“Getting into the healthcare business is really easy,” said no one, ever.
HIPAA is a critical and comprehensive safeguard for healthcare organizations and businesses that work with healthcare information. But, there is a lot of conflicting HIPAA information out there. Compliance with HIPAA can feel like quite an uphill battle. If you work with healthcare information or have been tasked with becoming HIPAA compliant, the HIPAA compliance checklist below is for you.
In this piece, we’ll go over:
- How HIPAA works
- How to become compliant with HIPAA rules:
- The Privacy Rule
- The Security Rule
- The Data Breach Notification Rule
- A HIPAA compliance audit checklist
How Does HIPAA Work?
HIPAA protects the confidentiality, integrity and availability of patient data or protected health information (PHI). It mandates HIPAA covered entities and business associates put the right PHI safeguards in place.
HIPAA does this by focusing on three main areas or rules:
- The Privacy Rule
- The Security Rule
- Breach notifications
In the following section, we’ll go over some key details about each rule and how to be compliant with each.
How to Become Compliant with HIPAA Rules
The Privacy Rule
The privacy rule protects patient PHI in any form (verbal, electronic, or written).
The rule protects your information rights as a patient. It gives you the right to know when and how your PHI is being used and disclosed.
That seems quite broad, right? Let’s break it down. Here is an overview of the mandatory privacy considerations you need to implement within your policies and procedures to ensure your HIPAA compliance.
Notice of Privacy Practices
You must tell patients how you will use and disclose their PHI, along with the organizational practices you have in place to protect it.
Business Associate Agreement (BAA)
There must be a contract or other written arrangement between covered entities and their business associates, such as their vendors. It must specify each entity’s responsibilities when it comes to handling and protecting PHI.
The use and disclosure of PHI is limited to what is necessary.
For example, a healthcare practitioner should not view PHI just because they can. They should only access PHI when it is required to perform certain job functions.
You must get patient authorization to use or disclose PHI for any purpose beyond what’s permitted by the HIPAA Privacy Rule. There are instances where this is not required.
Here’s an example. Let’s say you’re collecting PHI to provide treatment, and you’ve already given the patient your notice of privacy practices: you don’t need authorization. If you want to use a patient’s PHI for research purposes, however, you must obtain authorization, even if you gave notice.
You could call this the Miranda Rights of HIPAA. Under the privacy rule, here are some examples of the individual rights patients have:
- Right of Notice
- Right of Access
- Right to an Accounting of Disclosures
- Right to Amend
- Right to Request Restrictions
- Other rights include (but are not limited to) alternate communications, special requests and the right to file complaints.
Release of Information
You must verify the identity of a person requesting PHI before releasing it, to make sure they have the proper authorization.
You know when your doctor’s office asks you for your birthday or another security question when you’re requesting something? That is to ensure appropriate release of information.
HIPAA wouldn’t be an information security framework if it didn’t prioritize documentation, right? It requires covered entities to keep all PHI documentation, including amendments and requests, for at least six years.
The Security Rule
Next, there is the HIPAA security rule. It focuses on security measures for electronic PHI. It requires covered entities to protect electronic PHI using the appropriate technical safeguards.
These safeguards work to protect the confidentiality, integrity and availability of electronic PHI.
There are three critical elements of the security safeguards that HIPAA requires: administrative, physical and technical. Here’s what each element covers:
You’ll see more on how to implement some of these safeguards in the HIPAA compliance checklist in the following section.
Expert quick tip: SOC 2 and ISO 27001 have roughly a 53–59% overlap with HIPAA (the exact percentage is heavily organization dependent). If you’re already compliant with one of these frameworks, you have already implemented many of these safeguards. Hoping to become compliant with one of these frameworks after HIPAA? You’re already almost there!
It’s important to note that a security assurance platform like Tugboat Logic will automate your compliance with HIPAA’s privacy and security rules for you. If you choose to get compliant with compliance software, you’ll complete an 11-question questionnaire to scope your HIPAA project. The software then auto-populates your HIPAA policies, controls, safeguards, evidence tasks and implementation details for you. Your documentation will account for not only each HIPAA rule, but also the particularities of your business.
The Data Breach Notification Rule
This HIPAA regulation states that HIPAA covered entities must notify the Secretary of the U.S. Department of Health and Human Services (HHS) of breaches of unsecured protected health information if a data breach or security breach of PHI occurs. Covered entities must further notify individuals impacted by the breach within 60 days.
This rule requires business associates to notify HIPAA-covered entities they are in business with if a data breach of PHI occurs within their organization.
Not reporting a data breach, or not following any other HIPAA requirement, can result in some heavy fines—up to $50,000 per incident.
Learn more about PHI data breaches and HIPAA fines here.
HIPAA Compliance Audit Checklist
The Office for Civil Rights (OCR), a department within the HHS, performs HIPAA audits.
Work with healthcare information in any way? You can be audited by the OCR, either at random or in response to a complaint or data breach.
This checklist gives you an overview of some of the key items the OCR will be looking out for if you have to go through a HIPAA audit, straight from our HIPAA compliance experts:
Are your HIPAA policies and procedures documented, up-to-date and effective? Have staff members signed a document to show they acknowledge each HIPAA policy and procedure?
Have you completed a company-wide risk analysis? Risk assessments are pivotal for passing any InfoSec audit; learn how to complete one here.
Have all staff members undergone annual HIPAA training? Could staff members show an auditor they have an understanding of HIPAA’s privacy and security rules? This is extremely important to the OCR.
Do you have an ongoing program to monitor risk management and detect HIPAA violations? This could include internal audits or assessments to ensure all your HIPAA controls and safeguards are working as intended.
Have you identified your business associates/vendors and implemented a BAA (Business Associate Agreement) with each? BAAs must undergo review at least annually, and you must document proof of the review.
Is someone managing your security and privacy compliance? There should be a dedicated team member assigned to overseeing your HIPAA program and ensuring you maintain continuous compliance.
Proving HIPAA Compliance & Tugboat Logic
So, you have all this in place. You’ve followed the HIPAA compliance checklist. But how do you prove your HIPAA compliance to an auditor, or to customers who want to know about your security posture? A security assurance platform like Tugboat Logic will not only give you everything you need to become HIPAA compliant, but will also give you a report to prove your compliance with a few clicks.