HIPAA Compliance Checklist: A 10-point checklist to make sure your Organisation achieves HIPAA Complaince! Before we get into the checklist, let us first see what exactly is HIPAA Compliance.
What is HIPAA compliance?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996 which is a Federal Law that sets the rules for how health care providers, insurers, and administrators must handle Protected Health Information [PHI]. The HIPAA Privacy Rule and the HIPAA Security Rule are the most well-known regulations.
HIPAA applies to any person who transmits or receives Protected Health Information [PHI] electronically, in any form or media, including oral communication. HIPAA also applies to those who obtain PHI from another person or entity under certain conditions (covered entities).
HIPAA Compliance means that a person or Organisation is in compliance with the HIPAA Privacy Rule and the HIPAA Security Rule. It means that they have taken the necessary steps to ensure their information systems are secure, and that they are only using their PHI for purposes specified by their business associate agreement.
Who is required to comply with HIPAA?
HIPAA applies to all health care providers, including hospitals, doctors, pharmacies, and insurance companies. It also applies to all health care clearinghouses. HIPAA does not apply to businesses that do not provide health care services. A broad category of people/industry that needs to be compliant with the HIPAA Regulations are:
- Any healthcare providers or Organisations that transmit health information electronically, such as doctors, hospitals, and health plans.
- A business associate who is a person or Organisation that performs services for covered entities, including billing services and IT companies.
- Healthcare providers who don’t qualify as a covered entity may still be required to follow HIPAA if they transmit health information electronically.
- Health plans insurers such as Medicare and HMOs [Health Maintenance Organisations].
The HIPAA Compliance Checklist:
Here’s a 10-point checklist of important steps to take if you want your business to be HIPAA compliant.
1. Learn about the privacy and security rules that protect health care information:
The Privacy Rule and Security Rule are the main components of HIPAA. The Privacy Rule deals with how covered entities protect Personally Identifiable Health information [PHI]. The Security Rule addresses the safeguards healthcare providers must implement to safeguard PHI from unauthorised disclosure or use.
2. Understand if your business is applicable to the Privacy Rule:
The Privacy Rule applies to a variety of healthcare providers, including doctors, hospitals, and health plans. It also applies to business associates of these entities. A business associate is any person or Organisation that performs services on behalf of covered entities such as data analysis and processing claims
3. Appoint a designated HIPAA Privacy Officer to oversee and manage HIPAA compliance efforts:
A HIPAA Privacy Officer is a person who has been appointed by the Organisation to oversee and manage HIPAA compliance efforts. The Privacy Officer must be given access to all relevant information regarding your Organisation’s HIPAA compliance program.
4. Establish security management policies and standards:
Security management policies and standards are essential for managing the security of electronic protected health information. Security management policies should address issues such as user authentication, access control, data encryption, and system integrity.
5. Put in place the necessary protections to comply with Security Rule standards:
The Security Rule requires that covered entities use appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information. The security standards include requirements for disaster recovery and business continuity plans; access controls; data encryption; passwords; firewall protection systems; maintenance of logs; policies on disposal of EPHI; incident reporting requirements; training of workforce members on security awareness issues (including a process for handling breaches); and other technical safeguards.
6. Conduct HIPAA Risk Assessments to evaluate compliance with the regulation.
Create a risk assessment of PHI that you store, transmit or disclose: A risk assessment is a process used to determine if the current level of protection for PHI is adequate. This can be done through a variety of methods, including interviews with staff members and management as well as reviewing policies and procedures related to the storage and transmission of health data.
7. Train employees on how to comply with HIPAA privacy procedures.
Make sure everyone at your company understands what HIPAA compliance means before they start working there. People who are new in their roles should be trained properly so they know exactly what information needs to be protected at all times (and how). This includes educating medical professionals about patient privacy laws in addition to other workers like receptionists and janitors who might handle sensitive data every day without knowing it!
8. Learn from mistakes and other people’s violations:
The best way to ensure that your Organisation stays compliant with HIPAA is by learning from other people’s mistakes. If you hear about a breach or privacy violation, make sure to investigate how it happened so you can prevent similar incidents from happening at your company!
9. Continuously review compliance policies as your Organisation grows and changes:
As your company grows and changes, you will likely find that some of your policies need to be updated. This can include a lot of different things, like adding new employees or changing the way your facility is organised. It’s important to make sure that everyone on staff knows about any changes so they can keep themselves compliant with HIPAA!
10. Stay up-to-date with all the regular changes that HIPAA regulation undergoes:
HIPAA regulations change a lot, and it’s important to stay up-to-date on all the changes. You can do this by keeping an eye out for updates on the HHS website or by following them on social media sites like Twitter and YouTube. The more you know about how HIPAA applies to your Organisation, the better able you are to keep yourself compliant!
Privacy Rule under HIPAA
The HIPAA Privacy Rule is a federal law that protects the privacy of individually identifiable health information and it applies to all forms of health care, including hospitals, doctors, dentists, mental health providers, and health insurance companies. The Privacy Rule gives patients rights over their own medical records and restricts others’ access to them.
In addition to protecting patient privacy, the HIPAA Security Rule sets national standards for how healthcare Organisations must safeguard electronic Protected Health Information [ePHI].
HIPAA helps patients’ privacy and records by:
- Helping to ensure the security of patient information.
- Keeping equipment safe and secured at all times.
- Ensuring that doctors, nurses, and other medical professionals keep all patient information confidential.
Security Rule under HIPAA
HIPAA Security Rule is a set of federal standards for protecting electronic health information. HIPAA Security Rule applies to all HIPAA-covered entities and their business associates, which are required to abide by the security rule when they handle or store Protected Health Information [PHI].
The rule contains specific requirements for protecting information that is transmitted, received or stored in any form or medium. It also requires covered entities to have a set of administrative, physical, and technical safeguards that are required to protect the confidentiality, integrity, and availability of electronic protected health information [ePHI] in order to prevent its loss or misuse as well as unauthorised access, disclosure, modification or destruction.
As part of administering its HIPAA compliance program, a covered entity must:
- perform an accurate risk analysis
- implement policies and procedures to prevent unauthorised access to ePHI
- use appropriate methods to destroy or dispose of ePHI once it’s no longer needed
Breach Notification Rule under HIPAA
In a nutshell, the Breach Notification Rule requires covered entities to notify individuals of certain breaches involving their Protected Health Information [PHI]. The rule does not require notification for all breaches or for every unauthorised use or disclosure of PHI; rather, it requires that covered entities and business associates take steps to:
- Identify which patients have been affected by a breach
- Notify those patients about the breach without unreasonable delay and no later than 60 calendar days after discovery unless you can demonstrate a reasonable risk of harm to more than 500 people from providing notice within 60 days.
Organisations are not required to send breach notifications in cases where:
- There is evidence of fraud.
- Law enforcement has requested that you not report the incident.
- Your obligation to report would impede an investigation.
- There was no impermissible use or disclosure but only impermissible acquisition or access due to software malfunctioning as part of an Information Technology system used by multiple persons with varying access rights.
- You did not become aware that there was possible unauthorised acquisition/access until over 180 days after discovery (or whenever your next annual assessment is due).
- You are unable to contact the individual at risk because they are deceased.
- The unauthorised person has been arrested before receiving notice from you then notification may be delayed until law enforcement completes its investigation into whether any crime has occurred.
Omnibus HIPAA Rule
The HIPAA Omnibus Rule was introduced in 2013 to update the privacy and security provisions of HIPAA. The Omnibus Rule introduced the concept of a “business associate” to HIPAA. Business associates were defined as individuals or Organisations who handled PHI on behalf of covered entities, such as health care providers and their employees. Business associates are directly responsible for maintaining the privacy and security of PHI under HIPAA and must enter into agreements with covered entities that specify what access they have to PHI. The rule also clarified that notification may be delayed if law enforcement is investigating whether there has been any type of criminal activity involving the breach.
The Omnibus Rule is a compilation of updates that apply to a broad range of healthcare operations, including:
- Withholding payment for failure to sign business associate agreements;
- Requiring covered entities to provide breach notification within 60 days of discovery of a breach; and
- Prohibiting certain uses and disclosures of protected health information without authorization.
How does Neumetric assist?
Neumetric, a cyber security product and services company, can help your Organisation become HIPAA Compliant by helping you meet all of the new regulations. We will walk you through each step and make sure that your information security program is up-to-date with the latest technology, policies and procedures by providing a HIPAA Security Risk Assessment and Cyber Security Audit.
Our team of experts will perform an in-depth assessment of your Organisation’s security measures and create a plan to help you become compliant with the rule. Neumetric can help your Organisation identify any gaps in security that may put protected health information at risk. For more details on our HIPAA Compliance Program, visit our HIPAA Compliance Service page by clicking here.
Conclusion
HIPAA compliance is a must-have for any healthcare business, as the law mandates that companies that handle patient information must abide by certain rules.
This checklist will help you understand what HIPAA compliance is and how to implement it. HIPAA compliance can be a difficult task for your Organisation, but it is not impossible to achieve. By understanding the rules and regulations of HIPAA, you can make sure that you are complying with all relevant laws. Neumetric can be your partner to make sure that you become HIPAA Compliant and remain in compliance.
FAQs
What is needed for HIPAA compliance?
HIPAA compliance is not a one-step process. It is a series of steps that can be broken down into different categories. You will need to implement a Security Management Program, which involves:
- A security policy
- Risk analysis
- Physical and technical safeguards
- Privacy training for employees
What are the 10 most common HIPAA violations?
The most common violations include:
- Sharing protected health information (PHI) without authorization.
- Disclosing PHI to unauthorised individuals.
- Failing to get proper consent for treatment and payment purposes.
- Using unsecured emails for PHI data.
- Loss of PHI due to a security breach.
- Inadequate physical safeguards such as locks on doors or cabinets.
- Improper disposal of paper records or files that contain sensitive information.
- Failure to train employees on privacy policies and procedures.
- Failing to conduct an initial risk assessment and an annual security risk analysis.
- Failing to document privacy policies and procedures in writing.
What are the four HIPAA standards?
The HIPAA Security Rule establishes four standards for protecting PHI:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organisational policies and procedures.
What are the conditions for HIPAA compliance?
In order to be compliant with HIPAA, healthcare providers must meet the following conditions:
- A covered entity or business associate must have a written security policy in place that addresses how they will protect PHI.
- The security policy should include administrative, physical and technical safeguards.
- The Organisation must be able to document that they meet the HIPAA security standards, among other conditions.
What must be on a HIPAA checklist?
The ten-point checklist to obtain HIPAA Compliance is mentioned above. In summary:
- Learn about the privacy and security rules that protect health care information.
- Understand if your business is applicable to the Privacy Rule.
- Appoint a designated HIPAA Privacy Officer to oversee and manage HIPAA compliance efforts.
- Establish security management policies and standards
- Put in place the necessary protections to comply with Security Rule standards.
- Conduct HIPAA Risk Assessments to evaluate compliance with the regulation.
- Train employees on how to comply with HIPAA privacy procedures.
- Learn from mistakes and other people’s violations.
- Continuously review compliance policies as your Organisation grows and changes.
- Stay up-to-date with all the regular changes that HIPAA regulation undergoes.
How can I be sure my paperwork is enough to pass the HIPAA compliance audit?
The truth is, you can’t be sure without doing an audit. It’s a good idea to have your paperwork reviewed by a HIPAA compliance attorney before filing it with the Department of Health and Human Services (HHS). If you don’t have access to an attorney who specialises in this area and can review your paperwork for free or at a reduced rate. One of the best ways to ensure that your documentation is sufficient is to ask for feedback from someone who has been through the process already.
What occurs if you don’t pass the HIPAA audit?
If you don’t pass the HIPAA audit, then you will be required to take corrective actions. This could include updating your policies and procedures or even changing the way that you operate. The bottom line is that if you don’t pass the audit, then your business could be at risk of fines or being shut down completely.
What aspect of a HIPAA audit is most important?
The most important aspect of a HIPAA audit is that it ensures that your business is compliant with the HIPAA Security Rule. This means that you will need to make sure that all of your policies and procedures are up-to-date, as well as implement new ones if needed. It’s also important to make sure that everyone who needs access to patient information has been properly trained on how to handle this data responsibly.
