The 5 Elements of a HIPAA Compliance Checklist
When working with people’s personal health information, whether you’re a healthcare company or not, it’s essential to be HIPAA compliant. Organizations that violate HIPAA rules are subject to substantial penalties and even fines, depending on the severity of the violation.
The best way to make sure your organization complies with HIPAA is to use a checklist and analyze every aspect of your business. Then you will be able to target the areas that need work. Here are the 5 elements of a comprehensive HIPAA compliance checklist with examples.
Audits
Audits are a great way to dive deeper into each of the 3 major sections of HIPAA. A security risk assessment should be completed for the Physical, Technical and Administrative aspects.
Directly from hhs.gov, the Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Administrative Safeguards make up more than half of all the HIPAA Security requirements. As with all the standards, compliance with the Administrative Safeguards standards requires an assessment of the security controls currently in place, an accurate and thorough risk analysis, and solutions derived from the factors unique to each covered entity.
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Physical Standards add another layer of defense for the protection of EPHI.
When assessing physical safeguards, a covered entity has to consider every physical access path to EPHI. This commonly reaches outside the actual office environment and includes anywhere employees obtain remote access to EPHI.
The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
The Security Rule is based on the concepts of flexibility, scalability and technology neutrality. For this reason, it does not require any specific type of technology. The Security Rule gives an organization the freedom to use any security measures that allow for reasonable and appropriate protection. It is the job of the covered entity to determine which technologies should be implemented in its organization.
Here are key points to consider in the Audit phase:
- Conduct a security risk, administrative, and privacy assessment
- Identify any deficiencies in these audits and document them
- Ensure any business associates are also HIPAA compliant
Employees
The second phase of the checklist has to do with your employees. All employees need to be properly trained on the latest HIPAA regulations. They also need to understand your organization’s security and privacy policies. Ideally, this information should all be covered in your onboarding process for new employees. In addition to communicating policies and HIPAA regulations, the training process itself needs to be documented.
This training and documentation should be the responsibility of an appointed employee within your organization, commonly referred to as a HIPAA security officer.
The last piece of this phase is restriction. Facilities should be secured so that only employees can enter, and personal health information should have restricted access so that only those who work with it can reach it.
Here are some key points:
- All employees have been trained and the training has been documented
- A HIPAA security officer has been appointed
- Access has been restricted to only employees who are working with the PHI
Policies and Procedures
The largest section of the checklist has to do with your organization’s policies and procedures. The first step is to have your policies and procedures documented, as well as have a risk management policy in place.
The second part is to ensure the personal health information is protected. This information should be encrypted, and a process should be created for the proper disposal of any PHI no longer being used.
The next part is your policies regarding violations or breaches. Any violations that occur should be well documented. There should also be a process for contacting the appropriate parties if a breach does occur.
The final part of this phase regards business associates. All business associates should be identified and documented, and an agreement should be in place with each one of them.
Here are key points to consider:
- Documented security policies and a risk management policy
- All PHI is encrypted
- There is a process for disposing of any health information no longer in use
- Violations need to be documented, and a process should exist for contacting appropriate parties if a breach occurs
- Business associates need to be identified and an active agreement with each one should be on file
Remediation
The fourth section is all about fixing any issues found. A remediation plan should be made for each assessment, and each plan should be completed as soon as possible.
Here are the key points:
- A remediation plan has been made for security risk, privacy, and administrative assessments
Reporting and Investigations
The last phase is all about reporting and documenting. A report should be created to demonstrate HIPAA compliance due diligence. A system should also exist for tracking and managing any HIPAA violations. The last report that should be produced is an annual review of your organization’s security and privacy policies.
Following HIPAA compliance is very important, but keeping up with all aspects of the rules and regulations can be overwhelming and difficult. This checklist can help you discover any potential issues within your organization and create a plan to fix them.