The purpose of a HIPAA compliance checklist is to support the good faith efforts of covered entities and business associates to comply with the applicable standards of the Health Insurance Portability and Accountability Act (HIPAA) 1996. Due to the different types of organizations covered by the Act and the various functions they perform, there is no one-size-fits-all checklist for HIPAA compliance.
What does exist are the “Seven Fundamental Elements of an Effective Compliance Program” – a checklist of elements published by the HHS’ Office of the Inspector General in 2011. Due to the age of the publication, we have updated the list to create a general HIPAA compliance checklist with the following elements:
- Develop policies and procedures that support compliance with the Privacy Rule.
- Designate a Privacy and Security Officer, and – where possible – a compliance team.
- Implement effective training programs rather than intermittent training sessions.
- Enable communication channels to report complaints, issues, violations, and breaches.
- Monitor compliance to prevent poor practices developing into a cultural norm.
- Enforce sanctions on members of the workforce fairly, equally, and visibly.
- Respond promptly to reported complaints, issues, violations, and breaches.
Who Should Complete a HIPAA Compliance Checklist?
It is important to be aware that not all organizations are required to comply with all of the standards in the Administrative Simplification provisions. While most health plans, healthcare clearinghouses, and healthcare providers are required to comply with the Administrative Requirements and the Privacy, Security, and Breach Notification Rules; other types of organizations might only be required to comply with the Security Rule and/or Breach Notification Rule.
Larger organizations may have different compliance requirements for different departments of the workforce. An example of this is a healthcare facility with public-facing personnel and a remote IT team. While public-facing compliance will consist of policies and procedures relating to patients´ rights and permissible uses and disclosures of Protected Health Information (PHI), a HIPAA cybersecurity checklist will be of more value to the IT team.
As a result, this article is divided into several sections. It includes a HIPAA risk assessment checklist, a HIPAA compliance checklist for information technology, and a HIPAA compliance audit checklist based on the latest audit protocols published by the Department for Health and Human Services´ Office for Civil Rights (OCR). We conclude the article with an FAQ section answering some of the most frequently asked questions about HIPAA compliance and HIPAA checklists.
HIPAA Risk Assessment Checklist
To best ensure no gaps are left in compliance efforts, it is advisable for all organizations subject to any parts of the Administrative Simplification provisions to compile a HIPAA risk assessment checklist. This should be done by the person(s) designated to be a HIPAA Privacy or Security Officer as it is the foundation for all other HIPAA checklists. Typically, a HIPAA risk assessment checklist will be similar to the following:
- Identify what PHI the organization creates, receives, stores, and transmits – including PHI transmitted to/from other Covered Entities, Business Associates, and/or subcontractors.
- Identify any human, natural, and environmental threats to the privacy of individually identifiable health information and to the confidentiality, integrity, and availability of ePHI.
- Assess the effectiveness of existing policies, procedures, and measures implemented to prevent HIPAA violations and mitigate the likelihood of a reasonably anticipated data breach.
- Determine the potential impact of reasonably anticipated HIPAA violations and data breaches and assign each type of event a risk level based on its likelihood and its potential impact.
- Document the findings and implement further policies, procedures, and measures where necessary – training workforce members on material changes to existing policies and procedures.
- Document the HIPAA risk assessment checklist, the rationale for implementing new policies, procedures, and measures, and the training provided due to any material changes. The documents must be retained for a minimum of six years.
From this checklist, Compliance Officers should be able to develop more situation-specific HIPAA compliance checklists. For example, a healthcare facility with public-facing personnel should be able to compile a HIPAA checklist for its public-facing operations and the compliance challenges it personnel may encounter. What such a checklist might consist of will depend on the exact nature of each organization´s operations, but will likely include:
- Implement procedures for distributing Notices of Privacy Practices, obtaining written confirmations of receipt, and notifying individuals of changes to the Notices.
- Ensure all members of the workforce understand what PHI is, when it can permissibly be used and disclosed, and when an individual´s authorization is required.
- Develop policies and procedures for obtaining and documenting authorizations and for giving individuals the opportunity to agree or object when required.
- Develop policies and procedures for handling requests to access, correct, and transfer PHI – including verifying the identity of the individual making the request.
- Establish procedures for members of the workforce to report HIPAA violations and designate an individual to be responsible for fulfilling the breach notification requirements.
- Create, test, and document contingency plans for responding to different types of emergencies to ensure the continuation of operations following a human, natural, or environmental event.
It is important to be aware that this type of checklist is not only appropriate for Covered Entities required to comply with the Privacy Rule. While biased towards Privacy Rule compliance (due to the example used), Business Associates of Covered Entities may also be required to comply with Privacy Rule standards or Administrative Requirements standard depending on the service being provided and the terms of the Business Associate Agreement.
Other Types of HIPAA Compliance Checklist
There are many different types of HIPAA checklist a Covered Entity or Business Associate can compile to help ensure no gaps are left in compliance efforts. One of the more basic is a HIPAA training checklist – which, while basic, will ensure the training requirements are complied with and that members of the workforce have a good understanding of HIPAA to support compliance with organizational policies and procedures. A HIPAA training checklist should start with a few Q&As:
- Does the training provide an understanding of HIPAA so members of the workforce can make compliant decisions when necessary?
- Is the training relevant to each workforce member´s role or is there too much content that might distract trainees from key messages?
- Is the training presented in such a way to make it memorable, or will it be necessary to provide regular refresher courses?
- Are measures in place to identify who requires further training either due to a lack of compliance or when a material change to policies occurs?
- Does the security awareness training program include tests to identify which members of the workforce are susceptible to phishing?
- Is training being documented in such a way to demonstrate a good faith compliance effort in the event of an OCR investigation or audit?
Another basic type of checklist is a HIPAA breach notification checklist. It is well chronicled that a cyberattack which extracts thousands of unencrypted records should be reported to OCR and the affected individuals, but it is not so well known what should happen in the event of an inadvertent disclosure of an individual PHI record – for example, a paper test result left unattended for a few minutes. A HIPAA breach notification checklist will help determine the appropriate course of action.
- Who should the potential breach be reported to? Usually, the Privacy Officer would be responsible for making notification decisions, but this might not always be the case.
- Thereafter, it may be important to know if the unsecured PHI record was viewed or acquired and, if so, the likelihood of it being re-used or re-disclosed.
- Who might have viewed or acquired the unsecured PHI record should be considered as there may be steps that can be taken to mitigate a further disclosure.
- The nature of the PHI may also be a factor. For example, if a test result is indecipherable to anybody other than a medical professional, it may not be necessary to notify a breach.
- If it is necessary to notify a breach, what measures are in place to answer questions when individuals receive a notification and to respond to OCR inquiries for more information?
- Has the reason for (or for not) notifying the breach been documented? And are measures being put in place to prevent a repeat of the event?
When compiling a HIPAA breach notification checklist, it is also important to bear in mind that exceptions exist to the definition of a breach. These include unintentional good faith acquisitions by a workforce member working within the scope of their authority, inadvertent or incidental disclosures made by an authorized member of the workforce to another authorized member of the workforce, and disclosures to a third party who would not be able to retain the information.
HIPAA Security Rule Checklist for IT
When compiling a HIPAA security requirements checklist, it is important not to overlook the General Rules (§164.306), the Organizational Requirements (§164.314), and the Documentation Requirements (§164.316), as evidence of compliance with these sections of the Security Rule may be necessary in the event of an OCR investigation. However, the most relevant sections of the Security Rule are the Administrative, Physical, and Technical Safeguards.
These sections form the basis of a HIPAA Security Rule checklist for IT as they cover everything from assigning responsibility for security to ensuring the confidentiality, integrity, and availability of ePHI. To help compile a HIPAA Security Rule checklist for IT, organization are advised to review Appendix A of the Security Rule as this lists all the implementation specifications of the three Safeguards in a single matrix. From this matrix, an example HIPAA compliance IT checklist may look like this:
- Implement a security management process to prevent, detect, contain, and correct security violations.
- Implement policies and procedures for authorizing access to ePHI and for authenticating authorized personnel.
- Develop and test a contingency plan for responding to events that threaten the confidentiality, integrity, or availability of ePHI.
- Implement physical controls to prevent unauthorized persons accessing systems or buildings in which ePHI is maintained.
- Implement audit controls and event logging on systems maintaining ePHI and measures to ensure personnel are who they claim to be.
- Understand the HIPAA encryption requirements and determine which data, systems, and devices should be encrypted to prevent breaches of unsecured ePHI.
It is recommended not to focus too heavily on a HIPAA compliance checklist for information technology because technology is only the third item in the PPT framework (People, Processes, Technology). Organizations should devote at least as many resources into training and developing processes that simplify HIPAA compliance for members of the workforce – not forgetting to enforce HIPAA compliance via a HIPAA sanctions policy.
HIPAA Compliance Audit Checklist
The HIPAA audit protocol is a document published by the Department of Health and Human Services that outlines which areas of HIPAA compliance will be investigated by OCR inspectors during a HIPAA audit. The protocol is updated when each round of audits commences, and the current protocol dates from July 2018. The following information comes with the caveat that the protocol may soon be replaced or amended.
In the same way as there is no one-size-fits-all HIPAA compliance checklist, there is no one-size-fits-all HIPAA audit protocol checklist. Some of the items in the protocol relate to specific types of Covered Entities (i.e., health care clearinghouses), while others relate to organizations operating as hybrid entities or within an Organized Health Care Arrangement. However, there are multiple items that will apply to most organizations subject to HIPAA:
- OCR appears to be closely monitoring consistency with Notices of Privacy Practices inasmuch as the uses and disclosures listed on the Notices are accurate.
- There also appears to be a significant interest in the confidentiality, integrity, and availability of ePHI – particularly availability – during emergencies.
- Access rights have been a subject of recent OCR enforcement action, and individuals´ rights to PHI and accountings of disclosures feature in the protocol.
- Documentation is mentioned often in our example HIPAA compliance checklists, and compliance with this requirement will also be reviewed during a HIPAA audit.
- Training is also mentioned – particularly the length of time before new workforce members are trained on policies and procedures or provided with security awareness training.
- Compliance with the Breach Notification Rule will also be audited, so it may be worth taking a second look at our HIPAA Breach Notification checklist.
Due to the extensiveness of the HIPAA audit protocol, it is not possible to produce a HIPAA compliance audit checklist that would be relevant to every type of organization subject to HIPAA. We have attempted to list summaries of the topics as they appear on the protocol but organizations are advised to review the protocol from the link provided above and seek professional compliance advice if there are any areas of the audit protocol they are unsure about.
Review Your HIPAA Compliance Checklists Frequently
Although HIPAA doesn´t evolve very quickly, threats to the privacy of individually identifiable health information and the confidentiality, integrity, and availability of ePHI are evolving all the time. While HIPAA doesn´t mandate that a HIPAA compliance checklist has to be frequently reviewed, it is a best practice to schedule a review of every checklist at least annually – and certainly whenever there is a material change to the HIPAA Rules.
HIPAA Compliance Checklist FAQs
What is a HIPAA compliance checklist?
In its most basic form, a HIPAA compliance checklist is a list of actions an organization has to take to ensure it complies with the applicable standards of the Administrative Simplification provisions. The reason for this article featuring more than one HIPAA checklist is that some organizations – or departments within organizations – will have different compliance requirements than others.
How many items should there be on a HIPAA checklist?
There is no set length for a HIPAA checklist. The number of items on a checklist will likely depend on factors such as the nature and complexity of the organization´s operations, whether different individuals, teams, or departments are responsible for HIPAA compliance, the existing measures in place, and the workforce´s existing knowledge of HIPAA compliance.
How many different HIPAA checklists can you have?
You can have as many HIPAA checklists as you feel is necessary to ensure no gaps are left in compliance efforts. For example, in this article we have included checklists for training and breach notifications, but you could also compile a HIPAA compliant website checklist, HIPAA computer compliance checklist, or a HIPAA compliance checklist for software development.
Where can I get a free HIPAA compliance checklist?
There are multiple sources offering a free HIPAA compliance checklist, and some of these are very good inasmuch as the checklist is extremely comprehensive. A free HIPAA compliance checklist may be suitable for some organizations´ needs; however, we draw your attention to the opening of this article in which we note there is no one-size-fits-all checklist for HIPAA compliance.
Why are “most health plans” (etc.) required to comply with all the standards? I thought all of them had to.
Not all health plans and healthcare providers are Covered Entities under HIPAA. Health plans that pay for medical treatment as a benefit of another type of insurance (i.e., auto insurance) are not Covered Entities, nor are healthcare providers that do not conduct HIPAA covered transactions (i.e., counselors that only accept direct payments from patients).
What are the Administrative Requirements of HIPAA?
These are the identifiers, code sets, and transactions for which the Department of Health and Human Services has developed standards. Compliance with the Administrative Requirements is policed by CMS, and the reason many non-HIPAA covered organizations are unaware of them is because violations of the Administrative Requirements usually result in delayed responses to eligibility, status, and payment inquiries. They do not cause harm or loss.
Why are some organizations “required to comply with the Security Rule and/or the Breach Notification Rule”? I though all organizations subject to HIPAA had to comply with both Rules.
While most organizations subject to HIPAA are required to comply with both Rules, there are exceptions. For example, vendors of Personal Health Records (PHRs), PHR-related entities, and service providers to PHR vendors are only required to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act.
What is the difference between a HIPAA compliance audit checklist and a HIPAA audit checklist?
Different organizations can give different names to different types of checklists. In one organization, a HIPAA compliance audit checklist could have the same purpose as a HIPAA audit checklist in another organization. However, in some circumstances, there is little doubt about the purpose of a checklist. For example, the purpose of a HIPAA audit protocol checklist is undoubtedly to check compliance with audit protocols published by HHS´ Office for Civil Rights.
Is a HIPAA risk assessment checklist suitable for both Privacy Rule and Security Rule compliance?
It depends on the nature of an organization´s operations. A large healthcare organization should have separate privacy and Security Officers and each should have their own HIPAA compliance requirements checklist. However, a small organization operating as a Business Associate for a Covered Entity may only need one HIPAA risk assessment checklist depending on the nature of the service being provided for or on behalf of a Covered Entity.
What Privacy Rule HIPAA compliance requirements does a Business Associate have?
Again, this depends on the nature of the service being provided for or on behalf of a Covered Entity. For example, a Business Associate may have to comply with standards relating to access requests, amendment requests, and transfer requests. If it has a public-facing operation, it may also have to comply with the Minimum Necessary standard and be aware of what uses and disclosures of PHI are permitted by the Privacy Rule and which require the authorization of an individual.
It is also worth noting some healthcare providers that do not qualify as HIPAA Covered Entities can provide services to another Covered Entity as a Business Associate. For example, a therapist´s office might provide counseling services for a healthcare organization´s patients. In such circumstances, the therapist´s office – and all members of the workforce – will have to comply with the Privacy Rule even though it does not qualify as a HIPAA Covered Entity.
Is there a separate HIPAA compliance checklist for Business Associates?
While there is no separate type of HIPAA compliance checklist for Business Associates, a Covered Entity may use a Business Associate HIPAA compliance checklist to conduct due diligence on a Business Associate. The content of the Business Associate HIPAA compliance checklist will depend on what service(s) is being provided by the Business Associate, but it will usually include items relating to Security Rule compliance and Breach Notification Rule compliance.
How might a HIPAA compliance IT checklist differ from a HIPAA compliance technology checklist?
A HIPAA compliance IT checklist will likely include the standards of the Security Rule for which the IT department is responsible, whereas a HIPAA compliance technology checklist will likely only include standards relating to the Technical Safeguards of the Security Rule – omitting the Physical and Administrative Safeguards as well as any applicable standards of the General Rules (§164.306), Organizational Requirements (§164.314) and Documentation Requirements (§164.316).
Does an organization with a modest online presence have to have a HIPAA cybersecurity checklist?
Even though an organization may have a modest online presence, it is likely the organization has a website, uses email, and allows workforce members to browse the Internet. Cybersecurity is not only important for cloud servers and databases, but to any online interactions. Even though the organization´s online presence may be modest, it is still important to ensure risks are identified and measures put in place to mitigate the risks – ideally via a HIPAA cybersecurity checklist.
What is a HIPAA compliance software checklist?
A HIPAA compliance software checklist can mean one of two things. It is either a checklist to ensure a developer´s software complies with HIPAA (including how the software can be configured) or it can be a software-based compliance checklist. Although the latter can be useful for checking compliance with basic HIPAA compliance requirements, it is important to note that off-the-shelf compliance solutions often lack customization to meet the unique compliance challenges of every organization.
What is the purpose of a HIPAA compliance checklist?
A common theme throughout the combined Administrative Simplification provisions is that Covered Entities (and, where appropriate, Business Associates) must be “reasonably diligent” in protecting the privacy of PHI and ensuring the confidentiality, integrity, and availability of ePHI. It is not always possible to be simultaneously reasonably diligent with every Privacy, Security, and Breach Notification standard, so a HIPAA compliance checklist is a reminder of where diligence is required.
Although HIPAA compliance checklists are not mandatory (unless they substitute for the risk analyses required by §164.308), completing and documenting a HIPAA compliance checklist demonstrates a good faith effort to comply with HIPAA in the event of a breach investigation or compliance review. While a HIPAA risk assessment checklist may not absolve an organization of a HIPAA violation, it may mitigate the consequences or the amount of a civil monetary penalty.
Who is a HIPAA compliance checklist for?
This depends on whether the checklist has a specific purpose. In a small organization, a HIPAA compliance checklist will usually be designed to cover all of a Privacy Officer´s or Security Officer´s responsibilities. In a larger organization, you might find a HIPAA compliance website checklist for website designers, a HIPAA compliance software checklist for software developers, and a HIPAA network security checklist for Chief Information Officers.
What does HIPAA compliance mean?
HIPAA compliance can mean different things to different organizations depending on the nature of their operations. For example, Covered Entities that have in-house claims and billing operations need to comply with the Administrative Requirements of HIPAA (Part 162), whereas Covered Entities that outsource claims and billing operations to third parties do not have to comply with this Part of HIPAA (although it is necessary to conduct due diligence on the third party to ensure compliance).
Most organizations in the healthcare and health insurance industries have to comply with the Privacy, Security, and Breach Notification Rules, while Business Associates have to comply with only the parts of the Privacy Rule that apply to the service they are providing (as well as the Security and Breach Notification Rules). Vendors of personal health devices are only required – at present – to comply with the Breach Notification Rule.
Who monitors HIPAA compliance?
HIPAA compliance should be monitored in-house by HIPAA Privacy and Security Officers. However, when violations of HIPAA occur, they may be reported to HHS´ Office for Civil Rights, the Centers for Medicare and Medicare Services, or the Federal Trade Commission depending on the type of violation. These agencies may then conduct investigations or compliance reviews to monitor compliance with HIPAA and apply sanctions depending on the nature of the violation.
Is there a specific HIPAA compliance checklist for IT?
There is not a specific HIPAA compliance checklist for IT because, although IT teams are most often responsible for compliance with the Security Rule, the responsibilities of an IT team can vary according to an organization´s size, complexity, and processes. For example, some organizations may have a separate team for physical security, while others may incorporate Privacy Rule requirements into their IT team´s responsibilities (i.e., complying with PHI amendment requests).
What is the most important thing to remember about HIPAA compliance?
The most important thing to remember about HIPAA compliance is that it is an ongoing and evolving process rather than a one-off exercise. It is important to review the content of HIPAA compliance checklists frequently in order to adapt them to new threats and vulnerabilities, and to ensure compliance is monitored to prevent workforces taking shortcuts to “get the job done” and the shortcuts subsequently developing into a culture of non-compliance.
What is the HIPAA Security Rule?
The HIPAA Security Rule is a Rule that establishes a federal floor of standards for the security of electronic Protected Health Information that is created, received, maintained, or transmitted by a Covered Entity or a Business Associate providing a service for or on behalf of a Covered Entity. Other than the sections relating to Applicability, Definitions, and Compliance Dates, the HIPAA Security Rule consists of six sets of standards:
- The General Rules
- The Administrative Safeguards
- The Physical Safeguards
- The Technical Safeguards
- The Organizational Requirements
- The Documentation Requirements
Who must comply with the HIPAA Security Rule?
All Covered Entities, Business Associates, and subcontractors that create, receive, maintain, or transmit electronic Protected Health Information must comply with the HIPAA Security Rule. Any healthcare organizations and insurance companies that do not qualify as Covered Entities also have to comply with the HIPAA Security Rule when they provide a service for or on behalf of another Covered Entity as a Business Associate.
What are the HIPAA compliance requirements?
It is important to be aware there are no specific HIPAA requirements. Each organization subject to HIPAA must make a “reasonable and appropriate” effort to comply with whichever requirements apply to the nature of their business in order to protect the privacy of PHI and ensure the confidentiality, integrity, and availability of electronic PHI. A HIPAA compliance checklist can help organizations identify which requirements apply to the nature of their business.
What does the HHS regard to be a “reasonable and appropriate” effort?
The terms “reasonable” and “appropriate” are not defined anywhere in the Administrative Simplification provisions. However, according to CMS´ HIPAA Basics Guide, “what’s reasonable and appropriate depends on your business as well as its size, complexity, and resources”. Although this statement implies a degree of compliance flexibility, it should not be interpreted as a reason to take shortcuts with HIPAA compliance or omit standards that are difficult to comply with.
What are the guidelines for being HIPAA compliant?
In the same way as there are no specific HIPAA requirements (because each organization has unique compliance challenges and ways to address them), there are no specific guidelines for being HIPAA compliant. Each organization must determine what its compliance requirements are based on a risk analysis. HIPAA compliance is not a point-in-time requirement. HIPAA compliance is ongoing and must evolve to address new challenges as they are identified.
What do you need to know about HIPAA?
What you need to know about HIPAA depends on the nature of your business. In many cases, it is not necessary to know and comply with every HIPAA requirement. However, ignorance of any HIPAA requirements that apply to your organization is no defense against enforcement action. However, if you are a Covered Entity or a Business Associate with access to PHI, you need to understand what the rules are, which apply to your business, and what you need to do to become HIPAA compliant.
What steps should you take for HIPAA compliance?
The steps you should take for HIPAA compliance depend on what type of business you are operating, what services it provides, and who for. The steps you take should also depend on your business´s access to PHI and any risks or vulnerabilities that could result in impermissible disclosures of PHI. HHS publishes several tools to help businesses determine what steps to take for HIPAA compliance; or you could seek professional compliance advice.
What is the Minimum Necessary Standard?
The Minimum Necessary Standard – sometimes referred to as the “Minimum Necessary Rule” or “Minimum Necessary Requirement” – is a standard in the Privacy Rule. It states that Covered Entities and Business Associates must make reasonable efforts to ensure uses and disclosures of – and requests for – PHI are limited to the minimum necessary to accomplish the intended purpose of a particular use, disclosure, or request.
What are the HIPAA retention requirements?
The HIPAA retention requirements stipulate how long documents relating to HIPAA policies and procedures must be retained. The requirements also cover documents such as risk assessments, Notices of Privacy Practices, and sanctions policies; and, in most cases, these must be retained for a minimum of six years from when last in force. Please note, the HIPAA retention requirements do not apply to medical records and may be preempted by more stringent state laws.
What are the rules about sharing PHI on social media?
In terms of HIPAA compliance, sharing PHI on social media is only a permissible use when a Covered Entity has received a written authorization form the subject of the PHI. The authorization must state what PHI is being disclosed and why it is being disclosed, and the subject of the PHI must be made aware that because the Covered Entity has no control over what happens to PHI once it is shared on social media, it may not be possible to comply with a retraction of the authorization.
What is the difference between patient authorization and patient consent?
In the Privacy Rule, there are separate standards relating to patient authorization and patient consent. Patient authorization is required for any use or disclosure of PHI not required or permitted by the Privacy Rule, whereas patient consent is permitted for a limited number of uses and disclosures – i.e., inclusion in a hospital directory. Generally, patient authorizations are formal and must be documented, while patient consent can be verbal.
Are members of the workforce required to report HIPAA violations if they do not result in a data breach?
Members of the workforce should be encouraged to report all violations of HIPAA – including those that do not result in a data breach or impermissible use or disclosure of PHI – so that the cause of the violations can be rectified and measures put in place to prevented the violation being repeated. Repeated violations – no matter how little harm they cause – can contribute to a culture of non-compliance, so it is better to prevent them as soon as possible.
What are the Breach Notification Rule requirements?
The Breach Notification Rule requirements vary depending on where a breach occurs. Usually, Business Associates are required to report data breaches to a Covered Entity and Covered Entities are required to report data breaches to HHS´ Office for Civil Rights. However, there are circumstances in which a Business Associate might file a notification directly with HHS´ Office for Civil Rights if (for example) a data breach affects multiple Covered Entities.
Who is required to follow HIPAA requirements?
Most health plans, health care clearinghouses, healthcare providers, pharmacies, and Business Associates are required to follow the HIPAA requirements. “Partial” and “hybrid entities” – such as Medicare prescription drug card sponsors, employers that administer self-insured health plans, and educational facilities that provide medical services to the public – are required to follow some HIPAA requirements. If you are not sure whether your organization is required to follow HIPAA requirements, you should seek professional compliance advice.