The purpose of a HIPAA compliance checklist is to ensure organizations subject to HIPAA do not overlook the implementation of a policy or procedure that could prevent a HIPAA violation or a data breach. However, because each organization subject to HIPAA is required to develop and implement its own policies and procedures, there is no “one-size-fits-all” compliance checklist.
What is a HIPAA Compliance Checklist?
A compliance checklist is not a requirement of HIPAA but is often used to ensure the requirements of HIPAA are met. It is effectively a guide developed by each organization to either record what policies and procedures need to be implemented to comply with HIPAA or to ensure the policies and procedures put in place to prevent HIPAA violations and data breaches are complied with.
The content of a HIPAA compliance checklist will differ from organization to organization because each organization’s functions, size, infrastructure, and capabilities differ. Additionally, the cost of implementing certain standards and the criticality of potential risks can also influence the content of a HIPAA checklist under the Security Rule’s flexibility of approach provision (§164.306).
The Similarities between HIPAA Checklists
Although the content of a HIPAA compliance checklist will differ from organization to organization, there are some similarities between HIPAA checklists. For organizations subject to the Privacy Rule, it is important to include policies and procedures relating to permissible uses and disclosures of PHI, individuals’ rights, authorizations, training, and Business Associate Agreements.
Organizations subject to the Security Rule may also want to consider the above checklist items but will have to include items relating to the Administrative, Physical, and Technical Safeguards – specifically any items that have been identified in a security risk analysis. All organizations subject to HIPAA should have policies and procedures in place to comply with the Breach Notification Rule.
Common components of a HIPAA compliance checklist include:
- Designate a Privacy Officer and/or a Security Officer
- Identify what PHI is created, received, maintained, or transmitted
- Identify all foreseeable threats to the privacy and security of PHI
- Implement measures to reduce threats to a reasonable level
- Train the workforce on privacy and security policies and procedures
- Implement a schedule to review Business Associate Agreements
- Implement procedures for reporting and escalating data breaches
- Implement a schedule for reviewing and updating HIPAA checklists
What is PHI?
PHI – or Protected Health Information – is a term frequently referenced in our guide to HIPAA compliance checklists. The term is frequently misunderstood, so it is important for Covered Entities and Business Associates to be aware of what is PHI – and what isn’t. However, in order to fully understand the meaning of PHI, you have to work backwards through the definitions section of the Administrative Simplification Regulations (§160.103).
This is because Protected Health Information is defined as “individually identifiable health information […] transmitted by or maintained in electronic media or any other form or medium”. But what constitutes individually identifiable health information? In §160.103, this is defined as “a subset of health information […] collected from an individual […] that:
- Relates to the past, present, or future physical or mental health or condition of an individual,
- The provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care to an individual,
- That identifies the individual or which can be used to identify the individual.
The backwards journey through the definitions section doesn’t stop there because there is also a definition of “health information”. This definition is similar to that of individually identifiable health information inasmuch as the term “health information” relates to the past, present, or future condition of a (non-identified) patient, treatment for the condition, or payment for the treatment. However, health information can be “oral or recorded in any form or medium”. Therefore:
- The diagnosis of “a broken ankle” is health information.
- “Mrs. Jones has a broken ankle” is individually identifiable health information.
- If the words “Mrs. Jones has a broken ankle” are spoken, written down, or typed into an EHR, the diagnosis becomes Protected Health Information.
How do You Identify what PHI is Created, Received, Maintained, or Transmitted?
This can depend on the nature of a Covered Entity’s or Business Associate’s operations because in most cases, procedures exist to record individually identifiable health information and maintain the information in a “designated record set” – a set of records used by a Covered Entity to make decisions relating to (for example) a health plan member’s eligibility, coverage, and premiums, or the best course of action to respond to a patient’s diagnosis.
Consequently, it is usually fairly straightforward to identify what PHI is in an organization’s possession provided the procedures to record individually identifiable health information are adhered to. This may need confirming via an entry on a HIPAA compliance checklist. However, it is important to be aware that a Covered Entity may maintain more than one designated record set about an individual, and this possibility should also be noted on a HIPAA checklist.
It is also important to be aware that any other information included in a designated record set that could identify the subject of the health information should be given the same protections as the health information. This not only includes the so-called “de-identification identifiers” in §164.514, but any note, image, or file that – individually or together with other information in the record set – could be used to identify the subject of the health information.
One of the benefits of identifying what PHI is created, received, maintained, or transmitted, and keeping it in one designated record set is that individuals have the right to request copies of what information is maintained about them. Having everything in one place reduces the length of time it takes to respond to an access request, ensures that the information provided to the individual is complete, and mitigates the likelihood of an individual raising a query or requesting a correction.
Identify Foreseeable Threats and Reduce Them to a Reasonable Level
You don’t have to be a security expert to be aware that healthcare data is highly sought by cybercriminals who can monetize individually identifiable health information for far more than (say) a stolen credit card. You probably don’t even need to be a security expert to identify foreseeable threats to healthcare data from both internal and external sources. You just need to know how to reduce them to a reasonable level. But what is “reasonable”?
The use of the word “reasonable” in the Administrative Simplification Regulations is unfortunate because it means different things to different people. What may be a reasonable precaution for one person may be far too stringent for another person, or far too lax for somebody else. From a Privacy or Security Officer’s perspective, it can be a good idea to ask yourself “how would I best protect the confidentiality, integrity, and availability of my health information?”.
Working from your answers, you can then set about implementing measures to reduce foreseeable threats to a reasonable level – provided the measures meet the minimum standards of the Privacy and Security Rules and that, if you apply the “flexibility of approach” provisions of the Security Rule, you document why a certain approach has been taken. The same applies when alternate measures to addressable implementation specifications are used.
Sometimes Multiple Checklists are Necessary
As well as there being no “one-size-fits-all” HIPAA compliance checklist, it may sometimes be necessary to compile multiple checklists when more than one person is responsible for HIPAA compliance. This not only occurs when an organization appoints a Privacy Officer and a Security Officer, but also when areas of responsibility are divided among a compliance team or delegated to line managers and team supervisors.
For example, a healthcare facility may maintain a general Privacy Rule compliance checklist relating to permissible uses and disclosures of PHI and have separate HIPAA checklists for responding to patients wishing to exercise their access rights and managing Business Associate Agreements. Similarly, a general HIPAA security requirements checklist could be complemented by a HIPAA cybersecurity checklist and a HIPAA checklist for software development.
HIPAA Checklists should be Regularly Reviewed
Once a HIPAA compliance checklist has been compiled, it should be regularly reviewed to account for any changes to regulations, working practices, or threats to the privacy, confidentiality, integrity, and availability of PHI. When changes occur, they not only affect organizational policies and procedures, but may also require members of the workforce to be provided with refresher training if there is a “material change” to Privacy Rule policies and procedures.
Keeping a HIPAA compliance checklist up to date not only has benefits in terms of an organization’s compliance efforts; but, if HHS’ Office for Civil Rights conducts an audit, investigation, or compliance review, being able to demonstrate that HIPAA checklists are being kept up to date shows a good faith effort to comply with HIPAA – a fact that can mitigate the degree of any enforcement action undertaken by OCR inspectors if a HIPAA violation is discovered.
HIPAA Compliance Checklist FAQs
Which organizations are subject to HIPAA?
Generally, health plans, health care clearinghouses, and healthcare providers who transmit PHI electronically in connection with a transaction for which the Department of Health and Human Services has developed standards. These organizations are known as “Covered Entities”. Vendors of personal health devices are also required to comply with the HIPAA Breach Notification Rule.
Additionally, Business Associates providing a service for or on behalf of a Covered Entity that involves a use or disclosure of Protected Health Information are required to comply with the Security Rule, Breach Notification Rule, and whichever parts of the Administrative Requirements and/or the Privacy Rule are stipulated in their Business Associate Agreement with the Covered Entity.
Who within an organization is responsible for compliance?
According to the Privacy Rule (§164.530), Covered Entities must designate a Privacy Officer who is responsible for developing and implementing policies and procedures. Although the Privacy Rule does not state this person is responsible for compliance, it is generally assumed that – as the point of contact for complaints and queries – the Privacy Officer is responsible for Privacy Rule compliance.
Additionally, all organizations subject to HIPAA must designate a Security Officer to comply with the Administrative Requirements of the Security Rule (§164.308). The Security Officer and the Privacy Officer can be the same person; however, it is recommended that the Security Officer is proficient in IT security in order to understand the implementation specifications of the Technical Safeguards.
Why might a HIPAA compliance checklist differ because of an organization´s functions?
Not all organizations subject to HIPAA have the same functions. For example, health plans have minimal interaction with the general public, while it is the opposite for healthcare providers. Consequently, healthcare providers will need to have more policies and procedures relating to public-facing operations than health plans and will have to implement measures to maximize workforce compliance with these policies and procedures.
What policies and procedures should be implemented to comply with the Breach Notification Rule?
Although most of the implementation specifications of the Breach Notification Rule relate to the timeliness and content of breach notifications to individuals and HHS’ Office for Civil Rights, it is important that policies exist for how – and to whom – members of the workforce can report a breach of unsecured PHI, and that procedures are in place for managers and supervisors to escalate reports to the Privacy and/or Security Officer in order to commence the breach notification process.
How frequently should HIPAA checklists be reviewed?
There is no recommended frequency for reviewing HIPAA checklists because reviews can be prompted by changes to regulations, working practices, or threats to data privacy and security. However, to prevent HIPAA checklists being overlooked when changes do not occur, it can be a good idea to schedule reviews of HIPAA checklists to coincide with the periodic risk assessments and risk analyses required by HIPAA.