Everything You Need to Know About HIPAA Compliance [Complete Checklist]
HIPAA penalties are brutal but following HIPAA compliance requirements will help you avoid them. Here is a complete step-by-step checklist to HIPAA compliance.
HIPAA compliance requirements include the following:
- Privacy: patients’ rights to protected health information (PHI)
- Security: physical, technical and administrative security measures
- Enforcement: investigations into a breach
- Breach Notification: required steps if a breach occurs
- Omnibus: compliant business associates
What Is HIPAA Compliance?
HIPAA is a framework developed in 1996 to outline an organization’s legal obligations to specific regulations in the Health Insurance Portability and Accountability Act. These regulations set standards for critical aspects of healthcare data management, including the right of patients to have privacy, the necessity for appropriate security controls to protect private data, and the requirements healthcare organizations have if that data has been breached by a malicious third party.
Important to this framework is the notion of data protection. The physical security of data, encryption standards used to protect that data, and the procedures used to document, transmit, and store data are all critical parts of HIPAA and its underlying requirements.
Managed by the Department of Health and Human Services and the Office for Civil Rights, regulations exist to ensure the confidentiality of the private patient information in a world of electronic record keeping, digital data transfer, and (more recently) cloud services.
Who Is Required to Follow HIPAA Requirements?
Organizations must comply with HIPAA to ensure that sensitive patient health data is secure and not disclosed to unauthorized individuals or entities. HIPAA also provides safeguards that help ensure that the data is used only for the purpose intended and not used or disclosed for any other purpose.
Types of businesses that must comply with HIPAA are:
- Health Insurance Companies
- Healthcare Clearinghouses
- Healthcare Providers (hospitals, doctors, dentists, etc.)
- Business Associates of Covered Entities (such as billing companies and document storage companies)
- Long-term Care Facilities
- Research Institutions
- Public Health Authorities
- Schools and Universities
The Need for HIPAA Compliance
HIPAA compliance is necessary to ensure the security of confidential healthcare information. It is a federal law that requires organizations, such as healthcare providers, to maintain the privacy and security of their patients’ data. Compliance with these standards is necessary for the protection of sensitive data, such as patient medical records, health insurance information, and other personally identifiable information (PII) and protected health information (PHI).
If businesses are not HIPAA compliant, they can face serious penalties. The U.S. Department of Health and Human Services Office for Civil Rights can issue sanctions that include fines and penalties, corrective action plans, and civil money penalties. Additionally, businesses can be subject to criminal charges. Examples of HIPAA compliance violation fines include:
- Up to $1.5 million for a single violation and up to $15 million for multiple violations in a calendar year
- Up to $50,000 per violation for the knowing misuse of patient information
- Up to $100 per violation for failure to provide a patient an access request
- Up to $250,000 or up to 1 year of jail time or both for obtaining or disclosing identifiable health information without authorization
Why are these penalties so high? If a patient’s records are stolen, the patient’s privacy may be violated. Stolen records can be used to commit identity theft or financial fraud, leading to financial losses or the unauthorized use of benefits. Intercepted sensitive medical information can also be used to blackmail the patient or to target them for harassment.
Who Needs To Be HIPAA Compliant?
HIPAA compliance is applicable to any organization or individual that creates, receives, maintains, or transmits electronical protected health information (ePHI). This includes healthcare providers such as doctors and hospitals, health plans, health insurance companies, and any other organization that deals with the healthcare industry. It also applies to business associates, such as third-party billing companies, transcriptionists, and IT service providers. Ultimately, any entity that stores, transmits, or processes ePHI must comply with HIPAA regulations. This lengthy healthcare supply chain can create significant risk.
Organizations that do not create, receive, maintain, or transmit ePHI do not need to become HIPAA compliant. Examples include retailers and restaurants. However, even organizations that are not directly involved in healthcare may be subject to HIPAA requirements—for instance, if they provide services such as cloud storage for healthcare-related information.
Some Important HIPAA Regulatory and Compliance Terms
To understand what compliance is and who it applies to, it’s important to know a few key terms:
These are the hospitals, doctors, clinics, insurance agencies, or anyone that regularly works with patients and their private data.
Service providers that work closely with Covered Entities without directly working with patients. Business associates often handle private data because of their technology products, consulting, financial administration, data analysis, or other services.
Electronic Personal Health Information (ePHI)
ePHI is the legal name of private patient data stored and transmitted through electronic means. All privacy, security, and reporting rules refer to the protection and management of ePHI.
What Are the 4 Main HIPAA Rules and How Do They Impact Compliance?
Four primary rules define the structure and meaning of everything related to compliance requirements:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Omnibus Rule
Each rule provides a framework for one aspect of compliance and informs critical aspects of the other rules.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes the national standard for patients’ rights to privacy and private information. Furthermore, it sets up the framework that dictates what ePHI is, how it must be protected, how it can and cannot be used, and how it can be transmitted and stored.
An additional part of the Privacy Rule is the paperwork and waivers it requires for entities handling ePHI.
In this rule, ePHI is defined that any identifiable patient data is subject to privacy covered by the covered entity or any business associated. This is what is called “protected health information” and includes:
- Any past, present, or future documentation on physical or mental conditions
- Any records about the care of the patient
- And records referencing past, present, or future payments for healthcare
The rule states that the only scenarios where covered entities can disclose private health information involve very specific care, research, or legal situations. These situations are themselves incredibly narrow and subject to interpretation in a court of law.
The best rule of thumb is that when it comes to ePHI privacy, the Covered Entity and their Business Associates have an obligation to protect it.
HIPAA Privacy Rule Checklist
This HIPAA Privacy Rule Checklist includes 10 essential steps that healthcare organizations and their business associates must take to ensure compliance with the HIPAA Privacy Rule. From designating a privacy officer to establishing protocols for disclosing PHI to third parties, this checklist covers all the necessary aspects of protecting patients’ sensitive health information. Adherence to these guidelines will not only help organizations avoid HIPAA violations (and subsequent fines, penalties, and litigation), but also build patients’ trust and confidence in the healthcare system. They include:
- Designate a privacy officer
- Develop and implement written policies and procedures
- Provide training to workforce members
- Obtain patient consent for certain disclosures
- Maintain appropriate safeguards for protected health information (PHI)
- Implement a system for reviewing and verifying requests for PHI
- Respond to patient requests for access to PHI
- Notify patients in the event of a breach of unsecured PHI
- Assign unique identifiers to individuals and groups
- Establish protocols for disclosing PHI to business associates and other third parties
The HIPAA Security Rule
With the definition of privacy and ePHI in place, the next step is protecting that data. The HIPAA Security Rule established the national standards for the mechanisms required to protect ePHI data. These mechanisms extend across the entire operation of the covered entity, including technology, administration, physical safeguards for computers and devices, and anything that could impact the safety of ePHI.
The controls outlined in this rule are organized into three groups of safeguards:
1. Administrative Tasks for HIPAA Compliance
This includes policies and procedures that impact ePHI as well as the technologies, system design, risk management, and maintenance related to all other security measures. It also includes aspects of healthcare administration like Human Resources and employee training.
2. Physical for HIPAA Compliance
Physical safeguards secure the access to physical equipment—including computers, routers, switches, and data storage. Covered entities are required to maintain secure premises where only authorized individuals can access data.
3. Technical for HIPAA Compliance
Cybersecurity includes computers, mobile devices, encryption, network security, device security, and anything related to the actual technology of storing and communicating ePHI.
HIPAA Security Rule Checklist
The HIPAA Security Rule Checklist covers 10 key areas that organizations must address to safeguard electronic protected health information (ePHI). From performing risk assessments to establishing contingency plans for emergencies, this comprehensive checklist is designed to help organizations ensure compliance with HIPAA security standards and protect sensitive patient data from potential threats and vulnerabilities.
- Conducting a risk analysis to identify potential threats and vulnerabilities
- Implementing policies and procedures for maintaining and monitoring the security of electronic protected health information (ePHI)
- Limiting access to ePHI to only authorized individuals who require access to perform their job functions
- Ensuring that all ePHI is encrypted and stored securely
- Implementing procedures for responding to security incidents and breaches
- Training all workforce members on HIPAA security policies and procedures
- Regularly reviewing and updating security measures to ensure they are current and effective
- Establishing a contingency plan for disasters or other emergencies that may impact ePHI
- Ensuring that all third-party vendors and contractors comply with HIPAA security requirements
- Conducting regular audits and assessments to ensure compliance with HIPAA security standards
The HIPAA Breach Notification Rule
The Breach Notification Rule specifies what happens when a security breach occurs. It’s almost impossible to protect data with 100% effectiveness, and organizations need to have plans in place to notify the public, and victims of a HIPAA breach, about what has happened and what their next steps are.
The Breach Notification rule defines a series of steps any Covered Entity needs to take during a breach to stay in compliance, including:
- Notifying individuals impacted by a breach. Covered entities need to give victims formal, written notice of the breach, either by first-class mail or email (if applicable).
- If the Covered Entity doesn’t have contact information for more than 10 people in a breach, then they must provide alternative notice either through a posting on the website for 90 days or a notice in major print and broadcast news sources.
- The Entity must provide the notice no later than 60 days from the discovery of the breach.
- If the breach affects more than 500 individuals in a State or other jurisdiction, the Entity must provide prominent public notice of the breach through local media outlets.
- The Entity must additionally provide a Notice to the Secretary of Health within 60 days if the breach affects more than 500 people. If less, then the entity can update the Secretary by the end of the year.
These notification rules apply to any breaches made known to the Covered Entity by one of their business associates.
The HIPAA Omnibus Rule
A more recent rule, the Omnibus rule expands the reach of regulations to organizations outside of Covered Entities. In short, the Omnibus Rule states that compliance obligations cover the Business Associates and contractors. Accordingly, this means that Covered Entities are responsible for any potential violations of Business Associates and contractors, and need to update their gap analysis, risk assessment, and compliance procedures accordingly.
What Is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule is a set of regulations that provide guidelines for investigations and penalties for violations of the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The rule is designed to ensure that covered entities and business associates comply with HIPAA regulations and protect the privacy and security of patients’ protected health information (PHI). The Enforcement Rule also establishes procedures for responding to complaints and conducting investigations of alleged violations, including the imposition of civil monetary penalties and corrective action plans.
The Most Recent HIPAA Updates
The most recent updates to HIPAA were implemented in 2013 and 2016.
In 2013, the HIPAA Omnibus Rule was introduced, which made significant changes to the regulations governing how protected health information (PHI) is handled and protected. Some of the key changes included:
- Expanded protections for patient rights, including the right to access and receive copies of their PHI, and the right to request restrictions on the use or disclosure of their PHI
- Strengthened enforcement of HIPAA regulations, including increased fines for noncompliance and a requirement for business associates (third-party service providers) to comply with HIPAA regulations
- Updated definitions of key terms like “business associate” and “protected health information”
In 2016, the HIPAA Privacy Rule was modified to allow certain covered entities, such as healthcare providers or insurers, to disclose the names of individuals who have been identified as having a mental health condition to the National Instant Criminal Background Check System (NICS). This change was made in response to the 2012 shooting at Sandy Hook Elementary School, which prompted concerns about the ability of individuals with mental health issues to obtain firearms. However, the disclosure of this information is subject to certain limitations and protections, including requirements for the covered entity to obtain specific written consent from the individual before disclosing their information, and to provide certain disclosures to the individual about the potential consequences of such a disclosure.
HIPAA IT Compliance
HIPAA compliance and HIPAA IT compliance vary slightly.
HIPAA compliance is a set of rules and regulations set forth by the U.S. Department of Health and Human Services (HHS) to protect the privacy, security, and integrity of patients’ sensitive health information. This includes requirements for administrative, physical, and technical safeguards, such as the implementation of policies, procedures, and security measures.
HIPAA IT compliance, by contrast, refers to the technical aspects of the HIPAA Security Rule, specifically regarding the implementation, maintenance, and monitoring of technical safeguards for electronic protected health information (ePHI). This includes implementing strong authentication and access control measures, periodic security risk assessments, and encryption and security of stored data.
Is There a Specific HIPAA Compliance Checklist for IT?
Some IT organizations must be HIPAA compliant because they handle sensitive and/or confidential data that is protected by HIPAA. As such, IT organizations must take the necessary steps to ensure that their systems and procedures are compliant with HIPAA regulations.
IT organizations should consider these checklist Items to demonstrate HIPAA IT compliance:
- Have a dedicated HIPAA Privacy Officer responsible for developing and implementing security measures.
- Identify and classify all data that falls under the jurisdiction of HIPAA.
- Educate all staff on HIPAA laws and regulations.
- Establish and document administrative, technical, and physical policies and processes as they relate to HIPAA.
- Equip all computers and/or workstations with enough security measures to protect against unauthorized access.
- Securely store all documents containing protected health information and limit access to authorized personnel only.
- Use encryption software where appropriate to protect data at rest.
- Practice secure web browsing and use email security software.
- Properly dispose documents and records containing patient data; shredding or burning are the preferred, most secure methods.
- Establish and maintain procedures for handling security breaches and unauthorized access attempts.
- Regularly review and monitor access logs for any potential unauthorized access.
- Implement comprehensive user logging and auditing procedures.
- Develop and implement backup procedures that comply with HIPAA guidelines.
- Develop and maintain a contingency plan and disaster recovery system.
HIPAA Compliance Resources
To learn more about HIPAA and HIPAA compliance requirements, be sure to visit these resources:
- HHS.gov website
- HIPAA Journal website
- HHS Office for Civil Rights
- Centers for Medicare & Medicaid Services
- National Institute of Standards and Technology
- HHS Security Management Guidelines
- HIPAA Security Rule
- HIPAA Privacy Rule
- National Institute of Standards and Technology (NIST) Special Publications
- HITECH Security and Breach Notification Act
Getting Started With HIPAA Compliance
If you’re new to HIPAA compliance, here are some steps your organization can take to start becoming HIPAA compliant:
- Develop a HIPAA security and privacy compliance plan.
- Develop policies and procedures for handling and protecting protected health information (PHI).
- Implement physical, administrative, and technical safeguards to protect PHI.
- Train staff on HIPAA best practices and protocols.
- Have employees sign HIPAA acknowledgments and confirm they understand their responsibilities and obligations.
- Ensure that business associates, vendors, and contractors have signed business associate agreements (BAA) and are in compliance with HIPAA regulations.
- Implement procedures for regularly reviewing, auditing, and updating HIPAA compliance.
- Record and document all PHI security and privacy measures.
- Have an incident response plan in place in case of a breach or data loss.
- Monitor the security of PHI regularly and ensure complete compliance with HIPAA regulations.
What Is HITECH and How Does It Relate to HIPAA Compliance?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 and informs compliance requirements for all the years after. Critically, this act revised the legal requirements of healthcare organizations across several industries, including direct healthcare and social security.
Before HITECH, only 10% of hospitals used electronic health records (EHR). HITECH was a critical part of pushing hospitals to switch to electronic record keeping. In part, HITECH promoted the adoption of digital ePHI management technology and subsequent compliance with HIPAA regulations. This includes offering incentives for switching to digital technology.
By 2017, in no small part thanks to HITECH, the rate of EHR adoption was up to 86% by 2017.
HITECH also shifted some responsibility for HIPAA compliance. To encourage adoption of technology, the HITECH Act revised healthcare regulations so that Business Associates became directly responsible for violations, and that their responsibility would be outlined in a necessary business associate agreement (BAA) with a Covered Entity.
HITECH also increased penalties for violations and encouraged law enforcement to pursue violations more rigorously so organizations would stay in compliance.
What Are HIPAA Violations?
Compliance means staying within regulations stated in the Privacy, Security, and Breach Notification Rules. If an organization does not meet these standards to stay in compliance, then they are considered in violation of HIPAA.
- The unlawful exposure of ePHI to unauthorized parties, whether willfully or accidentally
- Failure to implement proper security protocols as outlined by the HIPAA Security Rule
- Lack of proper administrative or training protocols meeting requirements
- Failure to properly notify affected parties and public officials following relevant data breaches
- Lack of willingness to update, upgrade or address existing compliance gaps
With that in mind, HIPAA breaks violations down into two groups: civil and criminal.
- Civil violations are noncompliance incidents where noncompliance was accidental or without malicious intent. This includes events like neglect or lack of awareness. Penalties tend to be less for civil violations:
- For individuals that are unaware of violations, the fine is $100 per incident.
- For those with reasonable cause without neglect, the fine is a minimum of $1,000.
- Willful neglect carries a minimum fine of $10,000 per incident.
- Willful neglect, followed without an immediate rectification of the violation, results in a minimum fine of $50,000 per violation.
- Criminal violations are those committed with malicious intent, i.e., theft, profit, or fraud. Penalties here include:
- Knowingly obtaining or disclosing ePHI is up to $50,000 and 1 year in jail.
- Committing fraud as part of the violation is up to $100,000 and 5 years in jail.
- Committing violations with the intent to profit from the violation is up to $250,000 and up to 10 years in jail.
Numerous and repeated violations can cost organizations millions of dollars a year.
That being said, there are several common examples of violations:
Fraud. The most direct and obvious violation is when individuals steal ePHI for profit or gain. Hackers or insider operations are rare, but increasingly common as more hospitals and healthcare networks turn to cloud technology and rely on unproven service providers.
Lost or stolen devices. In the world of desktop workstations, technology theft was less common. As more clinics and hospitals turn to mobile devices like laptops, tablets, and smartphones, however, it’s more and more likely that these devices can end up in the wrong hands.
Lack of protection. The Security Rule defines the kinds of HIPAA encryption, firewalls, and other security measures that should be in place. Many organizations may not understand these, or they may work with a third-party associate who they believe is compliant but is not.
Unauthorized access across organizations. Whether it’s sharing data from an authorized to an unauthorized individual, or using unencrypted devices or email, it’s extremely easy for untrained workers to access or transmit ePHI improperly. In fact, accidental disclosure of PHI is the most common form of violation, which is why there is an entire category of lower-end penalties to cover it.
HIPAA Self-audit Checklist
By using a HIPAA self-audit checklist, healthcare organizations can identify potential areas of noncompliance and take corrective action before an audit by the Department of Health and Human Services (HHS) occurs. A self-audit can also help healthcare organizations avoid costly penalties and fines for HIPAA violations.
In addition, conducting a self-audit can help healthcare organizations establish best practices for HIPAA compliance and improve their overall data security posture. It can also help build trust with patients by demonstrating a commitment to protecting their sensitive information.
Using a HIPAA self-audit checklist is an important step in maintaining compliance with HIPAA regulations and protecting patient data.
Here’s a checklist to self-audit for HIPAA compliance:
- Determine the scope of the audit, including which entities and processes will be evaluated.
- Review policies and procedures to ensure compliance with HIPAA regulations.
- Verify that all workforce members have received HIPAA training and that training is up to date.
- Review access controls and verify that only authorized individuals have access to PHI.
- Evaluate physical safeguards, including access controls to facilities and workstations.
- Review technical safeguards, including access controls to systems, encryption of PHI, and password policies.
- Verify that business associate agreements are in place with all third-party vendors that have access to PHI.
- Evaluate incident response procedures and verify that they are up to date and effective.
- Review breach notification procedures and verify that they are up to date and effective.
- Verify that all required HIPAA documentation is up to date and readily available.
- Evaluate compliance with the HIPAA Privacy Rule, including obtaining and documenting patient authorizations for disclosures of PHI.
- Review compliance with the HIPAA Security Rule, including conducting regular risk assessments and addressing identified risks.
- Verify that all PHI disclosures are properly authorized and documented, including disclosures for treatment, payment, and healthcare operations.
- Review compliance with the HIPAA Breach Notification Rule, including the timely reporting of any breaches of unsecured PHI.
- Evaluate compliance with the HIPAA Omnibus Rule, including compliance with the new requirements for business associates and subcontractors.
- Verify that all PHI is properly disposed of in accordance with HIPAA regulations.
- Review compliance with state and local laws that may impact HIPAA compliance.
- Conduct periodic audits and remediate any areas of noncompliance.
- Document all audit findings and remediation activities.
- Develop and implement a HIPAA compliance program that includes ongoing training, monitoring, and auditing.
- Assign a HIPAA Compliance Officer to manage your compliance efforts across your organization.
- Track and protect mobile devices so that they do not end up in unauthorized hands, and that all data contained in them is properly encrypted. Implement remote wipes to destroy PHI that is stolen, or simply avoid storing PHI on mobile devices in the first place.
How Does the EU’s General Data Protection Regulation Affect HIPAA Compliance?
The EU’s General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) are two separate regulations that aim to protect personal data privacy. GDPR applies to all businesses that process or handle EU citizens’ personal data, regardless of their location, while HIPAA is applicable to healthcare providers, insurers, and their business associates in the U.S. However, as healthcare entities and business associates are increasingly operating on a global scale, it is essential to understand the GDPR’s impact on HIPAA compliance.
The GDPR imposes stricter data protection requirements than HIPAA, including:
Explicit Consent in GDPR
GDPR requires explicit consent before processing an individual’s personal data, while HIPAA requires only a general authorization.
Data Subjects Rights in GDPR
GDPR grants individuals more extensive control over their data, including the right to access, rectify, and erase their personal data, whereas HIPAA provides limited rights to access and request amendments.
Data Protection Officer (DPO) Stipulated in GDPR
GDPR mandates that certain organizations appoint a DPO to oversee data protection, while HIPAA does not require this role.
Data Breach Notifications Required by GDPR
GDPR requires organizations to report data breaches within 72 hours, while HIPAA requires reporting within 60 days.
GDPR imposes significantly higher penalties for noncompliance, with fines of up to €20 million or 4% of global annual revenue, whichever is higher. In contrast, HIPAA fines range from $100 to $50,000 per violation, up to a maximum of $1.5 million per year.
Therefore, healthcare entities and business associates that process EU citizens’ personal data must ensure compliance with both GDPR and HIPAA. They should review their data privacy policies and procedures, implement necessary changes to meet GDPR requirements, and train their staff on the regulations’ provisions. Failure to comply with either regulation can result in significant financial penalties and damage to an organization’s reputation.
Stay HIPAA Compliant With Kiteworks Security and File Transfer Services
Kiteworks is a cloud and on-premises services provider that supports secure managed file transfer, HIPAA compliant email, data management and security, auditing and encryption technology that meets or exceeds HIPAA requirements for healthcare organizations. Kiteworks offers enterprise security features such as:
- One-click auditing and reporting with a complete, unified and unbroken audit trail of critical data access events
- Encryption of content in transit and at rest, and additional security measures like key rotation, session timeouts, integrity checks, and anti-virus
- Compliant reporting, administrative safeguards, security policy controls for data and account access
- SOC 2 attestations and other physical safeguards for AWS and Azure environments
- AES-256 and TLS 1.2 encryption
- Enterprise content firewall for protecting data on an internal network
- Threat detection, mitigation, and forensics via comprehensive, unified logging, CISO Dashboard analysis, and exports to your SIEM
We also bring years of experience in HIPAA-related compliance to help your organization better serve patients and their data.
To learn how Kiteworks can help keep you HIPAA compliant, schedule a custom demo of Kiteworks today.