The Administrative Safeguards are the backbone of Security Rule compliance inasmuch as they require that a Security Officer is designated with responsibility for conducting risk analyses, implementing measures to reduce risks and vulnerabilities, workforce training, oversight of IT continuity, and Business Associate Agreements.
There is some crossover between the Security Officer and Privacy Officer roles inasmuch as both are required to develop a contingency plan to ensure business continuity and perform due diligence on Business Associates. This is likely because some Business Associates will not be subject to the Privacy Rule yet still have to ensure business continuity and have Business Associate Agreements in place with subcontractors.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers located within the organization's premises. The Physical Safeguards also stipulate how workstations and mobile devices should be secured against unauthorized access.
The Technical Safeguards are designed to make sure that each person accessing ePHI is who they say they are and does only what they are supposed to do, and that, if an issue arises from an accidental or malicious action, the issue is identified and rectified at the earliest possible opportunity.
There are several sections of the Administrative Simplification provisions entitled Organizational Requirements, but whereas the others relate to “non-general scenarios” (e.g., hybrid entities and health plan uses and disclosures), the Organizational Requirements of the Security Rule are relevant to most Covered Entities and Business Associates as they cover Business Associate Agreements.
Business Associate Agreements are also covered elsewhere in the Administrative Simplification provisions, but it is important for organizations in a business relationship in which ePHI is disclosed to be aware of this specific section because it stipulates:
There are additional requirements in the Organizational Requirements for when a health plan discloses ePHI to a plan sponsor, and these are very similar to the Organizational Requirements relating to hybrid entities. The Security Rule then concludes with standards relating to document retention which are discussed in further depth in the section explaining the HIPAA Audit Checklist.
Although no standard in the Security Rule is any more important than any other, some are key to a HIPAA Security Rule checklist because – without them – it would be difficult to comply with the Rule in its entirety. Consequently, we have compiled what we feel are the twelve essential components of a HIPAA security requirements checklist.
All organizations that create, receive, maintain, or transmit PHI or ePHI have to comply with the HIPAA Breach Notification Rule. This includes organizations not covered by the Privacy and Security Rules such as vendors of personal health records (“PHRs”), PHR-related entities (i.e., fitness tracker services that send data to or access data on a PHR), and third-party service providers.
Consequently, all organizations have to be prepared to notify individuals, the relevant federal agency, and – in some cases – local media when a breach of unsecured PHI/ePHI occurs. In such events, it is important to fulfil all the applicable requirements of the Breach Notification Rule, even if the breach relates to the health record of a single individual.
However, before actioning breach notification procedures, it is important for organizations to establish whether the breach is reportable or not. Unnecessarily reporting a data breach will likely result in an unnecessary investigation which, even if no violation is found, will result in some level of business disruption in addition to unnecessary concerns for the individual(s) affected.
Therefore, organizations should make sure that any breach is reportable by first conducting a risk assessment or taking advantage of a HIPAA breach decision tool/HIPAA breach risk assessment form to determine:
If a breach is reportable, individuals must be notified of the breach within sixty days. The breach notification must include information about what data has been disclosed, what the organization is doing to mitigate the effects of the breach and prevent further security incidents, and what the individual can do to best protect themselves from theft or fraud.
If the breach affects fewer than 500 individuals, organizations have until the end of each calendar year to notify HHS' Office for Civil Rights or the Federal Trade Commission. Breaches affecting 500 or more individuals must be reported to the appropriate agency and the local media within sixty days; failure to do so attracts stiffer HIPAA violation penalties from HHS' Office for Civil Rights or a fine of up to $46,517 per day from the Federal Trade Commission.
HIPAA IT compliance is sometimes confused with simply implementing the Safeguards of the Security Rule, but often much more is required for IT departments to be HIPAA IT compliant. For example, as most PHI is now maintained on electronic systems, IT departments have to consider how best to respond to individuals exercising their rights to access, correct, and transfer PHI.
Consequently, IT departments may be responsible for determining what data is maintained in a designated record set, what happens to data excluded from the designated record set, how information collected orally or on paper is added to the designated record set, and how the process for accounting of disclosures is managed – all Privacy Rule issues.
Because they are likely to be involved in the transfer of ePHI to or from Business Associates, IT departments may need to be involved in the due diligence process and will likely be the first port of call in the event of a Business Associate security incident, and therefore may need to know which party will be responsible for complying with the breach notification requirements.
It is also possible that representatives from the IT department will be involved in selected health care operations in which PHI is used or disclosed permissibly (e.g., provider or health plan evaluations, fraud and abuse detection, business planning, etc.). Consequently, they may need to be aware of the Minimum Necessary Standards and rules concerning incidental disclosures.
In addition to the above – and implementing the Safeguards of the Security Rule – additional HIPAA IT requirements may include updating existing security mechanisms to meet the requirements of a “recognized cybersecurity framework” (see “Updates to HIPAA Compliance” below), preparing legacy systems for migration to the cloud, and monitoring user activity.
Ultimately – once a recognized security framework is in place and legacy systems are migrated to the cloud – it may be possible to automate many monitoring tasks. However, due to the evolving nature of cyberthreats, it will not be possible to automate periodic risk assessments and analyses, and it may not be possible to adjust quickly to new forms of malware, ransomware, and phishing.
Additionally, cyberattacks are not the only things that are evolving. The healthcare and health insurance landscapes are also evolving, with new rules and guidance frequently being issued by HHS' Office for Civil Rights, CMS, and the FTC. Furthermore, it is not just federal laws that IT departments have to comply with, but state laws as well.
Consequently, many IT departments have compliance requirements additional to HIPAA. Most states have privacy laws with at least one element preempting HIPAA, while some state laws extend beyond borders to protect citizens wherever they are (e.g., Texas). Organizations that treat international patients may also have to comply with the EU's General Data Protection Regulation.
Bearing in mind the Security Rule's "flexibility of approach", that some smaller organizations will have limited resources, and that some larger organizations will have unique compliance challenges, there is no one-size-fits-all HIPAA IT compliance checklist. Nonetheless, we have compiled a list of best practices that can help IT departments meet the HIPAA IT requirements.
The final HIPAA compliance checklist concerns HIPAA audits. While OCR's audit program may not be as active as it was a few years ago, it is still beneficial to prepare for a compliance audit, as the documentation requested in an audit is the same as that requested in an investigation conducted by a federal agency in response to a data breach or complaint. As with the HIPAA IT compliance checklist, there is no one-size-fits-all HIPAA audit checklist.
In order to help HIPAA Covered Entities and Business Associates compile a checklist in preparation for the OCR audit program, the Department of Health and Human Services published audit protocols for the first two rounds of audits. You can find a link to OCR's audit protocols on our dedicated HIPAA Audit Checklist page, along with suggestions for compiling internal HIPAA audit checklists.
It has been mentioned several times during this article that there is no one-size-fits-all HIPAA compliance checklist. However, although not all the Rules apply to all organizations, the basics of HIPAA compliance are the same for every type of Covered Entity, Business Associate, and PHR-related entity – protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of ePHI.
Ultimately, it will likely be necessary for each Privacy Officer and each Security Officer to develop their own HIPAA compliance checklist in order to address unique challenges. We hope that this article has provided some pointers to what should be included on each type of checklist; but, if doubts exist about the comprehensiveness of an organization's compliance efforts, it is in the organization's best interest to speak with a professional HIPAA compliance advisor.
On January 5, 2020, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for healthcare organizations and business associates that have implemented recognized security best practices prior to experiencing a data breach. The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a common security framework.
The update requires the HHS’ Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires the HHS to decrease the extent and length of audits when an entity has achieved industry-standard security best practices.
On December 10, 2020, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking (NPR) under the HHS’ Regulatory Sprint to Coordinated Care initiative. The NPR included several proposed modifications to the HIPAA Privacy Rule to strengthen individuals’ access to their own protected health information and to improve the sharing of PHI stored in EHRs between covered healthcare providers and health plans.
Comments on the proposed changes are being accepted for 60 days from the date of publication in the Federal Register and, after consideration of submitted feedback, a final rule will be published. While that may occur in 2021, HIPAA-covered entities and business associates will be given time to implement the changes before the new regulations are enforced.
The update will see the addition of a definition of “electronic health record”, which is “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals.”
The proposed changes in the NPR are:
Healthcare organizations are having to deal with a nationwide public health crisis, the likes of which has never been seen. The 2019 Novel Coronavirus (SARS-CoV-2) that causes COVID-19 is forcing healthcare organizations to change normal operating procedures and workflows, reconfigure hospitals to properly segregate patients, open testing centers outside of their usual facilities, work with a host of new providers and vendors, and rapidly expand telehealth services and remote care.
This colossal extra burden makes HIPAA compliance even more difficult, yet even during public health emergencies such as the COVID-19 pandemic, health plans, healthcare providers, healthcare clearinghouses, and business associates and their subcontractors must still comply with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules.
HIPAA Rules have provisions covering healthcare operations during emergencies such as natural disasters and disease pandemics; however, the current COVID-19 nationwide public health emergency has called for the temporary introduction of unprecedented flexibilities with regards to HIPAA compliance.
The HHS’ Office for Civil Rights appreciates that during such difficult times, HIPAA compliance becomes even more of a strain. In order to ensure the flow of essential healthcare information is not impeded by HIPAA regulations, and to help healthcare providers deliver high quality care, OCR has announced that penalties and sanctions for noncompliance with certain provisions of HIPAA Rules will not be imposed on healthcare providers and their business associates for good faith provision of healthcare services during the COVID-19 public health emergency.