HIPAA Compliance Checklist

A HIPAA compliance checklist is a detailed guide for healthcare organizations and their business associates, outlining necessary steps and controls required to adhere to the rules set by the Health Insurance Portability and Accountability Act (HIPAA), including the safeguarding of protected health information (PHI), implementation of security measures, staff training, breach notification procedures, and consistent audits and assessments to ensure ongoing compliance. A HIPAA compliance checklist serves the important purpose of guiding organizations in their efforts to adhere to HIPAA regulations and safeguard protected PHI. A well-designed and regularly updated HIPAA compliance checklist empowers organizations to proactively manage risks, protect PHI, and maintain compliance with the ever-evolving HIPAA regulatory landscape.

These are the essential elements of a HIPAA compliance checklist:

• Conduct a comprehensive risk assessment to identify potential vulnerabilities and risks to the security and privacy of Protected Health Information (PHI).
• Develop and implement policies and procedures that align with HIPAA regulations, covering areas such as privacy, security, breach notification, and patient rights.
• Ensure that all staff members receive HIPAA training, including training on privacy rules, security protocols, handling of PHI, and breach response procedures.
• Maintain appropriate physical safeguards to protect PHI, such as secure storage areas, controlled access to facilities, and proper disposal of sensitive documents.
• Implement technical safeguards to secure electronic PHI (ePHI), including encryption, access controls, audit logs, and regular system updates and patches.
• Establish procedures for securely transmitting PHI, both internally within the organization and externally to business associates or other entities.
• Regularly review and update security measures to address emerging threats and vulnerabilities, staying informed about the latest industry best practices.
• Create a breach response plan that outlines steps to be taken in the event of a security incident or unauthorized disclosure of PHI, including notification processes and mitigation strategies.
• Conduct periodic audits and assessments to evaluate the effectiveness of HIPAA compliance efforts and identify areas for improvement.
• Maintain a system for documenting and retaining HIPAA-related policies, procedures, training records, and incident reports.
• Establish business associate agreements with external vendors or partners who handle PHI, ensuring they also adhere to HIPAA regulations and protect the privacy and security of patient information.
• Regularly communicate HIPAA policies and expectations to staff members, reinforcing the importance of compliance and the consequences of non-compliance.
• Foster a culture of privacy and security awareness among all employees, promoting a proactive and vigilant approach to protecting PHI.
• Stay updated on changes to HIPAA regulations and guidance provided by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR).
• Conduct periodic risk assessments to identify and address new or evolving risks to PHI, such as emerging technologies, remote work environments, or changes in organizational structure.
• Establish mechanisms for reporting and addressing potential HIPAA violations or concerns, providing channels for employees to raise questions or report incidents.
• Regularly review and update HIPAA compliance documentation, policies, and procedures to ensure they align with current regulations and industry standards.
• Continuously monitor and evaluate HIPAA compliance efforts, seeking feedback from staff members, patients, and regulatory bodies to drive ongoing improvement.

What is a HIPAA Compliance Checklist?

A compliance checklist is not a requirement of HIPAA but is often used to ensure the requirements of HIPAA are met. It is effectively a guide developed by each organization to either record what policies and procedures need to be implemented to comply with HIPAA or to ensure the policies and procedures put in place to prevent HIPAA violations and data breaches are complied with.

The content of a HIPAA compliance checklist will differ from organization to organization because each organization´s functions, size, infrastructure, and capabilities differ. Additionally, the cost of implementing certain standards and the criticality of potential risks can also influence the content of a HIPAA checklist under the Security Rule´s flexibility of approach provision (§164.306).

The Similarities between HIPAA Compliance Checklists

Although the content of a HIPAA compliance checklist will differ from organization to organization, there are some similarities between HIPAA checklists. For organizations subject to the Privacy Rule, it is important to include policies and procedures relating to permissible uses and disclosures of PHI, individuals´ rights, authorizations, training, and Business Associate Agreements.

Organizations subject to the Security Rule may also want to consider the above checklist items but will have to include items relating to the Administrative, Physical, and Technical Safeguards – specifically any items that have been identified in a security risk analysis. All organizations subject to HIPAA should have policies and procedures in place to comply with the Breach Notification Rule.

Common components of a HIPAA compliance checklist include:

• Designate a Privacy Officer and/or a Security Officer
• Identify what PHI is created, received, maintained, or transmitted
• Identify all foreseeable threats to the privacy and security of PHI
• Implement measures to reduce threats to a reasonable level
• Train the workforce on privacy and security policies and procedures
• Implement a schedule to review Business Associate Agreements
• Implement procedures for reporting and escalating data breaches
• Implement a schedule for reviewing and updating HIPAA checklists

What is PHI?

PHI – or Protected Health Information – is term frequently referenced in our guide to HIPAA compliance checklists. The term is frequently misunderstood, so it is important for Covered Entities and Business Associates to be aware of what is PHI – and what isn´t. However, in order to fully understand the meaning of PHI, you have to work backwards through the definitions section of the Administrative Simplification Regulation (§160.103).

This is because, Protected Health Information is defined as “individually identifiable health information […] transmitted by or maintained in electronic media or any other form or medium”. But what constitutes individually identifiable health information? In §160.103, this is defined as “a subset of health information […] collected from an individual […] that:

• Relates to the past, present, or future physical or mental health or condition of an individual,
• The provision of health care to an individual,
• Or the past, present, or future payment for the provision of health care to an individual,
• That identifies the individual or which can be used to identify the individual.

The backwards journey through the definitions section doesn´t stop there because there is also a definition of “health information”. This definition is similar to that of individually identifiable health information inasmuch as the term “health information” relates to the past, present, of future condition of a (non-identified) patient, treatment for the condition, or payment for the treatment. However, health information can be “oral or recorded in any form or medium”. Therefore:

• The diagnosis of “a broken ankle” is health information.
• “Mrs. Jones has a broken ankle” is individually identifiable health information.
• If the words “Mrs. Jones has a broken ankle” are spoken, written down, or typed into an EHR, the diagnosis becomes Protected Health Information.

How do You Identify what PHI is Created, Received, Maintained, or Transmitted?

This can depend on the nature of a Covered Entity´s or Business Associate´s operations because in most cases, procedures exist to record individually identifiable health information and maintain the information in a “designated record set” – a set of records used by a Covered Entity to make decisions relating to (for example) a health plan member´s eligibility, coverage, and premiums, or the best course of action to respond to a patient´s diagnosis.

Consequently, it is usually fairly straightforward to identity what PHI is in an organization´s possession provided the procedures to record individually identifiable health information are adhered to. This may need confirming via an entry on a HIPAA compliance checklist. However, it is important to be aware that a Covered Entity may maintain more than one designated record set about an individual, and this possibility should also be noted on a HIPAA checklist.

It is also important to be aware that any other information included in a designated record set that could identify the subject of the health information should be given the same protections as the health information. This not only includes the so-called “de-identification identifiers” in §164.514,  but any note, image, or file that – individually or together with other information in the record set – could be used to identify the subject of the health information.

One of the benefits of identifying what PHI is created, received, maintained, or transmitted, and keeping it in one designated record set is that individuals have the right to request copies of what information is maintained about them. Having everything in one place reduces the length of time it takes to respond to an access request, ensures that the information provided to the individual is complete, and mitigates the likelihood of an individual raising a query or requesting a correction.

Identify Foreseeable Threats and Reduce Them to a Reasonable Level

You don´t have to be a security expert to be aware that healthcare data is highly sought by cybercriminals who can monetize individually identifiable health information for far more than (say) a stolen credit card. You probably don´t even need to be a security expert to identify foreseeable threats to healthcare data from both internal and external sources. You just need to know how to reduce them to a reasonable level. But what is “reasonable”?

The use of the word “reasonable” in the Administrative Simplification Regulations is unfortunate because it means different things to different people. What may be a reasonable precaution for one person, may be far too stringent for another person, or far too lax for somebody else. From a Privacy or Security Officer´s perspective, it can be a good idea to ask yourself “how would I best protect the confidentiality, integrity, and availability of my health information?”.

Working from your answers, you can then set about implementing measures to reduce foreseeable threats to a reasonable level – provided the measures meet the minimum standards of the Privacy and Security Rules and that, if you apply the “flexibility of approach” provisions of the Security Rule, you document why a certain approach has been taken. The same applies when alternate measures to addressable implementation specifications are used.

Understanding HIPAA Rules

HIPAA is comprised of several rules that healthcare organizations and their business associates must abide by. These include the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Omnibus Rule.

A. Privacy Rule

The Privacy Rule, as established by HIPAA, sets national standards to protect individuals’ medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically.

The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures of such information without patient authorization. The rule also grants patients rights over their health information, including the right to examine and obtain a copy of their health records and request corrections.

HIPAA Security Rule

The Security Rule complements the Privacy Rule and deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical.

Administrative safeguards involve creating policies and procedures designed to clearly show how the entity will comply with HIPAA. Physical safeguards involve access to physical servers and hard drives, and technical safeguards involve access control to electronically stored PHI. This includes using encrypted solutions, off-site backup, and secure cloud-based servers.

HIPAA Breach Notification Rule

The Breach Notification Rule requires healthcare organizations to provide notification following a breach of unsecured PHI. The notifications must be provided promptly, and no later than 60 days following the discovery of a breach. In cases where the breach affects 500 or more individuals, notifications should be sent to the media and the Secretary of Health and Human Services.

HIPAA Enforcement Rule

The Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of HIPAA, and procedures for hearings. The Enforcement Rule increased the penalties for HIPAA violations to a maximum of $1.5 million per year for violations of an identical provision.

HIPAA Omnibus Rule

The Omnibus Rule, introduced in 2013, made several important modifications to HIPAA. It expanded the HIPAA requirements to business associates of healthcare providers, implemented new limitations on the use and disclosure of PHI, expanded the rights of patients to access their PHI, and increased the penalties for noncompliance with HIPAA.

Sometimes Multiple Checklists are Necessary

As well as there being no “one-size-fits-all” HIPAA compliance checklist, it may sometimes be necessary to compile multiple checklists when more than one person is responsible for HIPAA compliance. This not only occurs when an organization appoints a Privacy Officer and a Security Officer, but also when areas of responsibility are divided among a compliance team or delegated to line managers and team supervisors.

For example, a healthcare facility may maintain a general Privacy Rule compliance checklist relating to permissible uses and disclosures of PHI and have separate HIPAA checklists for responding to patients wishing to exercise their access rights and managing Business Associate Agreements. Similarly, a general HIPAA security requirements checklist could be complimented by a HIPAA cybersecurity checklist and a HIPAA checklist for software development.

HIPAA Checklists should be Regularly Reviewed

Once a HIPAA compliance checklist has been compiled, it should be regularly reviewed to account for any changes to regulations, working practices, or threats to the privacy, confidentiality, integrity, and availability of PHI. When changes occur, they not only affect organizational policies and procedures, but may also require members of the workforce to be provided with refresher training if there is a “material change” to Privacy Rule policies and procedures.

Keeping a HIPAA compliance checklist up to date not only has benefits in terms of an organization´s compliance efforts; but, if HHS´ Office for Civil Rights conducts an audit, investigation, or compliance review, being able to demonstrate that HIPAA checklists are being kept up to date shows a good faith effort to comply with HIPAA – a fact that can mitigate the degree of any enforcement action undertaken by OCR inspectors if a HIPAA violation is discovered.

HIPAA Compliance Checklist FAQs

Which organizations are subject to HIPAA?

Generally, health plans, health care clearinghouses, and healthcare providers who transmit PHI electronically in connection with a transaction for which the Department for Health and Human Services has developed standards. These organizations are known as “Covered Entities”. Vendors of personal health devices are also required to comply with the HIPAA Breach Notification Rule.

Additionally, Business Associates providing a service for or on behalf of a Covered Entity that involves a use or disclosure of Protected Health Information are required to comply with the Security Rule, Breach Notification Rule, and whichever parts of the Administrative Requirements and/or the Privacy Rule are stipulated in their Business Associate Agreement with the Covered Entity.

Who within an organization is responsible for compliance?

According to the Privacy Rule (§164.530), Covered Entities must designate a Privacy Officer who is responsible for developing and implementing policies and procedures. Although the Privacy Rule does not state this person is responsible for compliance, it is generally assumed that – as the point of contact for complaints and queries – the Privacy Officer is responsible for Privacy Rule compliance.

Additionally, all organizations subject to HIPAA must designate a Security Officer to comply with the Administrative Requirements of the Security Rule (§164.308). The Security Officer and the Privacy Officer can be the same person; however, it is recommended that the Security Officer is proficient in IT security in order to understand the implementation specifications of the Technical Safeguards.

Why might a HIPAA compliance checklist differ because of an organization´s functions?

Not all organizations subject to HIPAA have the same functions. For example, health plans have minimal interaction with the general public, while it is the opposite for healthcare providers. Consequently, healthcare providers will need to have more policies and procedures relating to public-facing operations than health plans and will have implement measures to maximize workforce compliance with these policies and procedures.

What policies and procedures should be implemented to comply with the Breach Notification Rule?

Although most of the implementation specification of the Breach Notification Rule relate to the timeliness and content of breach notifications to individuals and HHS´ Office for Civil Rights, it is important policies exist for how – and who to – members of the workforce can report a breach of unsecured PHI and that procedures are in place for managers and supervisors to escalate reports to the Privacy and/or Security Officer in order to commence the breach notification process.

How frequently should HIPAA checklists be reviewed?

There is no recommended frequency for reviewing HIPAA checklists because reviews can be prompted by changes to regulations, working practices, or threats to data privacy and security. However, to prevent HIPAA checklists being overlooked when changes do not occur, it can be a good idea to schedule reviews of HIPAA checklists to coincide with the periodic risk assessments and risk analyses required by HIPAA.