Check the pulse of your HIPAA program

Whether you’re just getting started creating a HIPAA compliance plan for your organization, or checking the pulse of your current HIPAA program, a road map is always helpful.

The HIPAA requirements are deliberately vague because they need to be flexible and scalable enough to apply to a broad range of health care companies and anyone those companies contract with. This HIPAA compliance checklist aims to do several things. 

  1. Introduce you to the language used in HIPAA so that you have a better grasp of the HIPAA Rules.
  2. Help you become more acquainted with the HIPAA rules and what they want you to do if you deal with Personal Health Information (PHI).
  3. Help you determine what areas your organization may need to focus on to become HIPAA compliant by providing a simplified checklist that can point your efforts in the right direction.
  4. Give you some additional tips on how to use the HIPAA Security Risk Assessment Tool to find weak areas in your HIPAA compliance program.

What is HIPAA trying to protect?

HIPAA wants to protect the security and privacy of patients’ Personal Health Information (PHI) that is used or shared in any form. When a patient’s Personal Health Information is in electronic form, it’s called ePHI. 

As most health information is digitally managed these days, the handling of ePHI is critical. HIPAA wants healthcare companies to completely protect any ePHI that’s collected, processed, transmitted, or stored, and to make sure that patients can access it and amend it if it is incorrect or has become corrupted due to identity theft or errors.

This Compliance Checklist will walk you through the more critical aspects of the HIPAA so that you can determine what areas your organization needs to work on to achieve HIPAA compliance.

What’s the difference between a Covered Entity and a Business Associate under HIPAA?

A Covered Entity (CE) is any health care provider, health plan, or health care clearinghouse that creates, maintains, stores, processes or transmits PHI or ePHI. Most health care organizations do business with 3rd parties that provide a service or perform a specific function or activity for a company that may involve having access to ePHI. Under HIPAA, these 3rd parties are called Business Associates (BA).

Before having access to ePHI, the Business Associate must sign a Business Associate Agreement (BAA) with the Covered Entity. While the ePHI is in the Business Associate’s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity. 

Check the boxes of the statements you agree with:

□ We have identified all of our Business Associates (BA) and vendors.

□ We have Business Associate Agreements (BAAs) in place with all of our BAs.

□ We have satisfactorily assessed all of our BA’s HIPAA compliance levels.

□ We monitor and revise our BAAs annually, and anytime there is a change in services.

□ We have Confidentiality Agreements in place with non-BA vendors.

The HIPAA Privacy Rule 

The privacy rule sets the standards for who is allowed to access PHI and governs the use and disclosure of any PHI. If your organization has contact with PHI in any way, you have to develop privacy policies and procedures that adhere to the privacy rule and use authorizations as instructed by the HIPAA.

Use and Disclosure of PHI

□ We acquire and hold HIPAA authorizations for any uses and disclosures of PHI, which aren’t otherwise permitted by the HIPAA Privacy Rule.

□ Our authorizations are written in everyday, simple language (no legalese) and clearly explain the precise uses and disclosures of PHI.

□ Our authorizations accurately describe to whom we will disclose PHI.

□ Our authorizations include an expiration date.

□ Our authorizations are signed and dated by the patient.

Individuals’ Access to PHI

□ We have procedures for providing patients with access to their health information.

□ At an individual’s request, we provide access to and copies of their PHI.

□ We provide copies of an individual’s PHI in the format of their request.

□ We respond to an individual’s request for copies of any PHI within 30 days.

□ Our fees charged for requested copies of PHI by an individual are cost-based.

Notice of Privacy Practices (NPP)

The Privacy Rule gives people the right to information about an organization’s privacy practices. The HIPAA refers to this as Notice of Privacy Practices (NPP). While Covered Entities can use templates for their Notice of Privacy Practices, the notices should be customized to your organization.

□ We have created and customized a Notice of Privacy Practices (NPP).

□ We have provided a copy of our NPP to all patients.

□ All patients have confirmed in writing that they’ve received a copy of our NPP.

□ We have posted an NPP in a visible and prominent location on our website.

□ We have posted an NPP poster in a visible and prominent location visible to patients in our facility. (If applicable.)

□ We have procedures in place and have trained staff for dealing with complaints and any failures on our part to comply with our NPP.

The HIPAA Security Rule

The Security Rule requires entities to evaluate risks and vulnerabilities and implement reasonable and appropriate security defences to protect against anticipated threats to the security and integrity of ePHI. There are three elements to the HIPAA Security Rule:

  • technical safeguards 
  • physical safeguards 
  • administrative safeguards

These are areas that you need to assess yourself, with an understanding of what could go wrong in the technical, physical, or administrative functions of your organization that could make ePHI vulnerable to a breach. You’re basically looking at your IT setup, your office setup, and your staff policies.

HIPAA Technical Safeguards § 164.312

Technical Safeguards concern the technology used to both provide access to ePHI and protect it. The HIPAA won’t tell you how to prepare for compliance, but it will show you what outcome it expects. 

Access control

This section deals with who has authorization to access PHI. 

□ We have an identity management and access controls plan in place.

□ We assign unique IDs to all individuals authorized to access ePHI.

□ We can confirm that access to ePHI is restricted to authorized individuals only for the purposes of their employment duties.  

□ We vet all employees before providing authorization to access ePHI and can confirm authorization is appropriate.

□ We have procedures in place to terminate an employee’s access to ePHI if their position changes or they leave our company.

□ We have procedures in place to recover all devices and media holding ePHI if an employee’s position changes or they leave our company.

Audit logs  

Track all users who access ePHI on your systems and monitor all activities and systems involving ePHI at all times.

□ All of our uses and disclosures of PHI/ePHI are limited to the minimum amount of PHI necessary for the purpose for which the PHI/ePHI is disclosed.

□ Our systems are set to automatically log out any user after a period of inactivity.

□ We have created ePHI access logs and monitor them consistently.

□ We have created ePHI access logs that track successful and unsuccessful login attempts. 

□ ePHI access logs are monitored consistently for unauthorized access to ePHI.
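As an added example of the log review the items above ask for (not part of the original checklist or of any HHS tool), the following Python script reads a constructed ePHI access log and reports two conditions a reviewer would look for: a burst of failed login attempts for one user, and a successful record access by someone who is not on the authorized list. The log format, the user names, and the authorized list are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe event=login result=success
2024-03-01T08:03:40Z user=jdoe event=access record=pt-1042 result=success
2024-03-01T08:10:05Z user=rgray event=login result=failure
2024-03-01T08:10:19Z user=rgray event=login result=failure
2024-03-01T08:10:33Z user=rgray event=login result=failure
2024-03-01T08:11:02Z user=rgray event=login result=success
2024-03-01T08:12:44Z user=rgray event=access record=pt-2210 result=success
2024-03-01T09:15:00Z user=asmith event=access record=pt-1042 result=success
"""

# Assumed list of workforce members cleared to access ePHI (from the access-control plan).
AUTHORIZED = {"jdoe", "asmith"}
FAILED_LOGIN_THRESHOLD = 3  # consecutive failures that warrant review


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review_access_log(text, authorized, threshold=FAILED_LOGIN_THRESHOLD):
    """Return findings as (kind, user, detail) tuples, in log order."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec.get("user", "?")
        if rec.get("event") == "login":
            if rec.get("result") == "failure":
                failures[user] += 1
                if failures[user] == threshold:
                    findings.append(("failed_login_burst", user, rec["ts"]))
            else:
                failures[user] = 0  # a successful login resets the count
        elif rec.get("event") == "access" and user not in authorized:
            # A record was opened by someone not on the authorized list.
            findings.append(("unauthorized_access", user, rec.get("record", "?")))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, AUTHORIZED):
        print(finding)
```

Running it against the sample log yields one failed-login burst and one access by an unlisted user; the same pattern applies to a real log once its fields are mapped to the keys used here.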

Integrity 

Protect ePHI from being destroyed or altered in any way, and be able to detect whether it has been.

□ We have controls in place to protect ePHI from being altered or destroyed unless authorized.

Transmission Security 

Make sure all ePHI – whether at rest or in transit – is encrypted to NIST standards once it moves outside your organization’s internal firewalled servers, so that patient data is unreadable, undecipherable, and unusable by any unauthorized employees or 3rd party contractors. Prevent unauthorized access to ePHI over any network communications, such as public Wi-Fi.

□ We have assessed whether encryption of ePHI is necessary.

□ If encryption of ePHI is unnecessary, we have instead employed alternative and equally effective means to secure the integrity, confidentiality, and availability of all ePHI.

□ We have controls in place during electronic transmission to safeguard against any unauthorized access of ePHI.

□ We have documented our decisions regarding encryption and electronic transmission safeguards.

HIPAA Physical Safeguards § 164.310

Physical standards are designed to protect storage media and the physical places where ePHI is held in an organization.

□ We have procedures in place for the secure disposal of ePHI and PHI.

□ We have procedures in place to make physical PHI forever unreadable upon disposal.

□ We have procedures in place to permanently delete all ePHI stored on devices being prepared for disposal.

□ All devices that hold ePHI and PHI are secure at all times.

HIPAA Administrative Safeguards § 164.308

This section deals with your staff, employees, and any workforce member that comes into contact with ePHI, whether from your office or a 3rd party contractor. It also requires you to designate a Security Officer.

Assigned security responsibility 

You need to designate a security official who will conduct risk analyses, monitor audit logs, train the workforce, manage security incidents, and update policies and procedures.

□ We have a designated HIPAA Security Officer.

Security awareness and training

Have a required security awareness training program for all employees.

□ All employees attend annual HIPAA training.

□ We keep documentation to substantiate that all employees attend annual HIPAA training.

□ All staff have received Security Awareness training.

□ We keep documentation to substantiate that all employees have received Security Awareness training.

□ We provide staff with periodic updates to reinforce Security Awareness training.

Contingency plan 

These are guidelines for emergencies.

□ We have a contingency plan set up for emergencies.

□ We have developed procedures for responding to emergency situations.

□ We keep an up-to-date, exact-copy backup from which all ePHI can be recovered in the event of a disaster.

□ We have procedures in place in the event of operating in emergency mode to ensure that all critical business processes function.

□ Our contingency plans are updated and tested at regular intervals.

Security incident procedure

Security incidents require a response and reporting whether or not there is a data breach. You need to set up a system to audit and track any security events.

□ We have procedures in place for any security incidents and data breaches.

□ We have the capability to conduct and record investigations of all security incidents.

□ We are able to report all breaches or incidents.

□ Our employees can anonymously report any privacy or security incident and any potential HIPAA violation.

HIPAA Breach Notification Rule 

The breach notification rule applies to unsecured ePHI, which is ePHI that is neither encrypted nor destroyed and is therefore still usable and readable. (The HHS states that encryption and destruction are the only two methods that will render ePHI unusable, unreadable, and undecipherable.)

□ We have policies and procedures in place under HIPAA Privacy, Security, and Breach Notification Rules.

□ All employees have read and legally attested to the HIPAA policies and procedures.

□ We have documentation of all employees’ written legal confirmation of the HIPAA policies and procedures.

□ We keep documentation for our annual reviews of our policies and procedures.

Audits

Covered Entities and Business Associates must conduct their own periodic audits. There are six required annual self-audits for businesses. There are five required annual self-audits for Business Associates.

These audits are entirely self-conducted by Covered Entities and Business Associates. Only the Security Risk Assessment (SRA) has any guidelines in the form of an available tool on the HHS site. All other audits are up to you. Links are provided to the relevant rules for your reference.

□ We have completed the six annual audits required by the HIPAA compliance program. 

□ Security Risk Assessment (SRA)

□ Security Standards Audit — Self-audit against the HIPAA Security Rule.

□ Asset and Device Audit — List all devices that hold ePHI and who uses them.

□ Physical Site Audit

□ HITECH Subtitle D Audit

□ Privacy Assessment (Not required for BAs) — Self-audit against the HIPAA Privacy Rule.

□ We have proof that we have conducted the six annual audits and assessments for the past six years.

□ We have identified any and all gaps revealed in the self-audits.

□ We have documented all areas with deficiencies or gaps.

□ We have created a remediation plan to correct any and all deficiencies or gaps found in the audits and risk assessments.

□ Our remediation plans are fully documented in writing.

□ We review and update our remediation plans annually.

□ We keep copies of our yearly remediation plan for six years.

What is a HIPAA Risk Assessment? 

A risk analysis can help you establish the safeguards you need at your organization to protect patient data and comply with the HIPAA. It will allow you to identify risks and to develop and put in place administrative safeguards and protections, such as office rules and procedures, that keep ePHI secure under the HIPAA Security Rule.

The US Department of Health & Human Services (HHS) offers guidance on risk self-assessment on its website as well as a Security Risk Assessment (SRA) Tool that you can download to guide you through the risk assessment process. 

The SRA Tool walks you through potential threats and vulnerabilities and gives recommendations based on standards identified in the HIPAA Security Rule. Keep in mind that the SRA Tool only provides scoring in terms of risk, not compliance. Also, the SRA Tool is only available for Windows. (There’s an older version of the HHS SRA Tool for iPad in the App Store.) 

How does a HIPAA Risk Assessment work?

A HIPAA Risk Assessment helps you identify any potential risks to the PHI that your company holds, transmits, creates, or receives from another party. It walks you through the required actions that you must be able to perform to be in compliance. It also helps you identify areas or gaps in security that you need to upgrade. The risk assessment for ePHI asks you to focus on several areas:

  • Storage, processing, and transmission
  • Potential threats and vulnerabilities
  • Current security measures
  • Proper use of security measures

It then asks you to make determinations based upon your assessment:

  • What’s the likelihood of a reasonably anticipated threat?
  • What’s the potential impact of a data breach involving ePHI?
  • What are the risk levels for vulnerability and impact?
  • What actions can be taken to improve the security features to mitigate any threats, breaches, or vulnerabilities?

HIPAA recommends that you perform risk assessments annually and anytime you implement new work procedures, update systems, or redesign programs.

Disclaimer: This checklist is merely a guide to direct you toward what you may need to work on to achieve HIPAA compliance. Completing this checklist does not in any way mean you are HIPAA compliant, nor does it give legal advice. Consult a HIPAA compliance professional to ensure your organization achieves and retains HIPAA compliance.