HIPAA Compliance Checklist (2)

The Administrative Safeguards

The Administrative Safeguards are the backbone of Security Rule compliance inasmuch as they require that a Security Officer is designated with responsibility for conducting risk analyses, implementing measures to reduce risks and vulnerabilities, workforce training, oversight of IT continuity, and Business Associate Agreements.

There is some crossover between the Security Officer and Privacy Officer roles inasmuch as both are required to develop a contingency plan to ensure business continuity and perform due diligence on Business Associates. This is likely because some Business Associates will not be subject to the Privacy Rule yet have to have to ensure business continuity and have Business Associate Agreements in place with subcontractors.

The Physical Safeguards

The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the organization´s premises. The Physical Safeguards also stipulate how workstations and mobile devices should be secured against unauthorized access.

The Technical Safeguards

The Technical Safeguards are designed to make sure each person accessing ePHI is who they say they are, that they do what they are supposed to do; and that, if an issue manifests due to an accidental or malicious action, the issue is identified and rectified at the earliest possible opportunity.

Organizational Requirements

There are several sections of the Administrative Simplification provisions entitled Organizational Requirements, but whereas the others relate to “non-general scenarios” (e.g., hybrid entities and health plan uses and disclosures), the Organizational Requirements of the Security Rule are relevant to most Covered Entities and Business Associates as they cover Business Associate Agreements.

Business Associate Agreements are also covered elsewhere in the Administrative Simplification provisions, but it is important for organizations in a business relationship in which ePHI is disclosed to be aware of this specific section because it stipulates:

• Business Associate Agreements must provide that the Business Associate complies with the applicable parts of the Security Rule,
• Business Associates that subcontract services in which ePHI is disclosed must enter into an Agreement with the subcontractor, and
• Business Associates will report any security incident – including, but not limited to, breaches of unsecured ePHI – to the Covered Entity the Agreement is with.

There are additional requirements in the Organizational Requirements for when a health plan discloses ePHI to a plan sponsor, and these are very similar to the Organizational Requirements relating to hybrid entities. The Security Rule then concludes with standards relating to document retention which are discussed in further depth in the section explaining the HIPAA Audit Checklist.

HIPAA Security Requirements Checklist

Although no standard in the Security Rule is any more important than any other, some are key to a HIPAA Security Rule checklist because – without them – it would be difficult to comply with the Rule in its entirety. Consequently, we have compiled what we feel are the twelve essential components of a HIPAA security requirements checklist.

• Step 1. Designate a HIPAA Security Officer. The role can be assigned to the HIPAA Privacy Officer; but in larger organizations, it is best to designate the role to a member of the IT team.
• Step 2. Determine which systems create, receive, maintain, or transmit ePHI and protect them from unauthorized access from other parts of the organization´s IT infrastructure.
• Step 3. Implement measures that mitigate the threats from malware, ransomware, and phishing. For example, advanced email and Internet filters with malicious URL detection capabilities.
• Step 4. Establish which workforce members should have access to ePHI and implement Role-Based Access Controls to prevent users accessing more ePHI than they are supposed to.
• Step 5. Implement a system for verifying the identity of workforce members to comply with the physical access, workstation security, and event logging requirements of the Security Rule.
• Step 6. Conduct an inventory of devices used to access ePHI and the media on which it is stored. Ensure a system is in place to record any movement of devices and media.
• Step 7. Ensure all devices used to access ePHI – including remote and personal devices – are PIN-locked and have automatic logoff capabilities activated to prevent unauthorized access.
• Step 8. Put processes in place for authorized workforce members to report security incidents or escalate security concerns to the Security Officer or Security Operations Center.
• Step 9. Implement a security awareness training program for all members of the workforce that incorporates how to escalate security concerns and incident reporting procedures.
• Step 10. Develop a sanctions policy explaining the sanctions for violating the organization´s security policies and distribute it among all members of the workforce (even those with no access to ePHI).
• Step 11. Develop a contingency plan for foreseeable events that may threaten the confidentiality, integrity, and availability of ePHI, and test the plan against each type of event.
• Step 12. Review existing Business Associate Agreements relating to disclosures of ePHI and replace any that fail to comply with the Organizational Requirements of the HIPAA Security Rule.

The HIPAA Breach Notification Rule

All organizations that create, receive, maintain, or transmit PHI or ePHI have to comply with the HIPAA Breach Notification Rule. This includes organizations not covered by the Privacy and Security Rules such as vendors of personal health records (“PHRs”), PHR-related entities (i.e., fitness tracker services that send data to or access data on a PHR), and third-party service providers.

Consequently, all organizations have to be prepared to notify individuals, the relevant federal agency, and – in some cases – local media when a breach of unsecured PHI/ePHI occurs. In such events, it is important to fulfil all the applicable requirements of the Breach Notification Rule, even if the breach relates to the health record of a single individual.

However, before actioning breach notification procedures, it is important for organizations to establish whether the breach is reportable or not. Unnecessarily reporting a data breach will likely result in an unnecessary investigation which, even if no violation is found, will result in some level of business disruption in addition to unnecessary concerns for the individual(s) affected.

Therefore, organizations should make sure that any breach is reportable by first conducting a risk assessment or taking advantage of a HIPAA breach decision tool/HIPAA breach risk assessment form to determine:

• Was ePHI encrypted and therefore unreadable, undecipherable, and unusable?
• If not, what health information and identifiers were exposed in the breach?
• Who (if known) acquired, accessed, or viewed PHI/ePHI impermissibly?
• What is the likelihood of the data being further used or disclosed?
• What measures are in place to mitigate the effect of the breach?

If a breach is reportable, individuals must be notified on the breach within sixty days. The breach notification must include information about what data has been disclosed, what the organization is doing to mitigate the effects of the breach and prevent further security incidents, and what the individual can do to best protect themselves from theft or fraud.

If the breach affects fewer than 500 individuals, organizations have until the end of each calendar year to notify HHS´ Office for Civil Rights or Federal Trade Commission. Breaches affecting 500 or more individuals must be notified to the appropriate agency and the local media within sixty days – the failure to do so attracting stiffer HIPAA violation penalties from HHS´ Office for Civil Rights or a fine of up to $46,517 per day from the Federal Trade Commission.

HIPAA IT Compliance

HIPAA IT compliance is sometimes confused with simply implementing the Safeguards of the Security Rule, but often much more is required for IT departments to be HIPAA IT compliant. For example, as most PHI is now maintained on electronic systems, IT departments have to consider how best to respond to individuals exercising their rights to access, correct, and transfer PHI.

Consequently, IT departments may be responsible for determining what data is maintained in a designated record set, what happens to data excluded from the designated record set, how information collected orally or on paper is added to the designated record set, and how the process for accounting of disclosures is managed – all Privacy Rule issues.

Due to likely being involved in the transfer of ePHI to or from Business Associates, IT departments may need to be involved in the due diligence process and will likely be the first port of call in the event of a Business Associate security incident – so therefore may need to know which party will be responsible for complying with the breach notification requirements.

It is also possible that representatives from the IT department will be involved in selected health care operations in which PHI is used or disclosed permissibly (i.e., provider or health plan evaluations, fraud and abuse detection, business planning, etc.). Consequently, they may need to be aware of the Minimum Necessary Standards and rules concerning incidental disclosures.

Additional HIPAA IT Requirements

In addition to the above – and implementing the Safeguards of the Security Rule – additional HIPAA IT requirements may include updating existing security mechanisms to meet the requirements of a “recognized cybersecurity framework” (see “Updates to HIPAA Compliance” below), preparing legacy systems for migration to the cloud, and monitoring user activity.

Ultimately – once a recognized security framework in in place and legacy systems are migrated to the cloud – it may be possible to automate many monitoring tasks. However, due to the evolving nature of cyberthreats, it will not be possible to automate periodic risk assessments and analyses and may not be possible to adjust quickly to new forms of malware, ransomware, and phishing.

Additionally, cyberattacks are not the only things that are evolving. The healthcare and health insurance landscapes are also evolving with new rules and guidance frequently being issued by HHS´ Office for Civil Rights, CMS, and the FTC. Furthermore, it is not just federal laws that IT departments have to comply with, but state laws as well.

Consequently, many IT departments have compliance requirements additional to HIPAA. Most states have privacy laws with at least one element preempting HIPAA, while some state laws extend beyond borders to protect citizens wherever they are (i.e., Texas). Organizations that treat international patients may also have to comply with the EU´s General Data Protection Regulation.

HIPAA IT Compliance Checklist

Bearing in mind the Security Rule´s “flexibility of approach”, that some smaller organizations will have limited resources, and that some larger organizations will have unique compliance challenges, there is no one-size-fits-all HIPAA IT compliance checklist. Nonetheless, we have compiled a list of best practices that can help IT departments meet the HIPAA IT requirements.

• Step 1. Understand which international, federal, and state laws your organization has to comply with and develop policies and procedures accordingly.
• Step 2. Enforce a password policy that requires the use of unique, complex passwords for each account and support the policy with mandatory MFA where practical.
• Step 3. Automate monitoring and reporting as much as possible to reduce the administrative burden of user compliance and threat management.
• Step 4. Test incident response and disaster recovery plans for every conceivable event. Ensure all team members understand their roles during such events.
• Step 5. Separate the infrastructure into a data layer and system layer to support the integrity of the system and isolate attacks on the system.
• Step 6. Implement encoding or blockchain technologies to prevent tampering and support compliance efforts to ensure the integrity of ePHI.
• Step 7. Prepare for the possibility that account credentials may be compromised and have processes ready to shut down compromised accounts remotely.
• Step 8. Map data flows – including those to/from Business Associates – to simplify risk assessments and analyses and more efficiently identify threats to ePHI.
• Step 9. Don´t assume all users have the same level of knowledge, awareness, or susceptibility. Identify where user weaknesses exist to build stronger defenses against cyberattacks.
• Step 10. Connect with third party compliance experts if you need assistance completing a HIPAA IT compliance checklist. You cannot leave security to chance!

HIPAA Audit Checklist

The final HIPAA compliance checklist concerns HIPAA audits. While OCR´s audit program may not be as active as it was a few years ago, it is still beneficial to prepare for a compliance audit as the documentation requested in an audit is the same as requested in an investigation conducted by a federal agency in response to a data breach or complaint. As with the HIPAA IT compliance checklist, there is no one-size-fits-all HIPAA audit checklist.

In order to help HIPAA Covered Entities and Business Associates compile a checklist in preparation for the OCR audit program, the Department of Health and Human Services published audit protocols for the first two rounds of audits. You can find a link to OCR´s audit protocols in our dedicated HIPAA Audit Checklist page, along with suggestions for compiling internal HIPAA audit checklists.

How to Become HIPAA Compliant

It has been mentioned several times during this article that there is no one-size-fits-all HIPAA compliance checklist. However, although not all the Rules apply to all organizations, the basics of HIPAA compliance are the same for every type of Covered Entity, Business Associate, and PHR-related entity – protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of ePHI.

Ultimately, it will likely be necessary for each Privacy Officer and each Security Officer to develop their own HIPAA compliance checklist in order to address unique challenges. We hope that this article has provided some pointers to what should be included on each type of checklist; but, if doubts exist about the comprehensiveness of an organization´s compliance efforts, it is in the organization´s best interest to speak with a professional HIPAA compliance advisor.

Updates to HIPAA Compliance in 2021

On January 5, 2020, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for healthcare organizations and business associates that have implemented recognized security best practices prior to experiencing a data breach. The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a common security framework.

The update requires the HHS’ Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires the HHS to decrease the extent and length of audits when an entity has achieved industry-standard security best practices.

On December 10, 2020, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking (NPR) under the HHS’ Regulatory Sprint to Coordinated Care initiative. The NPR included several proposed modifications to the HIPAA Privacy Rule to strengthen individuals’ access to their own protected health information and to improve the sharing of PHI stored in EHRs between covered healthcare providers and health plans.

Comments on the proposed changes are being accepted for 60 days from the date of publication in the federal register and, after consideration of submitted feedback, a final rule will be published. While that may occur in 2021, HIPAA-covered entities and business associates will be given time to implement the changes before the new regulations will be enforced.

The update will see the addition of a definition of “electronic health record”, which is “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals.”

The proposed changes in the NPR are:

• Restricting the right of individuals to transfer ePHI to a third party to ePHI that is maintained in an EHR
• Allowing patients to inspect their PHI in person, take notes, and take photographs of their health records.
• Reducing the timeframe for providing access to PHI or copies of an individual’s PHI from 30 days to 15 days
• The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
• Clarification that an individual is permitted to direct a covered entity to provide their ePHI to a personal health application
• Eliminating the requirement for HIPAA-covered entities to obtain written acknowledgment from an individual that they have received the Notice of Privacy Practices.
• A requirement for HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures consistent with a valid authorization and to provide individualized estimates for fees for providing an individual with a copy of their own PHI.
• Amending the definition of healthcare operations to broaden the scope of care coordination and case management that constitute health care operations.
• Specifying when ePHI must be provided to an individual free of charge.
• Covered entities will be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered rather than a copy.
• Covered health care providers and health plans will be required to respond to certain records requests received from other covered health care providers and health plans, when directed by individuals pursuant to the HIPAA right of access.
• Permitting covered entities to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.
• The creation of an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures, irrespective of whether the activities constitute treatment or health care operations.
• Expanding the Armed Forces permission to use or disclose PHI to all uniformed services.
• Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “seriously and reasonably foreseeable,” rather than the current definition of “serious and imminent.”

Temporary Changes to HIPAA Compliance Checklists During the COVID-19 Pandemic

Healthcare organizations are having to deal with a nationwide public health crisis, the likes of which has never been seen. The 2019 Novel Coronavirus (SARS-CoV-2) that causes COVID-19 is forcing healthcare organizations to change normal operating procedures and workflows, reconfigure hospitals to properly segregate patients, open testing centers outside of their usual facilities, work with a host of new providers and vendors, and rapidly expand telehealth services and remote care.

This colossal extra burden makes HIPAA compliance even more difficult, yet even during public health emergencies such as the COVID-19 pandemic, health plans, healthcare providers, healthcare clearinghouses, and business associates and their subcontractors must still comply with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules.

HIPAA Rules have provisions covering healthcare operations during emergencies such as natural disasters and disease pandemics; however, the current COVID-19 nationwide public health emergency has called for the temporary introduction of unprecedented flexibilities with regards to HIPAA compliance.

The HHS’ Office for Civil Rights appreciates that during such difficult times, HIPAA compliance becomes even more of a strain. In order to ensure the flow of essential healthcare information is not impeded by HIPAA regulations, and to help healthcare providers deliver high quality care, OCR has announced that penalties and sanctions for noncompliance with certain provisions of HIPAA Rules will not be imposed on healthcare providers and their business associates for good faith provision of healthcare services during the COVID-19 public health emergency.