HIPAA Compliance Checklist 2018-2019
If your group manages electronic Protected Health Information (ePHI), the best thing for you to do is to carefully consider all of the information included here in our HIPAA compliance checklist 2018-2019. The purpose of our HIPAA compliance checklist is to help ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.
Failure to adhere to HIPAA regulations can result in massive fines being issued, and in criminal charges and civil action lawsuits being filed if a breach of ePHI takes place. There are also regulations you need to be conscious of when reporting a breach to the OCR and when issuing breach alerts to patients.
Not knowing HIPAA regulations is not regarded as a justifiable excuse by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR will impose fines for non-compliance regardless of whether the violation was inadvertent or happened due to willful neglect.
Our HIPAA compliance checklist 2018-2019 has been put together by dissecting the HIPAA Security and Privacy Rules, the HIPAA Breach Notification Rule, HIPAA Omnibus Rule and the HIPAA Enforcement Rule. If you are not certain as to whether you need to comply with these HIPAA regulations you should refer to our “HIPAA Explained” page. For more details on the background to the regulations please look over our “HIPAA History” section.
HIPAA Compliance Checklist
Our HIPAA compliance checklist has been split into segments for each of the applicable regulations. It should be remembered that there is no hierarchy in HIPAA regulations, and even though some privacy and security measures are labelled as “addressable”, this does not mean they are optional. All of the elements in our HIPAA compliance checklist have to be adhered to if your group is to achieve full HIPAA compliance.
What is referred to as HIPAA Compliance?
Before talking about the elements of our HIPAA compliance checklist, it is best to consider the question “What is HIPAA compliance?” HIPAA compliance involves meeting the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any linked legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Usually the question following “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” That question is not so easy to address as – in places – the requirements of HIPAA are intentionally not clear. This is so HIPAA can be applied equally to each different type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI). For the sake of clarification:
What is referred to as a Covered Entity?
A covered entity is a health care provider, a health plan or a healthcare clearing house which, in its normal duties, creates, maintains or shares PHI. There are some exceptions. Most health care providers employed by a hospital are not covered entities themselves. The hospital is the covered entity and is charged with implementing and enforcing HIPAA compliant policies.
Employers – even though they maintain health care information about their staff – are not generally covered entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these instances they are considered to be “hybrid entities” and any unauthorized disclosure of PHI may still be thought of as a breach of HIPAA.
What is referred to as a Business Associate?
A “business associate” is a person or company that provides a service to – or performs a certain function or activity for – a covered entity when that service, function or activity involves the business associate having access to PHI managed by the covered entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc.
Before being given access to PHI, the Business Associate must complete a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate's possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.
Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must see to it that the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI take place – they follow the procedure in the HIPAA Breach Notification Rule.
All risk assessments, HIPAA-related policies and the reasons why addressable safeguards have not been put in place must be documented in case a breach of PHI occurs and an investigation takes place to determine how the breach happened. Each of the HIPAA requirements is outlined in more detail below. Businesses unsure of their obligation to comply with the HIPAA requirements should seek professional guidance.
HIPAA Security Rule
The HIPAA Security Rule includes the standards that must be applied to secure and safeguard ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to private patient data. By “access” we mean having the means necessary to read, write, change or communicate ePHI or personal identifiers which reveal the identity of an individual (for an explanation of “personal identifiers”, please refer to our “HIPAA Explained” page).
There are three different parts to the HIPAA Security Rule – technical safeguards, physical security measures and administrative safeguards – and we will address each of these in order in our HIPAA compliance checklist.
Technical Security Measures
The Technical Safeguards relate to the technology that is used to safeguard ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it moves beyond an organization's internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Beyond that, groups are free to select whichever mechanisms are most appropriate to:

| Implementation Specification | Required or Addressable | Additional Details |
| --- | --- | --- |
| Implement a means of access control | Required | This not only refers to assigning a centrally-controlled unique username and PIN code for each user, but also to creating procedures to govern the release or sharing of ePHI during an emergency. |
| Introduce a mechanism to authenticate ePHI | Addressable | This mechanism is vital in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized fashion. |
| Implement tools for encryption and decryption | Addressable | This guideline refers to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and to decrypt those messages when they are received. |
| Introduce activity logs and audit controls | Required | The audit controls required by the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been viewed or downloaded. |
| Facilitate automatic log-off of PCs and devices | Addressable | This function logs authorized personnel off of the device they are using to access or send ePHI after a pre-defined period of time. This stops unauthorized access to ePHI should the device be left unattended. |
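The “mechanism to authenticate ePHI” row above asks for a way to confirm that a record has not been altered or destroyed without authorization. The following is an added example, not code from the original checklist or from any product it mentions, showing one common way to do that: an HMAC-SHA256 tag computed over a canonical serialization of the record and verified with a constant-time comparison. The key, the sample record and the function names are constructed for the demonstration; in a real deployment the key would come from a key management service, never from source code.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. A production system would fetch this from a
# key management service or HSM and rotate it; it must never live in source.
DEMO_KEY = b"demo-integrity-key-not-for-production"

# Constructed sample ePHI record (fictional patient data for the example only).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis": "Z00.00 general adult medical examination",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, fixed separators)
    so that semantically identical records always produce identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = DEMO_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical form of the record.
    Store the tag alongside the record (or in a separate audit store)."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed under `key`.
    compare_digest avoids leaking the match position through timing."""
    expected = seal_record(record, key)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    tag = seal_record(SAMPLE_RECORD)
    print("original verifies:", verify_record(SAMPLE_RECORD, tag))

    # Simulate an unauthorized alteration of one field.
    tampered = dict(SAMPLE_RECORD, diagnosis="F99 altered entry")
    print("tampered verifies:", verify_record(tampered, tag))
```

The tag detects modification but does not by itself prove who changed the record or when; that is the job of the audit controls in the same table, so the tag should be written to the audit log together with the user and timestamp of each change.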
Physical Security Measures
The Physical Safeguards focus on physical access to ePHI irrespective of where it is located. ePHI could be held in a remote data center, in the cloud, or on servers which are located inside the premises of the HIPAA covered entity. They also state how workstations and mobile devices should be safeguarded from unauthorized access:

| Implementation Specification | Required or Addressable | Additional Details |
| --- | --- | --- |
| Facility access controls must be implemented | Addressable | Manages who has physical access to the location where ePHI is stored, covering software engineers, cleaners, etc. The processes must also include safeguards to stop unauthorized physical access, tampering, and theft. |
| Policies for the use/positioning of workstations | Required | Policies must be created and put in place to limit the use of workstations that have access to ePHI, to specify the protective surroundings of a workstation and to govern how functions are to be carried out on the workstations. |
| Policies and procedures for mobile devices | Required | If users are permitted to access ePHI from their mobile devices, policies must be devised and put in place to govern how ePHI is removed from the devices if the user leaves the group or the device is re-used, sold, etc. |
| Inventory of hardware | Addressable | An inventory of all hardware must be maintained, along with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved. |
Administrative Security Measures
The Administrative Security Measures are the policies and processes which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and state that a Security Officer and a Privacy Officer be assigned to put the measures in place to safeguard ePHI, while they also govern the conduct of the workforce.
The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits; not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing. A risk assessment is not a one-time obligation, but an ongoing task necessary to ensure continued compliance.
The administrative safeguards include:

| Implementation Specification | Required or Addressable | Additional Details |
| --- | --- | --- |
| Conducting risk assessments | Required | Among the Security Officer's main roles is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could take place. |
| Introducing a risk management policy | Required | The risk assessment must be repeated at regular intervals, with measures introduced to reduce the risks to an appropriate level. A sanctions policy for staff members who fail to comply with HIPAA regulations must also be introduced. |
| Training employees to be secure | Addressable | Training schedules must be created to increase awareness of the policies and procedures governing access to ePHI and of how to identify malicious software attacks and malware. All training must be recorded. |
| Developing a contingency plan | Required | Should an emergency take place, a contingency plan must be ready to enable the continuation of critical business processes while safeguarding the integrity of ePHI while a group operates in emergency mode. |
| Testing of contingency plan | Addressable | The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures available to restore lost data in the event of an emergency. |
| Restricting third-party access | Required | It is important to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are completed with business partners who will have access to ePHI. |
| Reporting security incidents | Addressable | The reporting of security incidents is not the same as the Breach Notification Rule (below), inasmuch as incidents can be contained and data retrieved before the incident becomes a breach. |
The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be put in place, whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, covered entities have the choice to introduce an appropriate alternative, or not to introduce the safeguard at all.
That decision will depend on factors such as the group’s risk analysis, risk mitigation strategy and what other security measures are already established. The decision must be recorded in writing and include the factors that were taken into account, as well as the results of the risk assessment, on which the decision was based.
HIPAA Privacy Rule
The HIPAA Privacy Rule relates to how ePHI can be used and shared. In force since 2003, the Privacy Rule applies to all healthcare groups, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered groups.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets restrictions and conditions on the use and disclosure of that information without patient authorization. The Rule also grants patients – or their nominated representatives – rights over their health information, including the right to obtain a copy of their health records – or review them – and the ability to request amendments if necessary.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be made available to advise patients and plan members of the circumstances under which their data will be used or shared.
Covered entities should also:
- Train staff members to ensure they are aware what data may – and may not – be shared outside of an organization’s security mechanism.
- Ensure proper steps are taken to ensure the integrity of ePHI and the individual personal identifiers of patients.
- Make sure written permission is obtained from patients before their healthcare data is used for purposes such as marketing, fundraising or research.
Covered entities should make sure their patient authorization forms have been updated to include the sharing of immunization records to schools, include the option for patients to limit disclosure of ePHI to a health plan (when they have paid for a procedure privately) and also the option of supplying an electronic copy to a patient when it is needed.
The complete content of the HIPAA Privacy Rules can be located on the Department of Health & Human Services website.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to make patients aware when there is a breach of their ePHI. The Breach Notification Rule also requires entities to quickly alert the Department of Health and Human Services of such a breach of ePHI and to release a notice to the media if the breach affects more than 500 patients.
There is also an obligation to report smaller breaches – those affecting fewer than 500 people – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been carried out. The OCR only requires these reports to be made annually.
Breach alerts should include the following details:
- The nature of the ePHI involved, including the range of personal identifiers exposed.
- The unauthorized individual who used the ePHI or with whom the PHI was shared (if known).
- If the ePHI was specifically acquired or viewed (if known).
- The extent to which the risk of damage has been addressed.
Breach alerts must be made without unreasonable delay and in no case later than 60 days following the identification of a breach. When alerting a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from possible damage, include a short description of what the covered entity is doing to investigate the breach and the actions taken so far to stop further breaches and security incidents.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule was passed to address a number of areas that had been omitted by previous updates to HIPAA. It changed definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to include Business Associates and all their subcontractors.
Business Associates are classed as any person or group that creates, receives, maintains or shares Protected Health Information in the course of performing functions on behalf of a covered group. The term Business Associate also includes contractors, consultants, data storage firms, health information groups and any subcontractors used by Business Associates.
The Omnibus Rule alters HIPAA regulations in five key sections:
- Bringing in the final amendments as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Including the higher, tiered civil money penalty structure as required by HITECH.
- Introducing amendments to the harm threshold and including the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act.
- Changing HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to prohibit the sharing of genetic information for underwriting reasons.
- Stopping the use of ePHI and personal identifiers for marketing reasons.
Definition amendments were also introduced to the term Business Associate, the term Workforce was amended to include employees, volunteers and trainees, and what material is now defined as Protected Health Information.
Covered groups must now:
- Update Business Associate Agreements – Old BA agreements must be amended to take the Omnibus Rule into account. Business Associates must be made aware that they are bound by the same Security Rule and Privacy Rule regulations as covered groups, and must similarly put in place the proper technical, physical and administrative safeguards to protect ePHI and personal identifiers. BAs must comply with patient access requests for information, data breaches must be reported to the covered entity without delay, and assistance with breach notification procedures must also be supplied.
- Complete new Business Associate Agreements – A new HIPAA-compliant agreement must be completed before the services provided by a BA begin.
- Bring privacy policies up to date – Privacy policies must be brought up to date to include the Omnibus Rule definition changes. These include changes relating to deceased persons, patient access rights to their ePHI and the response to access requests. Policies should also reflect the new limitations on sharing with Medicare and insurers, the disclosure of ePHI for school immunizations, the sale of ePHI and its use for marketing, fundraising and research reasons.
- Update Notices of Privacy Practices – NPPs must be amended to account for the types of information that require an authorization and the right to opt out of correspondence for fundraising purposes, and must factor in the new breach notification obligations.
- Train employees – Staff must be trained on the Omnibus Rule amendments and definition amendments. All training must be officially recorded.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule relates to the investigations that follow a breach of ePHI, the penalties that could be imposed on covered groups responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered groups should be aware of the following fines:
- A violation attributable to ignorance can result in a fine of $100 – $50,000.
- A violation which occurred despite reasonable vigilance can result in a fine of $1,000 – $50,000.
- A violation due to willful neglect which is corrected within thirty days will result in a fine of between $10,000 and $50,000.
- A violation due to willful neglect which is not corrected within thirty days will result in the maximum fine of $50,000.
Fines are imposed per violation category and take into account the number of records exposed in a breach, the risk posed by the exposure of that data and the level of negligence involved. Fines can easily reach the maximum of $1,500,000 per year, per violation category. It should also be remembered that willful neglect can also lead to criminal charges being filed. Civil legal actions for damages can also be filed by victims of a breach. The groups most commonly subject to enforcement action are private medical clinics (solo doctors or dentists, group practices, and so on), hospitals, outpatient facilities such as pain clinics or rehabilitation centers, insurance groups, and pharmacies. The most common complaints made to the HHS include:
- Misuse and unauthorized sharing of patient records.
- No security in place for patient records.
- Patients unable to view their patient records.
- Using or sharing with third parties more than the minimum required protected health information.
- No administrative or technological security measures for electronic protected health information.
What Should a HIPAA Risk Assessment Include?
Throughout the HIPAA legislation, there is no guidance about what a HIPAA risk assessment should include. OCR explains that the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities and complexity. However, OCR does share guidance on the objectives of a HIPAA risk assessment:
- Spot the PHI that your organization creates, receives, stores and shares – including PHI shared with consultants, vendors and Business Associates.
- Establish the human, natural and environmental dangers to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
- Deduce the possible impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Record the findings and implement measures, processes and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance is in place.
- The HIPAA risk assessment, the basis for the measures, processes and policies subsequently put in place, and all policy documents must be kept for at least six years.
As referred to earlier, a HIPAA risk assessment is not a one-time obligation, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and a review of its findings will help groups to comply with many other areas on our HIPAA compliance checklist, and should be revisited whenever changes to the workforce, work practices or technology happen.
Depending on the size, capability and complexity of a Covered Entity, putting together a thorough HIPAA risk assessment can be an extremely long-winded task. There are different online tools that can help groups with the compilation of a HIPAA risk assessment; although, due to the lack of a “specific risk analysis methodology”, there is no “one-size-fits-all” solution.
Most ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unprotected ePHI across open networks.
Breaches of this kind are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every instance, it is a safeguard which should be thoroughly evaluated and addressed. Suitable alternatives should be used if data encryption is not used. Data encryption renders stored and transmitted data unreadable and unusable in the event of it being stolen.
Data is first changed to an unreadable format – termed ciphertext – which cannot be unlocked without a secret key that changes the encrypted data back to its original format. If an encrypted device is lost or stolen, it will not lead to a HIPAA breach for the exposure of patient data. Data encryption is also important on computer networks to prevent hackers from gaining unauthorized access.
Becoming HIPAA Compliant
Many suppliers would love to develop apps, software, or services for the healthcare industry, although they are not sure how to become HIPAA compliant. While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are addressed, it can be a difficult process for groups unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and put in place all appropriate privacy and security measures.
Until suppliers can confirm they have created all the appropriate security measures to secure ePHI at rest and in transit, and have policies and procedures in place to stop and detect unauthorized disclosures, their products and services cannot be used by HIPAA-covered groups. So, what is the simplest way to become HIPAA compliant?
You will certainly have to use a HIPAA compliance checklist to make sure your group, product, or service incorporates all of the technical, administrative, and physical security measures of the HIPAA Security Rule. You must also adhere to the legal obligations of the HIPAA Privacy and Breach Notification Rules.
Get anything wrong and fail to secure ePHI and, as a HIPAA business associate, you can be fined directly for HIPAA breaches by the HHS’ Office for Civil Rights, state attorneys general and other regulators. Criminal sanctions may also be applicable for some breaches. HIPAA compliance can therefore be daunting, although the possible benefits of moving into the healthcare market are massive.
To ensure you cover all aspects on your HIPAA compliance checklist and leave nothing missed, it is worthwhile seeking expert guidance from HIPAA compliance experts. Many businesses provide HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure constant compliance with HIPAA Rules, and award you HIPAA certification.
HIPAA IT Compliance
HIPAA IT compliance is chiefly concerned with seeing to it that all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA compliance checklist are addressed.
Risk assessment and management is an important consideration for HIPAA IT compliance. One way to help ensure danger points are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework will help you to prevent data breaches, and to detect and respond to attacks in a HIPAA compliant manner when attacks do happen.
HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that ‘touches’ ePHI must incorporate appropriate security protections to ensure the confidentiality, integrity, and availability of ePHI.
One part of the HIPAA compliance checklist that is often far down on the priority list is reviewing ePHI access logs regularly. Inappropriate access to ePHI by healthcare staff is common, yet many covered entities fail to complete regular audits, and inappropriate access can go on for months or sometimes years before it is discovered.
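As an added example (not code from the original checklist or from any product it mentions), the script below shows what a regular ePHI access-log review can look like in practice. It parses a constructed CSV access log, checks each access against a constructed table of documented treatment or billing relationships, and flags two patterns a reviewer typically looks for: access to a patient the user has no documented relationship with, and many distinct patient records opened by one user in a short window. The log format, the assignment table, the thresholds and the function names are all assumptions made for the demonstration; a real review would read from the EHR's own audit trail and tune the thresholds per role.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, role, patient id, action.
ACCESS_LOG = """\
2019-03-04T08:02:11,nurse_kim,nurse,P-1001,view
2019-03-04T08:05:42,nurse_kim,nurse,P-1002,view
2019-03-04T09:12:07,dr_ortiz,physician,P-2001,view
2019-03-04T09:40:19,clerk_lee,billing,P-1001,view
2019-03-04T09:41:03,clerk_lee,billing,P-1002,view
2019-03-04T09:41:30,clerk_lee,billing,P-1003,view
2019-03-04T09:42:01,clerk_lee,billing,P-1004,view
2019-03-04T13:15:55,nurse_kim,nurse,P-3001,view
"""

# Constructed table of documented treatment/billing relationships
# (user -> set of patient ids that user is authorized to work with).
ASSIGNMENTS = {
    "nurse_kim": {"P-1001", "P-1002"},
    "dr_ortiz": {"P-2001"},
    "clerk_lee": {"P-1001", "P-1002", "P-1003", "P-1004"},
}


def parse_log(text):
    """Turn the CSV audit trail into a list of event dicts with real datetimes."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, role, patient, action = row
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def review_access(events, assignments, bulk_threshold=4, window=timedelta(minutes=10)):
    """Return a list of findings for a human reviewer.

    Check 1 (no_relationship): the user opened a record for a patient they
    have no documented relationship with. This is the classic "snooping" case.
    Check 2 (bulk_access): one user opened `bulk_threshold` or more distinct
    patient records within `window`; this can be legitimate for some roles,
    so the threshold is a per-role tuning knob rather than a hard rule.
    """
    findings = []

    for e in events:
        if e["patient"] not in assignments.get(e["user"], set()):
            findings.append(("no_relationship", e["user"], e["patient"], e["time"].isoformat()))

    by_user = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Distinct patients touched by this user within the window ending at e.
            recent = {x["patient"] for x in evs[: i + 1] if e["time"] - x["time"] <= window}
            if len(recent) >= bulk_threshold:
                findings.append(("bulk_access", user, len(recent), e["time"].isoformat()))
                break  # one finding per user is enough to trigger a manual review
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(ACCESS_LOG), ASSIGNMENTS):
        print(finding)
```

Each finding is a starting point for a human review, not a conclusion: the relationship table must be kept current from scheduling and billing systems, and the bulk-access threshold should be set per role so that, for example, a billing clerk's normal workload does not drown out a genuine anomaly.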
HIPAA Compliance Checklist for IT
Along with the rules and regulations that are included on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to grow the security of Protected Health Information.
Possible flaws in security due to the use of personal mobile devices in the workplace can be eliminated by the use of a secure messaging solution. Secure messaging solutions allow designated personnel to share PHI – and send attachments containing PHI – through encrypted text messages that comply with the physical, technical and administrative security measures of the HIPAA Security Rule.
Email is another part of HIPAA in which potential lapses in security are present. Emails including PHI that are sent beyond an internal firewalled network should be encrypted. It should also be taken into account that emails containing PHI are part of a patient’s medical record and should therefore be archived safely in an encrypted format for at least six years.
As medical histories can result in a higher selling price on the black market than credit card information, security measures should be created to stop phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been blamed on criminals obtaining passwords to EMRs or other databases, and healthcare groups can address the danger of this occurring with a web content filter.
Additional HIPAA IT Obligations
Along with the technological regulations mentioned above, there are many other HIPAA IT requirements that are easy to miss – for example the facility access rules within the physical security measures of the Security Rule. These HIPAA IT requirements may inadvertently be missed if the IT Department has no responsibility for the physical security of its servers, and it will be the HIPAA Security Officer’s duty to establish responsibility.
Other parts of the HIPAA IT requirements frequently forgotten include Business Associate Agreements with SaaS providers and hosting firms who may have access to PHI via the services they provide. The same applies to software developers who build eHealth apps that will transmit PHI. There has to be a Business Associate Agreement in place with any health care provider distributing the app in order to be compliant with the HIPAA IT obligations.