Summary: Following a HIPAA compliance checklist can help HIPAA-covered entities comply with the regulations and become HIPAA compliant. In this HIPAA compliance guide, we’ll review the 8 primary steps to achieving HIPAA compliance, tips on how to implement them, and frequently asked questions.
Every organization that uses, handles, or discloses protected health information (PHI) needs to be aware of its compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA) . However, not every organization must meet the same requirements to become compliant, which can make following HIPAA guidelines particularly confusing. HIPAA-covered entities—like health plans, healthcare clearinghouses, and healthcare providers—are responsible for meeting all HIPAA compliance requirements. Meanwhile, business associates who handle PHI data and exempted entities must only comply with some aspects. A HIPAA compliance requirements checklist provides an easy way for organizations to take the right steps to comply with the HIPAA guidelines that apply to them.
Mismanaging patients’ PHI can lead to dire consequences for both the patient and the organization that compromised their sensitive data. One such consequence for organizations that intentionally or unintentionally expose patient PHI data is a criminal or civil HIPAA violation . HIPAA non-compliance can be extremely costly for organizations. And sometimes, a criminal HIPAA violation may even involve serving time in prison. Since exposing customers’ private medical data is such a serious offense, organizations that handle PHI data must comply with HIPAA regulations to protect patients. This step-by-step HIPAA checklist can help you get started pursuing and maintaining HIPAA compliance.
Implementing the right HIPAA compliance controls starts with understanding the several HIPAA compliance guidelines covered under the Privacy Rule, the Security Rule, and the Breach Notification Rule . The Privacy Rule and Security Rule explain what organizations must do to protect PHI and electronic PHI (ePHI), including detailing what safeguards to put in place to secure sensitive medical data. The Breach Notification Rule details remediation requirements an organization must take if a breach occurs. Businesses need to understand the intention of these requirements and review the required technical specifications to create the correct safeguards, procedures, and policies for their organization.
To start, determine if your organization qualifies as a covered entity . Covered entities will be responsible for implementing safeguards dictated by the Privacy Rule to protect all PHI—not just electronic data. Even if your organization is an exempt entity or business associate, you may be subject to some Privacy Rule requirements based on agreements you maintain with covered entities.
Individually identifiable health information must be protected under HIPAA regulations, but that doesn’t include all of an organization’s data. Identify what data your organization collects, uses, or stores both physically on paper and within your IT infrastructure. Determine how much of that data qualifies as identifiable health information, and review how that data is collected, retrieved, and deleted. You’ll also want to note who has access to that data and how it’s accessed.
Recognizing the gaps in your existing data security practices can help you see where more controls or new procedures you need to become HIPAA compliant. The OCR’s Security Risk Assessment Tool serves as a great HIPAA Security Rule checklist to see how your current controls align with the requirements detailed in the Security Rule. Audit your current privacy and security policies and procedures to see how they align with the requirements detailed in the HIPAA guidelines. Your organization must maintain data security for PHI in use, at rest, and during transmission, which often requires updating outdated systems. Use your analysis to create your own HIPAA risk assessment checklist and develop a compliance plan to close your security gaps and maintain HIPAA standards.
Once you understand what your organization needs to do to achieve compliance, define who is accountable for which elements of your compliance plan to promote streamlined, transparent communication. Maintaining HIPAA compliance requires regular monitoring, audits, technology maintenance, and training. Establishing responsible parties for those steps early can help companies maintain HIPAA compliance.
Once you’ve created a compliance implementation and management plan, focus on introducing the privacy and security controls that will mitigate the most risk. Create a HIPAA compliance audit checklist to consistently review your improvements and detect more gaps to address. Consider that internal users are often more likely to be responsible for HIPAA violations than external breaches, so prioritize both technical security safeguards—like encrypting data—with physical and administrative safeguards—like using strong passwords and training users to manage data safely.
As you implement data privacy and security improvements to comply with HIPAA guidelines, track all progress with thorough documentation. That can include maintaining versions of your policies and procedures as they’re edited, tracking who attended compliance training sessions, and recording which entities you share PHI with. Some documentation may be required for an OCR audit, like policies and procedures, written and electronic communications, and actions requiring a written or typed record. However, it’s best to record as much of your HIPAA compliance process as possible to recognize and mitigate security gaps quickly.
If your organization experiences a security incident, you are required to submit a breach report form to the Secretary of Health and Human Services within 60 days of discovering the breach. Following the Breach Notification Rule, the company must also notify all individuals whose PHI it exposed within the same period. For breaches affecting over 500 people, you must also notify local media. Reporting a breach will prompt an investigation by OCR. Conduct your own investigation into HIPAA violations and document what you find. Combined with OCR’s investigation, this can help you close security gaps and restore your organization’s HIPAA compliance.
A HIPAA compliance checklist is a resource organizations use to understand the steps involved in achieving and maintaining HIPAA compliance. With a HIPAA compliance checklist, organizations can also discover how to create safeguards that protect their PHI.
HIPAA-covered entities in the United States must comply with all HIPAA regulations. These entities include health plans and most medical insurance companies; healthcare providers like hospitals, clinics, and nursing homes; medical professionals like doctors and nurses; and healthcare clearinghouses, which process medical claim and billing data.
Business associates—or external professional organizations that handle PHI data like accountants, lawyers, and IT personnel—are responsible for some elements of HIPAA compliance. Similarly, exempt entities like life insurance companies or on-campus health centers only need to comply with certain HIPAA requirements.
While there is not a dedicated HIPAA IT compliance checklist, IT teams are often responsible for implementing and managing administrative, technical, and physical security controls to secure electronic PHI and safeguard against a data breach.
Ensuring your website is HIPAA compliant involves implementing encryption, secure data transmission, regular audits, and access controls.
The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) verifies and enforces HIPAA compliance through regular compliance reviews and complaint investigations.
When an organization fails an OCR HIPAA audit, OCR will work with the organization to create a corrective action plan to help the organization become compliant. These plans often involve a data risk analysis, data encryption, creating and documenting new policies and procedures, and/or training your workforce under OCR supervision.
Even when an organization completes its corrective action plan after a failed audit, the organization will be fined based on the four tiers defined in HIPAA’s Omnibus Rule. Individuals may also face criminal charges for some HIPAA violations.
Access management is an important part of any HIPAA technical requirements checklist. For organizations to keep their ePHI secure, they need to thoroughly control which people have access to sensitive patient data … without making it harder for their employees to work effectively.
StrongDM’s Zero Trust Privileged Access Management (PAM) platform gives organizations the power to give the right people access to the right information at the right time. With StrongDM, your team gains access to comprehensive monitoring and logging capabilities that offer deep insight into who has access to ePHI and how they’re using that data.
Plus, StrongDM helps organizations like yours automate least-privilege access and deprovisioning, too. Now, your organization can secure your data without extra legwork.
Now that you have your free HIPAA compliance checklist in hand, it’s time to start implementing!
Still not sure where to begin? Try StrongDM free for 14 days and see how better access management can bring you one step closer to HIPAA compliance.
Andrew Magnusson, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.