If your organization is subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), it is recommended you review our 2023 HIPAA compliance checklist in order to ensure you comply with the provisions applicable to your organization's operations.
The purpose of a HIPAA compliance checklist is to ensure that organizations subject to the Administrative Simplification provisions are aware of which provisions they are required to comply with, and how best to achieve – and maintain – HIPAA compliance. It can also be important for organizations to understand the compliance obligations of business partners to ensure they are HIPAA compliant when necessary.
Being aware of your compliance obligations and those of your business partners can be vital because, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action. Although the majority of enforcement actions do not result in civil monetary penalties, complying with a corrective action plan (the most common violation resolution) will incur indirect costs and disrupt business activities.
The first issue to address is whether or not your organization is subject to the Administrative Simplification provisions of HIPAA; and, if so, which provisions apply. Generally, organizations subject to all the Administrative Simplification provisions are health plans, health care clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which a HIPAA standard exists.
Organizations that meet these criteria are referred to in HIPAA as Covered Entities. However, it is important to note there are multiple exceptions to the criteria. For example, health plans that provide “excluded benefits” are not Covered Entities, on-campus health centers that only provide medical services for students are not Covered Entities, and paper-to-paper non-digital fax communications are not considered electronic transmissions.
Business partners (referred to as Business Associates in HIPAA) are generally subject to some – but not all – of the Administrative Simplification provisions depending on the type of service they perform for, or on behalf of, a Covered Entity. Generally, Business Associates are required to comply with the Security Rule and Breach Notification provisions, §164.500(c) of the Privacy Rule, and any parts of the Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.
Not every business partner is a Business Associate. A business partner is only a Business Associate if it creates, receives, maintains, or transmits Protected Health Information (PHI) for a function or activity regulated by HIPAA. Business partners providing services for, or on behalf of, Covered Entities that do not involve a use or disclosure of PHI are not subject to the Administrative Simplification provisions of HIPAA.
Other exceptions exist with regard to members of a Covered Entity's or Business Associate's workforce. Workforce members under "the direct control" of a Covered Entity or Business Associate, whether paid or not, are not Business Associates but are required to comply with provisions relevant to their roles via policies and procedures implemented by the Covered Entity or Business Associate for whom they work.
Finally, if a health plan or healthcare provider does not qualify as a Covered Entity (because of an exception) but provides a service to or on behalf of an organization that does qualify as a Covered Entity, the exempted organization must comply with the Security Rule provisions and Breach Notification provisions, and any parts of the Privacy Rule provisions stipulated in a Business Associate Agreement.
If you are already confused, our first HIPAA compliance checklist will help you determine whether or not your organization is subject to the Administrative Simplification provisions of HIPAA; and, if so, which provisions apply.
If you have ticked any of the boxes in the above HIPAA compliance checklist for organizations, your organization is a Covered Entity and required to comply with the applicable Administrative Simplification provisions of the Privacy, Security, and Breach Notification Rules.
If you have ticked any of the boxes in the above HIPAA compliance checklist, and you have not already qualified as a Covered Entity, your organization is a Business Associate. As such, your organization must comply with the applicable Administrative Simplification provisions of the Security and Breach Notification Rules and any Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.
If you have ticked none of the boxes in the above HIPAA compliance checklists, this does not necessarily mean you are not required to comply with some Administrative Simplification provisions of HIPAA. For example, vendors of personal health records (“PHRs”) and PHR-related entities are required to comply with the HIPAA Breach Notification Rule even though neither a Covered Entity nor a Business Associate.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (defined as PHI when maintained or transmitted by a Covered Entity) in whatever format it is created, received, maintained, or transmitted (e.g., oral, written, or electronic). The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits on the uses and disclosures that may be made of such information without an individual’s authorization.
The Privacy Rule also gives individuals rights over their PHI, including the right to obtain a copy of PHI maintained in a designated record set, to request amendments if errors exist, and to have some or all of the PHI maintained in the record set transferred to another provider. Individuals also have the right to request an accounting of disclosures: a record of disclosures of PHI made over the previous six years, excluding certain permitted disclosures (for example, disclosures for treatment, payment, or health care operations, or disclosures to the individual).
Although the Privacy Rule applies to fewer organizations than the Security Rule, it is best to start on the path to compliance with a HIPAA requirement checklist that relates to privacy and individuals' rights. This is because the Privacy Rule is the foundation for every other HIPAA Rule; and, even if your organization is not required to comply with the Privacy Rule provisions, an understanding of what they are and their purpose is virtually essential for compliance with HIPAA's other Rules.
Consequently, the following HIPAA Privacy Rule checklist should be regarded as a starting point for any subsequent HIPAA compliance checklist that may be more appropriate for your organization.
Before moving ahead with other types of HIPAA compliance checklist, it is worth discussing what a HIPAA risk assessment should consist of. This is because there is little official guidance on which risks should be assessed and how the findings of a risk assessment should be analyzed. The Department of Health and Human Services (HHS) has explained that the absence of a "specific risk analysis methodology" is deliberate, because Covered Entities and Business Associates differ in size, capability, and complexity. However, HHS does provide guidance on the objectives of a HIPAA risk assessment:
A HIPAA risk assessment is not a one-time requirement, but a recurring task necessary to ensure continued HIPAA compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist and should be reviewed whenever changes to the workforce, work practices, or technology occur.
Depending on the size, capability, and complexity of an organization, compiling a fully comprehensive HIPAA risk assessment can be a time-consuming task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a "specific risk analysis methodology", there is no one-size-fits-all solution.
The HIPAA Security Rule contains standards designed to ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (ePHI). The Rule consists of five sections – each of which is described in detail below, along with a HIPAA Security Rule Checklist that summarizes the key Security Rule requirements.
This first section of the Security Rule is frequently overlooked, yet it contains a number of key instructions to Covered Entities and Business Associates about their compliance obligations. For example, the General Rules stipulate that Covered Entities and Business Associates must:
These are not lightweight instructions. They imply that organizations must identify reasonably anticipated threats and hazards, and potential impermissible uses and disclosures, implement measures to protect against them, and then monitor user activity to ensure workforces comply with the Security Rule policies and procedures the organization has implemented.
The Security Rule safeguards (in sections two, three, and four) provide the minimum measures that must be implemented to comply with these instructions, but it is important to be aware that if a reasonably anticipated threat or hazard exists that is not covered by these minimum measures, organizations are responsible for developing and implementing additional measures.
In this respect, the General Rules allow for a “flexibility of approach”. The flexibility of approach clause gives organizations leeway to determine what security measures are suitable to mitigate threats, hazards, and the risk of impermissible uses and disclosures depending on their size, existing security capabilities, and the criticality of identified risks.
However, the flexibility of approach does not excuse Covered Entities and Business Associates from complying with all the Security Rule safeguards. The only exception is where an implementation specification is "addressable" and either the safeguard is not reasonable or appropriate in the organization's environment, or an equivalent alternative measure would be equally or more effective; in either case the decision and its rationale must be documented.