Revised and updated for 2021.

If your organization has access to electronic Protected Health Information (ePHI), you should review your Health Insurance Portability and Accounting Act (HIPAA) compliance checklist. The purpose of a HIPAA compliance checklist is to ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.

Failure to comply with HIPAA regulations can result in substantial fines being issued, criminal charges and civil action lawsuits being filed should a breach of ePHI occur. Complying with the HIPAA requirements is challenging already, let alone by combining these challenges with the coronavirus global pandemic.

Dramatic shifts in virtual work and a rise in telehealth happened overnight, leaving many healthcare providers and related organizations unprepared. These types of unprecedented events and changes can leave both small and large organizations vulnerable to a myriad of external and inside threats, as well as reputation-damaging fines. Now is the time to get a better understanding of compliance and continuity across the organization. Let’s explore how to achieve this.

The HIPAA sets the standard for protecting sensitive patient data. Companies that deal with Protected Health Information (PHI) must establish and enforce have physical, network, and process security controls to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides certain services to a covered entity) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also comply.

The question that typically follows is “What are the HIPAA compliance requirements?”. Unfortunately, that question is not as easy to answer. This is because the requirements of HIPAA are intentionally vague in certain places so HIPAA can be applied equally to every different type of covered entity or business associate that handles PHI.

The HIPAA Privacy Rule establishes national standards for the protection of certain health information, while the Security Rule establishes a national set of security standards for protecting specific health information that is stored or transferred in electronic form.

The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ ePHI. Despite the intentionally vague HIPAA requirements, every covered entity and business associate that has access to PHI must ensure not only that the technical, physical, and administrative safeguards are in place but also that they are being enforced.  Moreover, these entities must comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and – if a breach of PHI should occur – that they follow the procedure in the HIPAA Breach Notification Rule.

In March, the U.S. Department of Health and Human Services (HHS) chose not to impose penalties for non-compliance around telehealth during COVID-19. While this has allowed healthcare providers to deliver care from wherever they are, organizations that handle PHI must remain vigilant. Telehealth services have been critical to providing continuity of care but this efficiency can put personal patient information at higher risk of unauthorized access leading to a greater number of data breaches.

The urgency to manage COVID-19 has created an environment where organizations may be moving too fast for their own good. For example, a business may have the best intentions by creating a customer sign-in register with a temperature check before they enter the premises, but where is this data being stored? And more importantly, who has access to it? These are questions some organizations may have never had to consider, but now, it is at the forefront of every compliance officer’s mind.

Businesses should be hyper-aware of the value, location, and security measures to protect PHI. While the long-term effects of COVID-19 remain to be seen, the collection of PHI may become more prevalent.

The Security Rule defines three categories of safeguards – technical, physical, and administrative – that covered entities and business associates need to address in their HIPAA compliance checklist.

Technical Safeguards

The technical safeguards describe the technology used to protect ePHI and provide access to the data. The only defined requirement is that ePHI – whether at rest or in transit – must be encrypted to the NIST standards to ensure the information is unreadable, undecipherable, and unusable should a data breach occurs. Thereafter, organizations are free to select whichever controls are adequate to their operating environment, including:

  • Access control
  • Strong authentication
  • Continuous monitoring and auditing
  • Automatic log-off of PCs and devices

Physical Safeguards

The physical safeguards focus on physical access to ePHI, irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers that are located within the premises of the HIPAA covered entity. They also dictate how workstations and mobile devices should be secured against unauthorized access by employing:

  • Facility access controls
  • Policies for the use/positioning of workstations
  • Policies and procedures for mobile devices
  • Inventory of hardware

Administrative Safeguards

The administrative safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.

The audits conducted by OCR have identified that risk assessments are the major area of Security Rule non-compliance. Healthcare providers need not only conduct an assessment, but they must ensure these assessments are comprehensive and ongoing. This means that a risk assessment is not just a one-time requirement, but a regular task necessary to ensure continued compliance.

The administrative safeguards include:

  • Conducting risk assessments
  • Introducing a risk management policy
  • Training employees to be secure
  • Developing a contingency plan
  • Testing of contingency plan
  • Restricting third-party access
  • Reporting security incidents

Incident Reporting: Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the HHS of such a breach and issue a notice to the media if the breach affects more than 500 patients.

There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.

Breach notifications to patients should include the following information:

  • Brief description of the breach, including date of breach and date of discovery.
  • Types of unsecured PHI that were involved.
  • Steps individuals should take to protect themselves from harm resulting from the breach.
  • Description of what the entity is doing to investigate the breach, mitigate harm, and protect against further breaches.
  • Contact information for individuals to ask questions or learn about the breach.

Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.

Penalties: HIPAA Enforcement Rule

The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:

  • A violation attributable to ignorance can attract a fine of $100 – $50,000.
  • A violation that occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
  • A violation due to willful neglect which is corrected within thirty days can attract a fine of between $10,000 and $50,000.
  • A violation due to willful neglect which is not corrected within thirty days can attract a fine of $50,000. Fines can amount to as much as $1,500,000 for additional identical violations within the same year.

It should be noted that the penalties for willful neglect can also lead to criminal charges being filed. The most common causes of ePHI breach are:

  • Misuse and unauthorized disclosures of patient records.
  • No protection in place for patient records.
  • Patients are unable to access their patient records.
  • Using or disclosing to third parties more than the minimum necessary protected health information
  • No administrative or technological safeguards for electronically protected health information.

What is the easiest way to become HIPAA compliant?

You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates all the technical, administrative, and physical safeguards of the HIPAA Security Rule.  You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules.

The good news is that in order to assist entities that need to comply with HIPAA, NIST has published SP 800-66 REV1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This publication provides mapping with other NIST publications. More specifically, for the requirement of data encryption, either in transit or at rest, maps with the NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, SC-12 and SC-13.

Furthermore, organizations that are required to be HIPAA compliant, can also consult the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory. Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful as a starting place to identify potential gaps in their programs. Addressing these gaps can bolster their compliance with the Security Rule and improve their ability to secure ePHI and other critical information and business processes. This mapping document also allows organizations to communicate activities and outcomes internally and externally regarding their cybersecurity program by utilizing the Cybersecurity Framework as a common language.

As technology continues to advance, especially in the healthcare industry, and the value of data continues to rise, organizations need to anticipate security risks before they occur. The best way to achieve this is by consistently monitoring for the spread of PHI and other forms of personal data-using regular data discovery scans that can locate data wherever it rests.

To ensure you cover all elements on your HIPAA compliance checklist, it is worthwhile to seek expert guidance from HIPAA compliance experts. Find out how ITEGRITI can help your company become HIPAA compliant.