establishing security guidelines for maintenance and best practices.

3. Revising Policies and Procedures

Your organization’s policies and practices must adhere to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Keep records so that you can carry out yearly reviews. Additionally, develop and implement:

  • Updated privacy policies.
  • Amendments to existing contracts and agreements.
  • Procedures to secure the patient's written consent before using or releasing PHI for treatment, payment, or other healthcare operations.

4. Ensuring Data Safeguards

Put data protection measures in place to secure data confidentiality, availability, and integrity. Refer to technical safeguards, physical safeguards, and administrative safeguards mentioned earlier.

5. Conducting Employee Training

All staff should receive proper cybersecurity training, and members should be made aware of the significance of HIPAA compliance. This can be done by:

  • Circulating updated privacy policies and procedures for staff members,
  • Assuring that every employee has read and agreed to your HIPAA policies and procedures,
  • Verifying that all employees have received introductory HIPAA compliance training,
  • Keeping records of all HIPAA compliance training and staff members' HIPAA rules and regulations certifications, and
  • Creating disciplinary measures, fines, and rules for privacy infractions.

6. Designating a Privacy Professional

Organizations should designate a person or office in charge of privacy-related issues, such as a security, privacy, or HIPAA compliance officer, who is responsible for creating and implementing the privacy policy. The appointed HIPAA compliance officer should provide annual training for all staff members.

7. Collaborating with Business Associates

Ensure all business associates abide by HIPAA rules by reviewing their operations and procedures annually.


Even if there is no PHI breach, failure to comply with HIPAA standards can result in significant fines, while breaches can lead to criminal charges and civil lawsuits.

The Office for Civil Rights (OCR) of the Department of Health and Human Services does not regard ignorance of the HIPAA compliance standards as a valid defense against penalties for HIPAA violations. Whether infractions are due to negligence or deliberate action, the OCR will impose fines for non-compliance with HIPAA rules.

Frequently Asked Questions

What is the HIPAA Security Rule?

The HIPAA Security Rule is part of HIPAA and outlines specific requirements for safeguarding electronic protected health information (ePHI). It establishes standards for protecting the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards.

What is the difference between HIPAA and HITECH?

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets privacy and security standards for protecting patient health information. HITECH (Health Information Technology for Economic and Clinical Health Act) is an amendment to HIPAA that promotes the adoption of electronic health records and strengthens HIPAA's enforcement by imposing stricter penalties for violations.

What are the main HIPAA rules?

HIPAA consists of three main rules:

  1. Privacy Rule: Regulates the use and disclosure of protected health information (PHI) and gives individuals control over their PHI;
  2. Security Rule: Establishes safeguards for ePHI to protect its confidentiality, integrity, and availability;
  3. Breach Notification Rule: Requires covered entities and business associates to notify individuals, the Secretary of HHS, and, in some cases, the media in the event of a breach of PHI.

Does HIPAA regulate social media?

HIPAA doesn't directly regulate social media usage. However, healthcare professionals and organizations must be cautious when using social media to ensure they don't share protected health information without authorization, which could lead to HIPAA violations.

Does HIPAA require employee training?

Yes, HIPAA requires covered entities and their business associates to provide regular training to employees who handle protected health information. This training is essential to ensure that employees understand their responsibilities in protecting patient privacy and data security.
