Skip to content
Home » HIPAA Compliance Checklist

HIPAA Compliance Checklist

2022’s HIPAA Compliance Checklist 

If your firm is subject to the Healthcare Insurance Portability and Accountability Act (HIPAA), we recommend that you go through our HIPAA compliance checklist 2022 to verify that you are in compliance with HIPAA’s privacy and security regulations for Protected Health Information (PHI).

Even if no breach of PHI happens, failing to comply with HIPAA standards can result in significant fines, while breaches can result in criminal charges and civil action lawsuits. There are other steps to follow when it comes to reporting HIPAA Privacy and Security Rules violations and notifying patients of HIPAA breaches.

The Office for Civil Rights of the Department of Health and Human Services (OCR) does not regard ignorance of HIPAA compliance requirements to be a legitimate defense to penalty for HIPAA violations. Whether violations are unintentional or the consequence of purposeful negligence, the OCR will levy fines for non-compliance with HIPAA laws.

Checklist for HIPAA Compliance

The HIPAA Privacy and Security Rules, the HIPAA Omnibus Rule, the HIPAA Breach Notification Rule and the HIPAA Enforcement Rule were deconstructed to create our HIPAA compliance checklist. It’s worth noting that the Health Information Technology for Economic and Clinical Health (HITECH) Act 2009 has a vital role in HIPAA IT compliance as well.

In order for the firm to be HIPAA compliant, every aspect of the aforementioned Rules and Acts must be followed. There is no hierarchy in HIPAA laws in terms of one HIPAA Rule being more significant than another, and each of the requirements in our HIPAA compliance checklist must be followed if your firm is to achieve complete HIPAA compliance.

If you are unclear whether your firm is subject to HIPAA compliance rules, here is a preliminary HIPAA compliance checklist:

  • Determine which of the yearly audits and assessments are necessary for your organization.
  • Conduct the necessary audits and evaluations, examine the results, and identify any flaws.
  • Document your remediation strategies, put them into action, evaluate it annually, and reform them as needed.
  • Appoint a HIPAA Compliance, Privacy, and/or Security Officer if your firm hasn’t already.
  • Ensure that the authorized HIPAA Compliance Officer provides yearly HIPAA training to all employees.
  • Ensure that HIPAA training and staff member affirmation to HIPAA rules and procedures are documented.
  • Perform due diligence on Business Associates to ensure HIPAA compliance and review BAAs on a yearly basis.
  • Examine the systems in place for staff personnel to report breaches and how breaches are reported to HHS OCR.

About HIPAA Compliance

It’s recommended to answer the following question before going over the components of our HIPAA compliance checklist. What is HIPAA compliance, and why is it important: HIPAA Explained.

What is a Covered Entity?

A Covered Entity is a health care provider/health plan that produces, stores, or transmits PHI as part of its usual operations. There are a few exceptions. The vast number of healthcare providers recruited by hospitals are not Covered Entities. The hospital is the Covered Entity, and it is in charge of adopting and enforcing HIPAA-compliant procedures.

To know more about Covered Entities, click here.

What is a Business Associate?

A Business Associate is an individual or company that serves – or performs a specific job or task for – a Covered Entity and has access to PHI maintained by the Covered Entity. Auditors,  Attorneys, Tech consultants, cloud storage providers, email encryption services, and other professionals are examples of Business Associates.

To know more about Business Associates, click here.

HIPAA Regulations

Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate with access to PHI must ensure that technical, physical, and administrative safeguards are in place and strictly followed to, that they comply with the HIPAA Privacy Rule in order to preserve the rights of PHI, and that they follow the procedure in the HIPAA Breach Notification Rule if a breach of PHI occurs.

In the event of a breach of PHI and an inquiry to determine how the breach occurred, all risk assessments, HIPAA-related rules, and reasons why applicable protections have not been implemented must be documented. Each HIPAA criterion is discussed in further depth below. Firms who are unclear if they must comply with HIPAA standards should seek expert assistance.

Security Measures under HIPAA 

The HIPAA Security Rule outlines the rules for securing PHI (ePHI) generated, accessed, processed, or stored electronically whether at rest or in transit. Anyone or any entity with access to personal patient data is subject to the regulation. In this situation, “access” involves having the ability to read, write, edit, or communicate ePHI, as well as any personal identifiers that may disclose an individual’s identity.

Technical safeguards, physical safeguards, and administrative safeguards are the three sections of the HIPAA Security Rule, and we’ll go over each one in our HIPAA compliance checklist in sequence.

HIPAA Technical Safety Measures

The Technical Safeguards are concerned with the technology utilized to safeguard ePHI and give access to the information. The sole stipulation is that once ePHI leaves a firm’s internal firewalled systems, data must be encrypted to NIST standards, whether at rest or in transit. This is done to ensure that any breach of confidential patient information is rendered unreadable, unintelligible, and useless.

HIPAA Physical Safety Measures

Physical Access to ePHI, regardless of location, is the subject of the Physical Safeguards. ePHI might be kept on servers on the HIPAA Covered Entity’s properties, in a distant data center, or on a cloud server. They also specify how unwanted access to workstations and portable devices should be prevented.

HIPAA Administrative Safety Measures

Administrative Security measures are rules and processes that integrate the Privacy Rule and the Security Rule. They are essential components of a HIPAA compliance checklist, requiring the appointment of a Privacy Officer and a Security Officer to implement safeguards for electronic protected health information (ePHI), as well as governing employee behavior.

Risk assessments were highlighted as a prominent area of Security Rule non-compliance during the OCR pilot audits. In successive audit phases, risk assessments will be extensively examined, not just to establish that the company in issue has executed one, but also to guarantee that they are comprehensive and continuous. A HIPAA-compliant risk analysis is not a one-time obligation, but rather a routine process that must be completed on a regular basis to maintain HIPAA compliance.

Privacy Regulations under HIPAA

The HIPAA Privacy Rule limits how electronic protected health information (ePHI) can be utilized and shared. The Privacy Rule, which has been in effect since 2003, is applicable to all healthcare systems, health plan providers (including employers), healthcare clearinghouses, and, since 2013, covered organizations’ Business Associates.

The Privacy Rule mandates the implementation of suitable safety measures to protect the privacy of Personal Health Data. It also imposes limits on the use and publication of the data without the consent of the patient. The Rule also offers patients – or their designated representatives – rights to their health data, such as the opportunity to receive a copy of their records, study them, and seek amendments if required.

Covered Organizations must respond to patient access permissions within 30 days under the Privacy Rule. Patients and plan members must also be provided with Notices of Privacy Practices (NPPs) that explain how their data will be handled and shared.

It is also recommended that covered organizations:

  • Employees should be trained to understand what information may – and cannot – be disclosed outside of an organization’s security process.
  • Ascertain that sufficient safeguards are in place to protect PHI and patients’ unique personal identifiers.
  • Obtain formal consent from patients before using their health information for marketing, research or fundraising reasons.

Patients’ approval forms should be updated to include the disclosure of immunization records to schools, the option for patients to confine disclosure of PHI to a health plan (if they have spent for a process discreetly), and the option of offering an electronic copy of healthcare data to a patient when sought.

Breach Notification Rule under HIPAA

When a patient’s PHI is breached, the HIPAA Breach Notification Rule requires Covered Entities to inform them. If a breach of PHI affects more than 500 patients, the Breach Notification Rule requires firms to quickly inform the Department of Health and Human Services and issue a notice to the media.

Smaller breaches impacting less than 500 people must also be reported using the OCR online site. After the first investigation has been completed, these minor breach reports should be filed. These reports must be submitted just once a year, according to the OCR.

The following information should be included in breach notifications:

  • The sorts of personal identifiers disclosed, as well as the nature of the PHI at hand.
  • The unauthorized individual who gained access to or used the PHI, or to whom the information was disclosed (if known).
  • Whether or not the PHI was actually obtained or seen (if known).
  • The measure to which the threat of harm has been reduced.

Breach notifications must be given without undue delay, and no later than 60 days after the breach is suspected. When informing a patient of a breach, the Covered Entity must advise them what they should do in order to protect themselves from damage, as well as a quick overview of what the covered entity is doing to investigate the breach and the efforts taken so far to avoid potential breaches and security events.

HIPAA’s Omnibus Rule

The HIPAA Omnibus Rule was created to address a variety of issues left unaddressed by earlier HIPAA amendments. Definitions were updated, processes and rules were clarified, and the HIPAA compliance checklist was extended to include Business Associates and their subcontractors.

To know more about HIPAA’s Omnibus Rule, click here.

HIPAA’s Enforcement Rule

The HIPAA Enforcement Rule oversees the investigations that follow a breach of PHI, as well as the fines that can be imposed on covered businesses that are accountable for an avoidable breach of PHI and the hearing processes. Covered companies should be aware of the following penalties, which are not included on a HIPAA compliance checklist:

  • An infringement caused by ignorance can result in a fine of $100 to $50,000.
  • A fine of $1,000 to $50,000 can be imposed for an infringement that occurred notwithstanding reasonable vigilance.
  • A fine of $10,000 to $50,000 will be imposed for a willful negligence violation that is resolved within thirty days.
  • A willful negligence offense that is not addressed within thirty days can result in a maximum fine of $50,000.

The quantity of records revealed in a breach, the risk caused by the release of that data, and the level of ignorance involved all factor into the fines. The maximum penalties for a single infraction is $1,500,000 per year. It’s worth noting that deliberate negligence can result in criminal prosecution. Victims of a breach may also seek a civil action for damages. Private medical practices (solo physicians or dentists, group practices, and so on), hospitals, outpatient facilities like pain clinics or rehab facilities, insurance companies, and pharmacies are the most usually targeted entities for sanctions. The following are the most common HHS disclosures:

  • Patient data have been misused and illicit disclosures have occurred.
  • There is no safeguard in place to secure patient data.
  • Patients are unable to obtain access to their medical records.
  • More than the bare minimum of protected health data is used or disclosed to other parties.
  • Electronic protected health data has no administrative or technical protections.

What Should Be Included in a HIPAA Risk Evaluation?

There is a paucity of advice in the HIPAA regulations on what a HIPAA risk assessment should include. The failure to establish a “particular risk analysis approach” is explained by OCR as a result of the diverse sizes, capacities, and complexity of Covered Entities and Business Associates. The Office of Civil Rights (OCR) does, however, provide guidance on the goals of a HIPAA risk assessment:

  • Identify the PHI that your firm generates, obtains, retains, and transmits, including PHI shared with advisers, suppliers, and Business Associates.
  • Identify the human, natural, and environmental hazards to the integrity of Protected Health Information, including both purposeful and inadvertent human threats.
  • Examine the safeguards in place to preserve PHI’s integrity, as well as the risk of a “reasonably foreseeable” breach occurring.
  • Calculate the probable impact of a PHI breach and give a risk level to each possible occurrence based on the average of the assigned likelihood and severity levels.
  • To check the boxes on the HIPAA compliance checklist and ensure HIPAA compliance, prepare a report and apply measures, practices, and policies as needed.
  • The HIPAA risk assessment, the justification for the ensuing measures, practices, and policies, as well as any policy documentation, must be retained for at least six years.

As previously stated, a HIPAA risk assessment is not a one-time obligation, but rather a routine operation that must be completed on a regular basis to guarantee HIPAA compliance. The HIPAA risk assessment and analysis of its findings will assist firms in complying with many other areas of our HIPAA compliance checklist, and it should be evaluated on a regular basis as the workforce, work processes, and technology evolve.

Compiling a fully thorough HIPAA risk assessment might take a long time depending on the size, competence, and intricacy of a Covered Entity. There are a number of online tools that can assist firms in compiling a HIPAA risk assessment; however, there is no versatile solution owing to the lack of a “particular risk analysis procedure.” 

Why is Data Encryption important?

The loss or theft of mobile devices carrying unencrypted data, as well as the transfer of insecure ePHI through open networks, account for a large proportion of ePHI intrusions.

This type of vulnerability may be readily avoided if all ePHI is encrypted. While existing HIPAA standards do not require encryption in all circumstances, it is a security safeguard that should be carefully considered and implemented. If data encryption is not employed, suitable alternatives should be used. In the case of a theft, data encryption makes stored and transmitted data incomprehensible and useless.

Data is initially transformed to an unreadable format known as ciphertext, which cannot be decrypted without a security key that restores the encrypted data to its original state. A HIPAA violation for the disclosure of patient data will not occur if an encrypted device is lost or stolen. On computer networks, data encryption is also critical to prevent hackers from gaining unauthorized access.

How to Comply with HIPAA Regulations

Several firms want to build applications, software, or services for the medical sector but don’t know how to comply with HIPAA. Although it is feasible using a HIPAA compliance checklist to ensure that all the requirements of HIPAA are addressed, developing a HIPAA compliance checklist and incorporating all applicable security and privacy controls can be a tricky task for organizations vaguely familiar with the intricate details of HIPAA Regulations.

Companies’ services and products cannot be employed by HIPAA Covered Entities unless they can assure that they have adopted all necessary measures to protect ePHI at rest and in transit, as well as policies and procedures in place to prevent and identify unlawful exposures. Hence, what’s the simplest method to comply with HIPAA?

To ensure that your business, product, or service integrates the suitable technology, administrative, and physical protections of the HIPAA Security Rule, you’ll need to employ a HIPAA compliance checklist. In addition, you must comply with the HIPAA Privacy and Breach Notification Rules.

If you make a mistake and fail to protect ePHI, the HHS’ Office for Civil Rights, state attorneys general, and other authorities can sanction you directly for HIPAA violations as a HIPAA business partner. Some infractions may also result in criminal prosecution. HIPAA compliance might be intimidating, but the potential rewards of entering the profitable medical industry for software suppliers are significant.

It is advisable to obtain expert help from HIPAA compliance specialists to make sure that you address all items on your HIPAA compliance checklist and leave no room for doubt. Several companies provide HIPAA compliance software to walk you through the HIPAA compliance checklist, guarantee consistent HIPAA compliance, and deliver HIPAA certification.

HIPAA Information Technology Compliance

HIPAA IT compliance mainly covers the verification of all of the provisions of the HIPAA Security Rule and addresses all of the areas on your HIPAA IT compliance checklist.

Two critical aspects of HIPAA IT security are Risk assessment and management. Adopting the NIST Cybersecurity Framework as part of your HIPAA IT compliance policy is one method to help make sure risks are recognised and appropriate controls are applied. The NIST Cybersecurity Framework will aid in the prevention of security breaches as well as the detection and response to attacks in a HIPAA-compliant way when they do take place.

Any systems that send, receive, store, or modify ePHI are covered under HIPAA IT compliance. Any system or application that comes into contact with ePHI must have sufficient security safeguards to maintain its privacy, authenticity, and accessibility.

Monitoring ePHI access logs on a regular basis is one area of the HIPAA compliance checklist that is frequently overlooked. Unauthorized access to ePHI by clinical staff is prevalent, but many Covered Organizations fail to undertake regular audits, so unlawful access might go undetected for months or even years.

IT HIPAA Compliance Checklist

There are various strategies that IT departments may adopt to strengthen the security of ePHI, in addition to the laws and policies that exist on our HIPAA compliance checklist and are derived from acts of law.

The implementation of an encrypted communication solution helps avoid any security breaches caused by the usage of personal mobile phones in the office. Authorized workforce can transmit ePHI – and send documents containing ePHI – using secure messaging systems that adhere to HIPAA’s physical, technological, and managerial protections.

Email is another place where there might be security holes. Emails containing ePHI should be encrypted before being forwarded outside of an internal firewalled server. Emails containing ePHI should also be considered part of a patient’s health data and should be securely kept in an encrypted manner for a minimum of six years.

Since patient records fetch a higher price on the black market than credit card information, safeguards should be put in place to avoid phishing assaults and spyware downloads. Criminals acquiring credentials to EMRs or other datasets have been blamed for some recent HIPAA breaches, and healthcare institutions may reduce the chance of this occurring to them by using an online content filter.

Auxiliary HIPAA IT Safeguards

In addition to the technology laws listed above, there are several HIPAA IT compliance safeguards that are easy to ignore, such as the facility access policies within the Physical Security Rule. These HIPAA IT compliance standards may be overlooked accidentally if the IT Department is not responsible for the physical security of its servers, and it will be the obligation of the HIPAA Security Officer to establish accountability.

Further HIPAA IT obligations that are often neglected include Business Associate Agreements with SaaS providers and hosting businesses that may have access to ePHI through the services they offer. This is also true for programmers who develop eHealth apps that will communicate PHI. To be HIPAA IT compliant, each health care facility providing the app must have a Business Associate Agreement in place.

Checklist for HIPAA Audits

The next section of our HIPAA compliance checklist is a HIPAA audit checklist. The adoption of the HIPAA Enforcement Rule established a feasible method for HHR to assess HIPAA compliance. If it was discovered that a Covered Entity or Business Associate had made no effort to comply with HIPAA, HHR might levy sanctions even if no PHI breach had occurred. HHR has issued audit guidelines for the first two rounds of audits to assist Covered Organizations and Business Associates in compiling a HIPAA audit checklist.