What Are HIPAA Compliance Requirements? [Complete Checklist]
HIPAA penalties are steep, but meeting the HIPAA compliance requirements will help you avoid them. Here is a step-by-step checklist for HIPAA compliance.
HIPAA compliance requirements fall under five rules:
- Privacy Rule: patients' rights over their PHI and the permitted uses and disclosures of it
- Security Rule: administrative, physical and technical safeguards for ePHI
- Enforcement Rule: compliance investigations, hearings and civil money penalties
- Breach Notification Rule: required notices when unsecured PHI is breached
- Omnibus Rule: direct liability for business associates and their subcontractors
What Is HIPAA Compliance?
HIPAA is the Health Insurance Portability and Accountability Act, a U.S. federal law passed in 1996. The regulations issued under it set standards for critical aspects of healthcare data handling: patients' rights to privacy, the safeguards required to protect their health information, and the obligations a healthcare organization has when that information is breached, whether by an outside attacker or through its own error.
Central to these rules is data protection. The physical security of the systems that hold the data, the encryption used to protect it, and the procedures for documenting, transmitting and storing it are all within HIPAA's scope.
The rules are administered by the Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) enforces them, and they protect patient information in a world of electronic record keeping, digital data transfer and, more recently, cloud services.
Who is required to follow HIPAA requirements?
Organizations must comply with HIPAA so that sensitive patient health data is protected and not disclosed to unauthorized individuals or entities. HIPAA also limits how the data may be used, so that it is used only for permitted purposes and not used or disclosed for any other purpose.
HIPAA applies directly to covered entities and their business associates:
- Health Insurance Companies and other health plans
- Healthcare Clearinghouses
- Healthcare Providers (hospitals, doctors, dentists, long-term care facilities, etc.)
- Business Associates of Covered Entities (such as billing companies, document storage companies and cloud hosting providers)
Other organizations are covered only to the extent that they act in one of those capacities. Research institutions, public health authorities, and schools and universities are subject to HIPAA for the parts of their operation that function as a health plan or healthcare provider (a university hospital or student health plan, for example), or that handle PHI as a business associate.
The need for HIPAA compliance
HIPAA compliance is necessary to ensure the security of confidential healthcare information. It is a federal law that requires organizations, such as healthcare providers, to maintain the privacy and security of their patients’ data. Compliance with these standards is necessary for the protection of sensitive data, such as patient medical records, health insurance information, and other personally identifiable information.
If organizations are not HIPAA compliant, they can face serious penalties. HHS OCR can impose corrective action plans and civil money penalties, and the Department of Justice can bring criminal charges. Examples of HIPAA penalties (the civil amounts are the original statutory figures, which are adjusted upward for inflation each year):
- civil penalties from $100 to $50,000 per violation, depending on the level of culpability, capped at $1.5 million per calendar year for violations of an identical provision;
- up to $50,000 and one year in prison for knowingly obtaining or disclosing individually identifiable health information;
- up to $100,000 and five years in prison if the offense is committed under false pretenses; and
- up to $250,000 and ten years in prison if it is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.
Why are these penalties so high? If a patient’s records are stolen, the patient’s privacy may be violated. Stolen records can be used to commit identity theft or financial fraud, leading to financial losses or the unauthorized use of benefits. Intercepted sensitive medical information can also be used to blackmail the patient or to target them for harassment.
Who Needs To Be HIPAA Compliant?
HIPAA compliance applies to any covered entity or business associate that creates, receives, maintains or transmits protected health information (PHI), including electronic PHI (ePHI). This includes healthcare providers such as doctors and hospitals, health plans and health insurance companies, and healthcare clearinghouses. It also applies to business associates, such as third-party billing companies, transcriptionists, IT service providers and cloud hosting providers, that handle PHI on a covered entity's behalf.
Organizations that never handle PHI on behalf of a covered entity, such as retailers and restaurants, do not need to become HIPAA compliant. But an organization outside healthcare becomes a business associate, with HIPAA obligations of its own, as soon as it provides a service such as cloud storage for a covered entity's PHI, and it must sign a business associate agreement before it receives that data.
Some Important HIPAA Regulatory and Compliance Terms
To understand what compliance is and who it applies to, it’s important to know a few key terms:
- Covered Entity. Health plans, healthcare clearinghouses, and healthcare providers (hospitals, doctors, clinics) that transmit health information electronically in connection with standard transactions such as insurance claims.
- Business Associate. A person or organization outside a covered entity's workforce that creates, receives, maintains or transmits PHI on the covered entity's behalf, typically through technology products, consulting, financial administration, data analysis or other services.
- Protected Health Information (PHI) and electronic PHI (ePHI). PHI is individually identifiable health information held by a covered entity or business associate, in any form. ePHI is PHI that is created, stored or transmitted electronically. The Privacy Rule covers all PHI; the Security Rule covers ePHI.
What Are the Four Main HIPAA Rules and How Do They Impact Compliance?
Four primary rules define the structure and meaning of everything related to compliance requirements:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Omnibus Rule
Each rule provides a framework for one aspect of compliance and informs critical aspects of the other rules.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes the national standard for patients' rights over their health information. It defines what protected health information is, when it may and may not be used or disclosed, what rights patients have to see and amend it, and the "minimum necessary" principle that limits each use or disclosure to what its purpose requires.
The Privacy Rule also requires the paperwork that goes with this: a notice of privacy practices, patient authorizations for uses the rule does not otherwise permit, and business associate agreements with the vendors that handle PHI.
Under this rule, any individually identifiable health information held by a covered entity or its business associates is protected health information. It includes:
- Documentation of a patient's past, present or future physical or mental health condition
- Records about the provision of health care to the patient
- Records of past, present or future payment for that care
The rule permits covered entities to use and disclose PHI without the patient's authorization for treatment, payment and healthcare operations, and for a defined list of other purposes such as public health reporting or responding to a court order. Anything outside those permissions requires the patient's written authorization, and the permitted categories are drawn narrowly and interpreted strictly.
The rule of thumb is that the Covered Entity and its Business Associates have an affirmative obligation to protect PHI; disclosure is the exception that has to be justified.
The HIPAA Security Rule
With the definition of privacy and PHI in place, the next step is protecting the electronic form of that data. The HIPAA Security Rule established the national standards for the safeguards required to protect ePHI. These extend across the entire operation of the covered entity: technology, administration, physical protection of computers and devices, and anything else that could affect the confidentiality, integrity or availability of ePHI.
The controls in this rule are organized into three groups of safeguards:
- Administrative. Policies and procedures that govern ePHI, starting with a risk analysis and a risk management process, plus an assigned security official, workforce security and access management, security awareness training, security incident procedures, a contingency plan, periodic evaluation, and business associate contracts. Human Resources functions such as sanctions and employee training fall here.
- Physical. Safeguards for the facilities and equipment that hold ePHI, including workstations, servers, routers, switches and storage media: facility access controls, workstation use and security rules, and procedures for the receipt, movement, reuse and disposal of devices and media. Covered entities must keep premises where only authorized individuals can reach the data.
- Technical. The technology controls on the systems that store and transmit ePHI: access control (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls that record and examine system activity, integrity controls against improper alteration or destruction, person or entity authentication, and transmission security. Each specification is either "required" or "addressable"; an addressable one such as encryption may be met with a documented, equivalent alternative, but it may never simply be skipped.
The HIPAA Breach Notification Rule
The Breach Notification Rule specifies what happens when a breach of unsecured PHI occurs. No control is 100% effective, so organizations need plans in place to notify affected individuals, HHS and, in larger incidents, the public about what happened and what to do next. PHI that was encrypted or destroyed according to HHS guidance is not "unsecured", so its loss is not a reportable breach; this is the main practical reason encryption of devices and media matters so much.
The rule defines the steps a Covered Entity must take after discovering a breach to stay in compliance:
- Notify the individuals affected. Covered entities must give them written notice by first-class mail, or by email if the individual has agreed to receive notices electronically.
- If contact information is missing or out of date for 10 or more affected individuals, provide substitute notice, either by a conspicuous posting on the entity's website for 90 days or through major print or broadcast media where those individuals likely reside, in both cases with a toll-free number staffed for at least 90 days.
- Provide individual notice without unreasonable delay and no later than 60 calendar days after the breach is discovered.
- If the breach affects more than 500 residents of a State or jurisdiction, also notify prominent media outlets serving that area, within the same 60 days.
- Notify the Secretary of HHS within the same 60 days if the breach affects 500 or more individuals. Smaller breaches are logged and reported to the Secretary no later than 60 days after the end of the calendar year in which they were discovered.
A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery; the covered entity then owes the notifications above for that breach.
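The thresholds and deadlines above form a small decision procedure, and it is easy to mix up the two 500 thresholds: the media notice counts residents of one State, the notice to HHS counts everyone affected. The following Python is an added example, not part of the original article or of any Kiteworks product, that encodes those triggers for a breach record. The data model and the safe-harbor flag are assumptions made for the demonstration, and the determination that an incident is a reportable breach at all (the rule's four-factor risk assessment) is a human decision made before this function runs.

```python
"""Breach Notification Rule planner (added example, not from the original article).

Given a breach record, returns which notices are required and by when:
individual notice within 60 calendar days of discovery, substitute notice when
contact details are missing for 10 or more individuals, media notice for each
State with more than 500 affected residents, and notice to the HHS Secretary
either within the same 60 days (500 or more individuals in total) or in the
annual log due 60 days after the end of the calendar year (fewer than 500).
The data model is an assumption made for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_DEADLINE_DAYS = 60        # outer limit; "without unreasonable delay" still applies
SUBSTITUTE_NOTICE_MIN = 10       # 10 or more individuals with unusable contact details
MEDIA_NOTICE_MORE_THAN = 500     # more than 500 residents of one State or jurisdiction
HHS_IMMEDIATE_MIN = 500          # 500 or more individuals in total


@dataclass(frozen=True)
class Affected:
    state: str                   # State or jurisdiction of residence
    contact_ok: bool = True      # False when the address or email is missing or out of date


@dataclass
class Breach:
    discovered: date
    affected: list
    # Safe harbor: PHI encrypted or destroyed per HHS guidance is not "unsecured PHI".
    # Whether an incident is a reportable breach (the four-factor risk assessment)
    # is decided by people before this record is built.
    secured_per_hhs_guidance: bool = False


def notification_plan(breach: Breach) -> dict:
    """Return {"individual", "substitute", "hhs": date or None, "media": {state: date}}."""
    plan = {"individual": None, "substitute": None, "hhs": None, "media": {}}
    if breach.secured_per_hhs_guidance:
        return plan                          # nothing to notify; keep the risk assessment on file

    deadline = breach.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    plan["individual"] = deadline

    unreachable = sum(1 for p in breach.affected if not p.contact_ok)
    if unreachable >= SUBSTITUTE_NOTICE_MIN:
        plan["substitute"] = deadline        # website posting or major media, plus a toll-free number

    per_state = Counter(p.state for p in breach.affected)
    plan["media"] = {s: deadline for s, n in per_state.items() if n > MEDIA_NOTICE_MORE_THAN}

    if len(breach.affected) >= HHS_IMMEDIATE_MIN:
        plan["hhs"] = deadline
    else:
        year_end = date(breach.discovered.year, 12, 31)
        plan["hhs"] = year_end + timedelta(days=NOTICE_DEADLINE_DAYS)   # annual log of small breaches
    return plan


def large_multistate_breach() -> Breach:
    """Constructed sample: 600 Texas residents plus 12 Oklahoma residents with bad addresses."""
    return Breach(date(2023, 3, 10),
                  [Affected("TX")] * 600 + [Affected("OK", contact_ok=False)] * 12)


def small_breach() -> Breach:
    """Constructed sample: 40 California residents, all reachable."""
    return Breach(date(2023, 11, 2), [Affected("CA")] * 40)


if __name__ == "__main__":
    for b in (large_multistate_breach(), small_breach()):
        print(notification_plan(b))
```

For the large sample the function returns the same 60-day deadline for individual, substitute, media (Texas only, since Oklahoma has 12 residents) and HHS notice; for the small sample the individual deadline falls in early January and the HHS entry lands in the annual log due 60 days after December 31.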
The HIPAA Omnibus Rule
The most recent of the four, the 2013 Omnibus Rule implemented the HITECH Act and extended HIPAA's reach beyond Covered Entities.
In short, the Omnibus Rule made Business Associates and their subcontractors directly liable for complying with the Security Rule and with the applicable parts of the Privacy Rule. Covered Entities remain responsible for having business associate agreements in place and can be liable for the acts of business associates acting as their agents, so they need to update their gap analysis, risk assessment and compliance procedures to account for their vendors.
HIPAA IT Compliance
HIPAA compliance and HIPAA IT compliance differ in scope.
HIPAA compliance is a set of rules and regulations set forth by the U.S. Department of Health and Human Services (HHS) to protect the privacy, security, and integrity of patients’ sensitive health information. This includes requirements for administrative, physical, and technical safeguards, such as the implementation of policies, procedures, and security measures.
HIPAA IT compliance, by contrast, refers to the technical side of the HIPAA Security Rule: implementing, maintaining and monitoring the technical safeguards for electronic protected health information (ePHI). This includes strong authentication and access control, periodic security risk assessments, audit logging, and encryption of stored and transmitted data.
Is there a specific HIPAA compliance checklist for IT?
Some IT organizations must be HIPAA compliant because, as business associates, they handle sensitive or confidential data that is protected by HIPAA. They must take the necessary steps to bring their systems and procedures into line with the regulations.
IT organizations should consider these checklist items to demonstrate HIPAA IT compliance:
- Designate a security official responsible for developing and implementing the security policies and procedures (the Privacy Rule separately requires a privacy official).
- Identify and classify all data that falls under HIPAA, including where ePHI is created, received, stored and transmitted.
- Educate all staff on HIPAA laws and regulations.
- Establish and document administrative, technical, and physical policies and processes as they relate to HIPAA.
- Equip all computers and workstations with security controls sufficient to prevent unauthorized access, such as unique logins, automatic logoff and endpoint encryption.
- Securely store all documents containing protected health information and limit access to authorized personnel only.
- Use encryption where appropriate to protect data at rest and in transit.
- Practice secure web browsing and use email security software.
- Properly dispose of documents and media containing patient data: shred, burn, pulp or pulverize paper, and clear, purge or physically destroy electronic media before reuse or disposal.
- Establish and maintain procedures for handling security breaches and unauthorized access attempts.
- Regularly review and monitor access logs for any potential unauthorized access.
- Implement comprehensive user logging and auditing procedures.
- Develop and implement a data backup plan that keeps retrievable, exact copies of ePHI.
- Develop and maintain a contingency plan, including disaster recovery and emergency mode operation procedures.
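The items above on reviewing access logs and maintaining auditing procedures are where most ePHI snooping is actually caught, but only if the review asks concrete questions. The following Python is an added example, not code from the article or from Kiteworks, that runs three such checks over a constructed access-log export: a chart opened by a clinical user with no documented treatment relationship, break-glass (emergency) access that is permitted but must be reviewed afterward, and a user opening an unusual number of distinct charts within one hour. The log columns, the care-team roster, the role names and the thresholds are all assumptions made for the demonstration.

```python
"""Review of an ePHI access log (added example; not from the original article).

Loads an access-log export, sorts it by time, and flags:
  NO_RELATIONSHIP  a clinical user opened a chart with no documented treatment relationship
  BREAK_GLASS      emergency access was used; allowed, but every use must be reviewed
  HIGH_VOLUME      a user opened more distinct charts in one hour than their role normally does
Log layout, roster, roles and thresholds are constructed for the demonstration.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed export: who opened which chart, when, and how.
SAMPLE_LOG = """\
ts,user,role,patient,action
2024-05-06T08:02:11,dr.amin,physician,P1001,view
2024-05-06T08:05:40,dr.amin,physician,P1002,view
2024-05-06T08:07:03,nurse.lee,nurse,P1001,view
2024-05-06T13:01:00,clerk.ray,registration,P3001,view
2024-05-06T13:01:09,clerk.ray,registration,P3002,view
2024-05-06T13:02:30,clerk.ray,registration,P3003,view
2024-05-06T21:10:00,nurse.lee,nurse,P2001,view
2024-05-06T21:12:00,nurse.lee,nurse,P2002,view
2024-05-06T21:13:00,nurse.lee,nurse,P2003,view
2024-05-06T21:15:00,nurse.lee,nurse,P2004,view
2024-05-06T21:18:00,nurse.lee,nurse,P2005,view
2024-05-06T21:20:00,nurse.lee,nurse,P2006,view
2024-05-06T23:40:00,dr.amin,physician,P1003,break_glass
2024-05-06T23:41:30,dr.amin,physician,P1003,view
"""

# Constructed roster: patient -> users with a documented treatment relationship.
CARE_TEAM = {
    "P1001": {"dr.amin", "nurse.lee"},
    "P1002": {"dr.amin"},
    "P1003": {"dr.patel"},
}

BROAD_ACCESS_ROLES = {"registration", "billing"}   # roles that legitimately touch many charts
HOURLY_CHART_LIMIT = {"registration": 200, "billing": 200}
DEFAULT_HOURLY_CHART_LIMIT = 5                       # assumed baseline for clinical roles
BREAK_GLASS_WINDOW = timedelta(hours=4)              # assumed: how long one emergency access covers


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def _finding(kind: str, r: dict) -> dict:
    return {"type": kind, "user": r["user"], "patient": r["patient"], "ts": r["ts"]}


def review(log_text: str = SAMPLE_LOG, care_team: dict = CARE_TEAM) -> list:
    findings = []
    grants = {}                       # (user, patient) -> time break-glass was invoked
    per_hour = defaultdict(set)       # (user, role, hour) -> distinct charts opened
    for r in parse_log(log_text):
        user, role, patient, ts = r["user"], r["role"], r["patient"], r["ts"]
        per_hour[(user, role, ts.replace(minute=0, second=0, microsecond=0))].add(patient)
        if r["action"] == "break_glass":
            grants[(user, patient)] = ts
            findings.append(_finding("BREAK_GLASS", r))
            continue
        if role in BROAD_ACCESS_ROLES or user in care_team.get(patient, set()):
            continue
        granted = grants.get((user, patient))
        if granted is not None and ts - granted <= BREAK_GLASS_WINDOW:
            continue                  # covered by the break-glass event already queued for review
        findings.append(_finding("NO_RELATIONSHIP", r))
    for (user, role, hour), charts in per_hour.items():
        if len(charts) > HOURLY_CHART_LIMIT.get(role, DEFAULT_HOURLY_CHART_LIMIT):
            findings.append({"type": "HIGH_VOLUME", "user": user, "patient": None,
                             "ts": hour, "count": len(charts)})
    return findings


def summarize(findings: list) -> Counter:
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    results = review()
    print(summarize(results))
    for f in results:
        print(f)
```

On the sample, the registration clerk's three lookups raise nothing because that role is exempt from the relationship check and well under its hourly limit, the physician's emergency access produces one BREAK_GLASS item and suppresses a duplicate finding for the chart view that follows it, and the nurse's six out-of-team charts in one evening hour produce six NO_RELATIONSHIP findings plus one HIGH_VOLUME finding. In production the roster would come from the EHR's encounter data and the thresholds from a baseline per role, but the review questions are the same.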
HIPAA Compliance Resources
To learn more about HIPAA and HIPAA compliance requirements, be sure to visit these resources:
- HHS.gov website
- HIPAA Journal website
- HHS Office for Civil Rights
- Centers for Medicare & Medicaid Services
- National Institute of Standards and Technology
- HHS Security Management Guidelines
- HIPAA Security Rule
- HIPAA Privacy Rule
- National Institute of Standards and Technology (NIST) Special Publications
- HITECH Act (breach notification and enforcement provisions)
Getting started with HIPAA compliance
If you’re new to HIPAA compliance, here are some steps your organization can take to start becoming HIPAA compliant:
- Develop a HIPAA security and privacy compliance plan.
- Develop policies and procedures for handling and protecting protected health information (PHI).
- Implement physical, administrative, and technical safeguards to protect PHI.
- Train staff on HIPAA best practices and protocols.
- Have employees sign HIPAA acknowledgments and confirm they understand their responsibilities and obligations.
- Ensure that business associates, vendors, and contractors have signed business associate agreements (BAAs) and are in compliance with HIPAA regulations.
- Implement procedures for regularly reviewing, auditing, and updating HIPAA compliance.
- Record and document all PHI security and privacy measures.
- Have an incident response plan in place in case of a breach or data loss.
- Monitor the security of PHI regularly and ensure complete compliance with HIPAA regulations.
What Is HITECH and How Does It Relate to HIPAA Compliance?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 as part of the American Recovery and Reinvestment Act, and it shapes HIPAA compliance requirements to this day. It amended the Social Security Act to fund Medicare and Medicaid incentive payments for electronic health record adoption, and it strengthened HIPAA's privacy and security provisions.
Before HITECH, only about 10% of hospitals used electronic health records (EHR). HITECH was central to pushing hospitals toward electronic record keeping: it paid incentives for adopting certified EHR technology and, because electronic records are ePHI, brought far more data under the HIPAA Security Rule.
By 2017, in no small part thanks to HITECH, EHR adoption had reached 86%.
HITECH also shifted responsibility for HIPAA compliance. It made Business Associates directly liable for violations of the Security Rule and of the terms of their business associate agreement (BAA) with a Covered Entity, and it created the Breach Notification Rule.
HITECH also raised the penalty tiers for violations, required HHS to investigate and penalize willful neglect, and authorized state attorneys general to bring civil actions for HIPAA violations, giving organizations stronger reasons to stay in compliance.
What Are HIPAA Violations?
Compliance means staying within the Privacy, Security and Breach Notification Rules. An organization that does not meet these standards is in violation of HIPAA. Common categories of violation include:
- The unlawful exposure of ePHI to unauthorized parties, whether willfully or accidentally.
- Failure to implement proper security protocols as outlined by the HIPAA Security Rule.
- Lack of proper administrative or training protocols meeting requirements.
- Failure to properly notify affected parties and public officials following relevant data breaches.
- Lack of willingness to update, upgrade or address existing compliance gaps.
With that in mind, HIPAA breaks violations down into two groups: civil and criminal.
- Civil violations are non-compliance incidents without criminal intent, such as neglect or lack of awareness. Civil money penalties are tiered by culpability (original statutory amounts, adjusted for inflation every year since 2015):
- Did not know, and could not reasonably have known, of the violation: $100 to $50,000 per violation.
- Reasonable cause, not willful neglect: $1,000 to $50,000 per violation.
- Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation.
- Willful neglect not corrected within 30 days: $50,000 per violation. All four tiers share an annual cap of $1.5 million for violations of an identical provision.
- Criminal violations are those committed knowingly, for example theft, fraud or sale of records. Penalties here are:
- Knowingly obtaining or disclosing individually identifiable health information: up to $50,000 and one year in prison.
- Doing so under false pretenses: up to $100,000 and five years in prison.
- Doing so with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm: up to $250,000 and up to ten years in prison.
Numerous and repeated violations can cost organizations millions of dollars a year.
Common examples of violations include:
Fraud. The most direct violation is theft of ePHI for profit or gain, by outside attackers or by insiders. Hacking and IT incidents account for most of the large breaches reported to OCR in recent years, and the attack surface grows as hospitals and healthcare networks move to cloud services and rely on third-party providers whose controls they have not verified.
Lost or stolen devices. When records lived on desktop workstations, device theft was a smaller exposure. As clinics and hospitals move to laptops, tablets and smartphones, devices holding ePHI increasingly end up in the wrong hands, and a lost device whose storage was not encrypted is a reportable breach.
Lack of protection. The Security Rule requires a risk analysis and safeguards such as access control, audit logging and transmission security, and it treats encryption as an addressable specification that must either be implemented or replaced with a documented equivalent. Many organizations misunderstand these requirements, or rely on a business associate they believe is compliant but is not.
Unauthorized access and transmission. Whether it is an authorized user passing data to an unauthorized one, or ePHI sent from unencrypted devices or over plain email, it is easy for untrained workers to access or transmit ePHI improperly. Security providers such as Kiteworks offer enterprise content firewalls built to satisfy HIPAA requirements while allowing communication between covered entities, business associates and patients.
It’s important to note that accidentally accessing unauthorized data is easy when, during emergencies or any other situation where time is of the essence, doctors or other workers need to share information fast. In fact, accidental disclosure of PHI is the most common form of violation, which is why there is an entire category of lower-end penalties to cover it.
Checklist to Avoid HIPAA Violations
The simplest way to avoid violations is to stay compliant across your organization. Here’s a quick compliance requirements checklist:
- Ensure that your administrative efforts are in line with the Privacy and Security rules, including training and personnel management. Have a data access and governance policy in place to support enforcement of these rules.
- Maintain compliant security technologies, including encryption for data-in-transit, in-use, and at-rest. Enforce data access policies across your system through centralized data access controls.
- Track and protect mobile devices so that they do not end up in unauthorized hands, and that all data contained in them is properly encrypted. Implement remote wipes to destroy PHI that is stolen, or simply avoid storing PHI on mobile devices in the first place.
- Keep all software patched and up to date to maintain compliance and security.
- Audit all Business Associates and contractors to make sure that they are also compliant and in accordance with your BAA, especially if there is any chance that they will handle ePHI.
- Work with technology and security vendors with expertise in compliance. These companies can provide cloud tech, secure file transfers, and security software that matches requirements.
- Perform the necessary audits required for your specific operation in a regulated environment, including the use and maintenance of an unbroken audit trail of data access and other events related to PHI.
- Assign a HIPAA Compliance Officer to manage your compliance efforts across your organization.
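The checklist item on an unbroken audit trail is only meaningful if the trail itself can be shown not to have been altered, since the people most able to edit a log are the privileged users it is supposed to watch. The following Python is an added example, not Kiteworks code and not from the original article, showing one standard way to make an access log tamper-evident: each entry carries an HMAC over the previous entry's tag and its own canonical content, so editing, reordering or deleting a record breaks verification from that point on. The key, the entry fields and the sample events are assumptions made for the demonstration; in practice the key would live in a KMS or HSM that the log writers cannot read.

```python
"""Tamper-evident audit trail (added example; not Kiteworks code or from the article).

Every entry carries an HMAC-SHA256 tag over the previous entry's tag plus the
canonical JSON of the entry, keyed with a secret held only by the logging
service. Editing, reordering or deleting a record then breaks verification at
that point. Deleting records from the end is invisible to the chain alone, so
the latest tag must be anchored somewhere the log writer cannot change; the
final_tag argument to verify() models that anchor. Key and events are constructed.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32          # previous-tag value for the first entry


def canonical(event: dict) -> bytes:
    """Stable byte form of an entry's fields, excluding the tag itself."""
    fields = {k: v for k, v in event.items() if k != "tag"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self._last = GENESIS
        self.entries = []

    def append(self, event: dict) -> dict:
        tag = hmac.new(self._key, self._last + canonical(event), hashlib.sha256).digest()
        entry = dict(event, tag=tag.hex())
        self.entries.append(entry)
        self._last = tag
        return entry

    @property
    def last_tag(self) -> str:
        """The value to anchor externally (e.g. in a WORM store) after each batch."""
        return self._last.hex()


def verify(entries: list, key: bytes, final_tag: Optional[str] = None):
    """Return None if the chain is intact, else the index of the first entry that fails.
    With final_tag (the anchored latest tag), a truncated chain fails at len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = hmac.new(key, prev + canonical(e), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), str(e.get("tag", ""))):
            return i
        prev = expected
    if final_tag is not None and prev.hex() != final_tag:
        return len(entries)
    return None


DEMO_KEY = b"demo-only-key; a real one lives in a KMS or HSM"   # constructed

SAMPLE_EVENTS = [  # constructed ePHI access events
    {"ts": "2024-05-06T08:02:11", "user": "dr.amin", "patient": "P1001", "action": "view"},
    {"ts": "2024-05-06T08:07:03", "user": "nurse.lee", "patient": "P1001", "action": "view"},
    {"ts": "2024-05-06T09:30:45", "user": "clerk.ray", "patient": "P3001", "action": "export"},
]


def build_trail(key: bytes = DEMO_KEY, events: list = SAMPLE_EVENTS) -> AuditTrail:
    trail = AuditTrail(key)
    for ev in events:
        trail.append(ev)
    return trail


if __name__ == "__main__":
    trail = build_trail()
    print("intact:", verify(trail.entries, DEMO_KEY))
    edited = [dict(e) for e in trail.entries]
    edited[1]["user"] = "someone.else"             # rewrite who looked at the chart
    print("edited entry detected at index:", verify(edited, DEMO_KEY))
```

Verification returns None for the untouched trail, the index of the first modified or out-of-order entry otherwise, and, when the anchored final tag is supplied, the length of a chain that has had entries removed from its end. The chain proves integrity, not completeness of collection: an event that was never written is not detected, which is why the log writer and the key holder should be separate components.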
Stay HIPAA Compliant with Kiteworks Security and File Transfer Services
Kiteworks is a cloud and on-premises services provider that supports secure managed file transfer, HIPAA compliant email, data management and security, auditing and encryption technology that meets or exceeds HIPAA requirements for healthcare organizations. Kiteworks offers enterprise security features such as:
- One-click auditing and reporting with a complete, unified and unbroken audit trail of critical data access events.
- Encryption of content in transit and at rest, and additional security measures like key rotation, session timeouts, integrity checks, and anti-virus
- Compliant reporting, administrative safeguards, security policy controls for data and account access
- SOC 2 attestations and physical safeguards for the AWS and Azure hosting environments
- AES-256 and TLS 1.2 encryption
- Enterprise content firewall for protecting data on an internal network
- Threat detection, mitigation, and forensics via comprehensive, unified logging, CISO Dashboard analytics, and exports to your SIEM
We also bring years of experience in HIPAA-related compliance to help your organization better serve patients and their data.
To learn how Kiteworks can help keep you HIPAA compliant, schedule a custom demo of Kiteworks today.