This HIPAA compliance checklist is for HIPAA Privacy Officers, HIPAA Security Officers and any other member of a Covered Entity’s or Business Associate’s workforce assigned the task of HIPAA compliance. The checklist can also be shared between departments if different departments are responsible for complying with specific areas of HIPAA.
A HIPAA compliance checklist consists of the basic compliance requirements of the HIPAA Privacy, Security, and Breach Notification Rules. Some areas of the checklist may not apply to some organizations depending on the nature of their activities, while some organizations will have to consider additional checklist items if they are involved in certain activities (for example, psychiatrists).
There is no specific HIPAA compliance checklist for IT because the scale of IT operations can vary between different organizations depending on their size, complexity, and processes. If a HIPAA compliance checklist for IT is thought necessary, organizations are advised to conduct an IT compliance audit to see what items may be necessary to include.
HIPAA compliance means complying with the standards and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules. However, it is necessary to be aware that the General Rules of the Security Rule (§164.306) allow for a “flexibility of approach”. Covered Entities and Business Associates should bear this clause in mind when reviewing HIPAA requirements.
The Department of Health and Human Services (HHS) is responsible for publishing the HIPAA Rules, while the agency’s Office for Civil Rights (OCR) is responsible for monitoring compliance and taking enforcement action when non-compliance is identified. An exception to this division of labor exists with regard to the Administrative Requirements of HIPAA. Compliance is monitored – and enforcement action taken – by the Centers for Medicare and Medicaid Services (CMS).
The key to HIPAA compliance is remembering that compliance is an ongoing process and not a one-off exercise. Therefore, it is important to have mechanisms in place to prevent shortcuts becoming the norm and developing into a culture of non-compliance – which then becomes harder to reverse and may lead to more noncompliant shortcuts being taken “to get the job done”.
All Covered Entities, Business Associates, and subcontractors with whom PHI is shared must comply with the Security Rule. Additionally, healthcare organizations and insurance companies that do not qualify as Covered Entities also have to comply with the HIPAA Security Rule when they provide a service for or on behalf of another Covered Entity as a Business Associate.
The Security Rule applies to all Protected Health Information that is created, collected, maintained, or transmitted electronically (ePHI). It is important to be aware that ePHI is a subset of PHI, and therefore some Privacy Rule requirements may also apply – especially those relating to permissible uses and disclosures and the Minimum Necessary Standard.
The Health Insurance Portability and Accountability Act is an Act passed in 1996 with the intention of reforming the health insurance industry. It facilitated the portability of health insurance from one employer to another to avoid workers being locked in an unsuitable job for fear of losing health coverage and stopped health plans discriminating against workers with pre-existing conditions.
To prevent the costs of increased portability and accountability being passed on to employers and plan members in the form of higher premiums, Title II of HIPAA introduced measures to reduce fraud against the health insurance industry and make the processing of health insurance claims more efficient. These measures led to the Administrative Simplification regulation which includes the Privacy, Security, and Breach Notification Rules.
Although HIPAA compliance requirements are mentioned periodically in the above HIPAA compliance checklist, there is no one-size-fits-all set of requirements. Each Covered Entity and Business Associate must determine its own HIPAA compliance requirements based on a risk assessment and what “reasonable and appropriate” measures are required to be compliant.
The term “guidelines” can be interpreted in several ways. For example, it can mean the standards of the Privacy, Security, and Breach Notification Rules, the safeguards of the Security Rule, or the policies developed by an organization’s HIPAA Privacy and Security Officers to ensure the organization and members of the organization’s workforce stay HIPAA compliant.
The most important thing to know about HIPAA is that ignorance of the HIPAA requirements is no defense against enforcement action. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to understand what the rules are, how they apply to you, and what you need to do to become HIPAA compliant.
The penalties for breaching HIPAA vary according to the nature of the violation, the level of culpability, and the amount of assistance given to HHS during investigations into the breach. The current penalty structure was implemented in the HITECH Act 2009 and penalty amounts increase each year to account for inflation.
The steps you should take for HIPAA compliance depend on the nature of your business and your access to Protected Health Information. The HHS publishes several tools to help Covered Entities determine what steps to take for HIPAA compliance; but, if you are still unsure about HIPAA requirements, you should seek professional compliance advice.
The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced due to more Covered Entities adopting technology and replacing paper processes.
The HIPAA Privacy Rule – or “Standards for Privacy of Individually Identifiable Health Information” – was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, these laws continue to apply.
The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclosed without permission.
The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.
The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violation cases. It is important to note other agencies (for example Centers for Medicare and Medicaid Services) can take HIPAA enforcement actions, and these may have their own procedures.
The Minimum Necessary Rule – sometimes called the “Minimum Necessary Standard” or “Minimum Necessary Requirement” – is a key element of the HIPAA Privacy Rule. The Rule stipulates that HIPAA-covered entities make reasonable efforts to ensure access to PHI is limited to the minimum necessary to accomplish the intended purpose of a particular use, disclosure, or request – and nothing more.
The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years. You will find examples of what types of documentation should be retained in this article.
The HIPAA Privacy Rule was enacted many years before most social media platforms existed and therefore there are no specific HIPAA social media rules. However, except for permitted uses, the disclosure of personally identifiable information without a patient’s consent is a violation of HIPAA, and sharing PHI on social media would come into this category.
Although not a requirement of the HIPAA Privacy Rule, Covered Entities may wish to obtain a patient’s consent before – for example – providing treatment. By contrast, a Covered Entity has to obtain a patient’s authorization via a HIPAA Release Form before disclosing personally identifiable information other than for a permitted use.
This depends on what pagers are being used for and what capabilities they have. If a pager is not being used to communicate ePHI, HIPAA compliance is not an issue. If a pager is being used to communicate ePHI, it has to have capabilities such as user authentication, remote wipe, and automatic log-off. You can find out more about pagers and HIPAA compliance in this article.
While the EU’s General Data Protection Regulation (GDPR) doesn’t affect HIPAA compliance in any way, it does introduce a further set of regulations for Covered Entities and Business Associates that collect, process, share, or store data relating to EU citizens – for example if an EU citizen receives medical treatment in the USA. This article provides more information about GDPR for US companies.
The Administrative Simplification provisions consist of the General Administrative Requirements (Part 160), the Transaction, Code Sets, and Identifier Standards (Part 162) and the Privacy, Security, and Breach Notification Rules (Part 164). The Department of Health and Human Services has combined the provisions into a single PDF for ease of reference.
Before a Covered Entity discloses PHI to a Business Associate, it is important to conduct due diligence on the Business Associate to ensure the privacy of the PHI is protected and safeguards are in place to ensure the confidentiality, integrity, and availability of PHI. It is not enough to rely on the undertakings of a Business Associate Agreement.
The benefits that exempt a health plan from being a Covered Entity are those listed in §300gg-91 of the Public Health Act (search for “benefits not subject to requirements”). These include, but are not limited to, workers’ compensation insurance, accident insurance that includes medical payment insurance, and automobile insurance in which benefits for medical care are included.
On-campus health centers that only provide medical services for students are exempted from HIPAA because students’ medical records are considered to be part of their educational records, which are protected by the Family Educational Rights and Privacy Act (FERPA). The HIPAA Privacy Rule specifically excludes records protected by FERPA from its definition of PHI, and therefore an on-campus health center that only provides medical services for students cannot “transmit PHI in connection with a transaction for which a HIPAA standard exists” because it does not have any PHI.
In the event that an on-campus health center treats both students and members of the public, the health center becomes a “hybrid entity”. In such circumstances, students’ medical (educational) records are still subject to FERPA and must be isolated from other patients’ PHI – which is subject to the protections of the Privacy and Security Rules; and, in the event of a data breach, the processes of the Breach Notification Rule.
Paper-to-paper, non-digital fax communications are not considered electronic transmissions when the information being exchanged did not exist in electronic format prior to the fax transmission. Therefore, if a healthcare provider only transmits health information for a HIPAA transaction by paper-to-paper non-digital fax, the healthcare provider is not a Covered Entity.
However, quite apart from paper-to-paper faxes being a poor data security practice, if the faxed health information was stored electronically prior to transmission (for example, saved on a workstation) or any other electronic communication channel is used for any other HIPAA transaction, the healthcare provider is a Covered Entity, and all transmissions are subject to HIPAA compliance requirements.
There are several cases in which some of the Administrative Simplification provisions will not apply due to the nature of the Covered Entity’s operations. For example, health care clearinghouses are typically business-to-business operations, so there will be no need to develop and distribute a Notice of Privacy Practices to individuals. Similarly, sole medical practitioners will not have to develop and distribute a workforce sanctions policy.
Additionally, the “flexibility of approach” clause in the Security Rule (§164.306) allows Covered Entities to be flexible about what security measures are adopted according to their size, complexity and capabilities, the costs of the security measure, and the probability and criticality of risks to PHI. However, the decision not to apply a Security Rule standard has to be justified, documented, and periodically reviewed to determine whether the decision is still justified.
Neither the Privacy Rule nor the Security Rule define what an “appropriate level” is – nor provide guidance on how an appropriate level can be obtained. In its HIPAA Basics Guide, CMS states “what’s reasonable and appropriate depends on your business as well as its size, complexity, and resources”. However, this statement should not be construed as an excuse to take shortcuts with HIPAA compliance or omit Administrative Simplification provisions.
The primary tool in a Privacy Officer’s enforcement armory is the sanctions policy. This policy should stipulate the nature of punishments for HIPAA violations – which may range from a warning for minor violations to criminal proceedings and loss of license for serious violations. All members of an organization’s workforce should be provided with a copy of the sanctions policy regardless of whether they have access to PHI or not.
In most circumstances, uses and disclosures of PHI fall into the categories of required, permissible, or requiring authorization. Outside of these circumstances, there are scenarios in which it is preferable, but not necessary, to obtain an individual’s “informal consent” – for example, notifying family members of a patient’s admission into hospital. In such scenarios, the individual should be given the opportunity to agree or object to the disclosure of PHI unless the individual is unable to, in which case Covered Entities are allowed to use their professional judgement.
It is a best practice to encourage reports of HIPAA violations because, if the violations are not identified and addressed, they could continue and contribute towards a culture of non-compliance which ultimately results in data breaches. Ideally, Covered Entities and Business Associates should implement a process for reporting HIPAA violations that allows members of the workforce to report violations anonymously.
The Breach Notification Rule requirements vary depending on the type of organization at which a breach occurs. For example, Business Associates are required to notify Covered Entities of a breach, Covered Entities are required to notify affected individuals and HHS’ Office for Civil Rights of a breach, and organizations not covered by HIPAA are required to notify affected individuals and the FTC of a breach. State laws may also require that breaches be notified to local authorities.
Because the Breach Notification Rule requirements vary, we have produced a comprehensive article explaining what organizations should do following a data breach. Alternatively, you can review the HIPAA Breach Notification standards at §164.400 of the Code of Federal Regulations.
The Administrative Simplification requirements (Parts 160, 162, and 164 of 45 CFR Subtitle A, Subchapter C) are enforced by two agencies within the Department of Health and Human Services – the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR).
Compliance with Part 162 (the Transaction Rules, Operating Rules, Code Set Rules, etc.) is enforced exclusively by CMS, while compliance with Part 164 (the General Rules, Privacy Rule, Security Rule, etc.) is enforced exclusively by OCR – unless a violation involves a criminal activity, in which case the violation is referred to the Department of Justice.
Generally, most health plans, health care clearinghouses, healthcare providers (including pharmacies) and business associates that provide a service for or on behalf of these organizations are required to follow the HIPAA requirements – but there are exceptions.
For example, insurance companies that provide health coverage as a secondary benefit to (say) auto insurance are not required to follow HIPAA requirements, nor are healthcare providers that do not conduct transactions for which HHS has developed standards (for example, a counselling service that only accepts direct payments from clients).
Further information about HIPAA requirements that could help with the compilation of a HIPAA compliance checklist can be found throughout the HIPAAJournal.com website. However, in order to assist organizations looking for quick answers to complex questions, we have listed a selection of HIPAA compliance resources below.