Revised and updated for 2022.
If your organization has access to electronic Protected Health Information (ePHI), you should review your Health Insurance Portability and Accountability Act (HIPAA) compliance checklist. The purpose of a HIPAA compliance checklist is to ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.
Failure to comply with HIPAA regulations can result in substantial fines being issued. In addition, criminal charges and civil action lawsuits can be filed should a breach of ePHI occur. Complying with the HIPAA requirements is challenging on its own; the growing sophistication of attacks targeting medical data makes it harder still.
Despite advances in security technology and increased governmental cybersecurity initiatives, threat actors will not abandon their pursuit of patient data. Patient data is valuable. It can be used to file false claims, acquire prescription drugs, or receive medical care. Patient data often includes enough information to steal a person’s entire identity, allowing threat actors to open credit accounts, file fraudulent tax returns, or receive government-issued ID cards.
In light of recent data breaches, it’s clear that the healthcare industry is less prepared for HIPAA compliance than patients would expect. The security measures that HIPAA compliance provides have never been more necessary, as the value of patient data continues to rise on the dark web. Data breaches are often caused by simple, easy-to-correct issues that go unnoticed and create vulnerabilities. Even organizations with layers of sophisticated IT and cybersecurity defenses can be compromised by an employee opening a malicious email or using a weak password.
What is HIPAA Compliance?
HIPAA sets the standard for protecting sensitive patient data. Companies that deal with Protected Health Information (PHI) must establish and enforce physical, network, and process security controls to ensure HIPAA compliance.
To start your compliance efforts, you need to know where your organization fits in with HIPAA requirements. A covered entity is any healthcare provider that electronically transmits health information. A business associate is a person or an entity that has access to patient information and provides certain services to a covered entity. Both covered entities and business associates must meet HIPAA compliance. The question that typically follows is “What are the HIPAA compliance requirements?” Unfortunately, that question is not as easy to answer, because the requirements of HIPAA are intentionally vague in certain places so that HIPAA can be applied equally to every type of covered entity or business associate that handles PHI.
The HIPAA Privacy and Security Rules
The Privacy Rule establishes standards to protect an individual’s medical records and other protected health information (PHI). It concerns the uses and disclosures of PHI and defines the right for individuals to understand, access, and regulate how their medical information is used. The Privacy Rule strives to assure that an individual’s health information is properly protected. At the same time, it allows access to information needed to ensure high-quality health care and to protect the public.
While the Privacy Rule outlines what information needs to be protected, the Security Rule operationalizes the protections contained in the Privacy Rule. It does this by addressing the technical and non-technical safeguards that organizations must put in place to secure individuals’ ePHI.
The Security Rule protects a subset of the information covered by the Privacy Rule. The Privacy Rule covers all individually identifiable health information, while the Security Rule covers any such data that a covered entity creates, receives, maintains, or transmits in electronic form.
What are the HIPAA safeguards?
The Security Rule defines three categories of safeguards – technical, physical, and administrative – that covered entities and business associates need to address in their HIPAA compliance checklist.
The technical safeguards describe the technology used to protect ePHI and provide access to the data. The only defined requirement is that ePHI – whether at rest or in transit – must be encrypted to ensure the information is unreadable, undecipherable, and unusable should a data breach occur. Beyond that, organizations are free to select whichever controls are appropriate for their operating environment, including:
- PHI inventory
- Email security
- Cloud security
- Network segmentation
- Role-based access control
- Secure remote access
- Multi-factor authentication (MFA)
- Continuous monitoring and log management
The physical safeguards focus on physical access to ePHI, irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on-premises. The safeguards also dictate how workstations and mobile devices should be secured against unauthorized access by employing:
- Facility access controls
- Policies for the use and positioning of workstations
- Policies and procedures for mobile devices
- Inventory of hardware
The administrative safeguards are the policies and procedures that bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI; they also govern the conduct of the workforce.
Audits conducted by the HHS Office for Civil Rights (OCR) have identified risk assessments as the major area of Security Rule non-compliance. Healthcare providers must not only conduct an assessment but also ensure that these assessments are comprehensive and ongoing. A risk assessment is not a one-time requirement but a regular task necessary to ensure continued compliance.
HHS states that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational.” HHS recommends that organizations follow industry-standard risk analysis protocols, such as NIST SP 800-30.
Incident Reporting: Breach Notification Rule
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured patient data.
If you’re a covered entity, your notifications must be sent to affected patients by first-class mail (or email if the affected individuals agreed to receive notices) as soon as reasonably possible. This notification must be no later than 60 days after breach discovery.
If contact information for ten or more affected individuals is out of date or insufficient, or if the breach affects more than 500 residents of a state or jurisdiction, post the notice on your website for at least 90 days and/or provide notice in major print or broadcast media in the affected areas.
Covered entities also need to notify the Secretary of HHS about the breach. If a breach affects fewer than 500 individuals, the covered entity must notify the Secretary of such breaches on an annual basis. If a breach affects 500 or more individuals, the covered entity is required to notify the Secretary of HHS within 60 days of the breach, if not sooner.
To Become HIPAA Compliant, Practice Good Cyber Hygiene
While every organization is different, the end goal of a cyber hygiene program is to identify vulnerabilities, minimize risk exposure, and reduce the potential for a breach. Cyber hygiene is about consistently performing activities that minimize risk, day to day. When everyone in an organization is aware of cyber security, a security culture develops more readily.
The following are some good cyber hygiene practices that can help HIPAA-covered entities and business associates become HIPAA compliant:
- Minimize the pathways that lead to your ePHI – secure remote access with MFA, and use data-blocking USB drives.
- Be cautious of public Wi-Fi networks when using your mobile device.
- Include in your security awareness training the responsible use of social media – social engineers seek personal information to launch phishing attacks.
- Secure your remote workers.
- Establish a strong policy with frequent best-practice assessments to find and mitigate misconfigurations and known vulnerabilities.
- Secure your supply chain by performing risk assessments on all third-party relationships and partners.
- Examine your business continuity and disaster recovery plans annually.
- Involve your organization’s Board to keep security risks as a top priority. Executive buy-in will help strengthen the overall security posture.
As technology continues to advance, especially in the healthcare industry, and the value of data continues to rise, organizations need to anticipate security risks before they occur. The best way to achieve this is by consistently monitoring for the spread of PHI and other forms of personal data, using regular data discovery scans that can locate data wherever it rests. To ensure you cover all elements on your HIPAA compliance checklist, it is worth seeking guidance from HIPAA compliance experts.