Stutek


HIPAA Compliance Checklist 2023

If your organization is subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), it is recommended you review our 2023 HIPAA compliance checklist in order to ensure you comply with the provisions applicable to your organization's operations.

The purpose of a HIPAA compliance checklist is to ensure that organizations subject to the Administrative Simplification provisions are aware of which provisions they are required to comply with, and how best to achieve – and maintain – HIPAA compliance. It can also be important for organizations to understand the compliance obligations of business partners to ensure they are HIPAA compliant when necessary.

Being aware of your compliance obligations and those of your business partners can be vital because, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action. Although the majority of enforcement actions do not result in civil monetary penalties, complying with a corrective action plan (the most common violation resolution) will incur indirect costs and disrupt business activities.

HIPAA Compliance Checklist for Organizations

The first issue to address is whether or not your organization is subject to the Administrative Simplification provisions of HIPAA; and, if so, which provisions apply. Generally, organizations subject to all the Administrative Simplification provisions are health plans, health care clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which a HIPAA standard exists.

Organizations that meet these criteria are referred to in HIPAA as Covered Entities. However, it is important to note there are multiple exceptions to the criteria. For example, health plans that provide “excluded benefits” are not Covered Entities, on-campus health centers that only provide medical services for students are not Covered Entities, and paper-to-paper non-digital fax communications are not considered electronic transmissions.

Business partners (referred to as Business Associates in HIPAA) are generally subject to some – but not all – of the Administrative Simplification provisions depending on the type of service they perform for, or on behalf of, a Covered Entity. Generally, Business Associates are required to comply with the Security Rule and Breach Notification provisions, §164.500(c) of the Privacy Rule, and any parts of the Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.

Not every business partner is a Business Associate. A business partner is only a Business Associate if it creates, receives, maintains, or transmits Protected Health Information (PHI) for a function or activity regulated by HIPAA. Business partners providing services for, or on behalf of, Covered Entities that do not involve a use or disclosure of PHI are not subject to the Administrative Simplification provisions of HIPAA.

Other exceptions exist with regard to members of a Covered Entity's or Business Associate's workforce. Workforce members under “the direct control” of a Covered Entity or Business Associate – whether paid or not – are not Business Associates but are required to comply with provisions relevant to their roles via policies and procedures implemented by the Covered Entity or Business Associate for whom they work.

Finally, if a health plan or healthcare provider does not qualify as a Covered Entity (because of an exception) but provides a service to or on behalf of an organization that does qualify as a Covered Entity, the exempted organization must comply with the Security Rule provisions and Breach Notification provisions, and any parts of the Privacy Rule provisions stipulated in a Business Associate Agreement.

If you are already confused, our first HIPAA compliance checklist will help you determine whether or not your organization is subject to the Administrative Simplification provisions of HIPAA; and, if so, which provisions apply.

  • Is your organization the provider of an individual or group health plan, a health maintenance organization (HMO), an issuer of a Medicare supplemental policy, a federal or state-funded health program, a multi-employer welfare program, or a self-administered, employer-sponsored health plan with fifty or more plan members that pays the cost of medical care or medical items through insurance, reimbursement, or otherwise?  √ or x
  • Is your organization a health care clearinghouse, a billing service, repricing company, community health management information system, or community health information system that processes – or facilitates the processing of – health information received from an entity in a nonstandard format into a standard transaction (or vice versa)?  √ or x
  • Are you, or is your organization, a healthcare provider or pharmacy who furnishes, bills, or is paid for health care in the normal course of business – even if it is not the primary purpose of the organization – and who transmits health information in electronic form in connection with a transaction for which a HIPAA standard exists?  √ or x

If you have ticked any of the boxes in the above HIPAA compliance checklist for organizations, your organization is a Covered Entity and required to comply with the applicable Administrative Simplification provisions of the Privacy, Security, and Breach Notification Rules.

  • Do you, or does your organization, create, receive, maintain, or transmit Protected Health Information – in any medium – in the fulfilment of a function, activity, or service for, or on behalf of, a Covered Entity?  √ or x
  • Is your organization a health information organization, an e-prescribing gateway, or other organization that provides data transmission or data storage services with respect to Protected Health Information?  √ or x
  • Do you, or does your organization, provide subcontractor services for an organization of the types mentioned above that involve creating, receiving, maintaining, transmitting, using, or disclosing Protected Health Information?  √ or x

If you have ticked any of the boxes in the above HIPAA compliance checklist – and you have not already qualified as a Covered Entity – you or your organization is a Business Associate. As such, your organization must comply with the applicable Administrative Simplification provisions of the Security and Breach Notification Rules and any Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.

If you have ticked none of the boxes in the above HIPAA compliance checklists, this does not necessarily mean you are not required to comply with some Administrative Simplification provisions of HIPAA. For example, vendors of personal health records (“PHRs”) and PHR-related entities are required to comply with the HIPAA Breach Notification Rule even though they are neither Covered Entities nor Business Associates.

HIPAA Privacy Rule Checklist

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (defined as PHI when maintained or transmitted by a Covered Entity) in whatever format it is created, received, maintained, or transmitted (e.g., oral, written, or electronic). The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits on the uses and disclosures that may be made of such information without an individual’s authorization.

The Privacy Rule also gives individuals rights over their PHI – including the right to obtain a copy of PHI maintained in a designated record set, request corrections if errors exist, and transfer some or all the PHI maintained in the record set to another provider. Individuals also have the right to request an accounting of disclosures – a record of uses or disclosures of PHI over the previous six years except certain permissible or authorized disclosures.

Although the Privacy Rule applies to fewer organizations than the Security Rule, it is best to start on the path to compliance with a HIPAA requirement checklist that relates to privacy and individuals' rights. This is because the Privacy Rule is the foundation for every other HIPAA Rule; and, even if your organization is not required to comply with the Privacy Rule provisions, an understanding of what they are and their purpose is virtually essential for compliance with HIPAA's other Rules.

Consequently, the following HIPAA Privacy Rule checklist should be regarded as a starting point for any subsequent HIPAA compliance checklist that may be more appropriate for your organization.

  • Step 1. Designate a HIPAA Privacy Officer responsible for the development, implementation, and enforcement of HIPAA-compliant policies.
  • Step 2. Understand what PHI is, how it can be used and disclosed in compliance with HIPAA, and when an individual's authorization is required.
  • Step 3. Identify risks to the privacy of PHI and implement safeguards to minimize risks to a “reasonable and appropriate” level.
  • Step 4. Develop policies and procedures for using and disclosing PHI in compliance with HIPAA and for preventing HIPAA violations.
  • Step 5. Develop policies and procedures for obtaining authorizations and for giving individuals an opportunity to agree or object when required.
  • Step 6. Develop and distribute a Notice of Privacy Practices explaining how the organization uses and discloses PHI and outlining individuals' rights.
  • Step 7. Develop policies and procedures for managing patient access requests (to their PHI), correction requests, and data transfer requests.
  • Step 8. Develop procedures for members of the workforce to report HIPAA violations and for the organization to fulfil its breach notification requirements.
  • Step 9. Train members of the workforce on the policies and procedures relevant to their roles and on general HIPAA compliance.
  • Step 10. Develop and distribute a sanctions policy outlining the sanctions for non-compliance with the organization's HIPAA policies.
  • Step 11. Perform due diligence on Business Associates, review existing Business Associate Agreements, and revise as necessary.
  • Step 12. Develop and document a contingency plan for responding to an emergency that damages systems or physical locations in which PHI is maintained.

What Should a HIPAA Risk Assessment Consist Of?

Before moving ahead with other types of HIPAA compliance checklist, it is worth discussing what a HIPAA risk assessment should consist of. This is because there is a lack of guidance as to what risks should be assessed and how risk assessments should be analyzed. The Department of Health and Human Services (HHS) has explained that the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities, and complexity. However, HHS does provide guidance on the objectives of a HIPAA risk assessment:

  • Identify the PHI that your organization creates, receives, stores, and transmits – including PHI shared with consultants, vendors, and Business Associates.
  • Identify the human, natural, and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
  • Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
  • Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
  • Document the findings and implement measures, procedures, and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
  • The HIPAA risk assessment, the rationale for the measures, procedures, and policies subsequently implemented, and all policy documents must be retained for a minimum of six years.

As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued HIPAA compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist and should be reviewed whenever changes to the workforce, work practices, or technology occur.

Depending on the size, capability, and complexity of an organization, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a “specific risk analysis methodology”, there is no one-size-fits-all solution.

HIPAA Security Rule Checklist

The HIPAA Security Rule contains standards designed to ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (ePHI). The Rule consists of five sections – each of which is described in detail below, along with a HIPAA Security Rule Checklist that summarizes the key Security Rule requirements.

The General Rules

This first section of the Security Rule is frequently overlooked, yet it contains a number of key instructions to Covered Entities and Business Associates about their compliance obligations. For example, the General Rules stipulate that Covered Entities and Business Associates must:

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
  • Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted by the Privacy Rule.
  • Ensure compliance with the Security Rule by workforce members.

These are not lightweight instructions and imply organizations must identify reasonably anticipated threats and hazards, and potential impermissible uses and disclosures, implement measures to protect against them, and then monitor user activity to ensure workforces comply with Security Rule policies and procedures implemented by the organization.

The Security Rule safeguards (in sections two, three, and four) provide the minimum measures that must be implemented to comply with these instructions, but it is important to be aware that if a reasonably anticipated threat or hazard exists that is not covered by these minimum measures, organizations are responsible for developing and implementing additional measures.

In this respect, the General Rules allow for a “flexibility of approach”. The flexibility of approach clause gives organizations leeway to determine what security measures are suitable to mitigate threats, hazards, and the risk of impermissible uses and disclosures depending on their size, existing security capabilities, and the criticality of identified risks.

However, the flexibility of approach does not excuse Covered Entities and Business Associates from complying with all the Security Rule safeguards unless an implementation specification is “addressable” and either the safeguard is not reasonable or appropriate, or an equivalent alternative measure would be equally – or more – effective.
