HIPAA Compliance Checklist
Creating a HIPAA Compliance Checklist
A HIPAA compliance checklist is a tool every HIPAA-Covered Entity and Business Associate should use as part of their compliance efforts. Unfortunately, no such tool exists. This is because no two HIPAA-Covered Entities or Business Associates are identical. Most have dissimilar working practices, policies or existing security mechanisms. Therefore a singular “one-size-fits-all” HIPAA compliance checklist would likely be inappropriate for most individuals or organizations engaged in healthcare-related activities.
However, there is a way in which it is possible to create a HIPAA compliance checklist. This involves appointing somebody within your organization to be responsible for Privacy and Security (a requirement of HIPAA). The appointed person should use their knowledge of HIPAA to conduct appropriate risk assessments and risk analyses, and then use the results to create a HIPAA compliance checklist – listing any measures and policies that need to be implemented in order to be HIPAA compliant.
The Purpose of a HIPAA Compliance Checklist
The primary purpose of a HIPAA compliance checklist is to detect threats to, and vulnerabilities within, your organization that could result in the unauthorized disclosure of Protected Health Information (PHI). By creating a HIPAA compliance checklist, you will have total visibility of all the measures and policies that need to be implemented in order to prevent a breach. Having total visibility will enable you to prioritize any issues according to the level of risk each presents.
The documents used in the creation of a HIPAA compliance checklist also satisfy some of the administrative safeguards within the HIPAA Security Rule. This not only advances your compliance efforts, but the documents may be something you need to produce if your organization is investigated for a breach of PHI or selected for a HIPAA audit by the Office for Civil Rights. Compiling a HIPAA compliance checklist alone will not make you HIPAA compliant, but it is a good start.
Conducting a HIPAA-Compliant Risk Assessment
Neither the authors of the HIPAA legislation nor the Health and Human Services' Office for Civil Rights have ever issued guidance about the methodology that should be used to conduct a HIPAA-compliant risk assessment. Each individual Covered Entity and Business Associate has to determine what areas should be covered and how. This can be daunting for organizations entering a healthcare-related industry with no previous exposure to HIPAA – even those whose access to PHI will be limited.
The Office of the National Coordinator for Health Information Technology has developed a free Security Rule Assessment (SRA) tool that organizations can download and use in the risk assessment process. This tool only covers the Security Rule element of HIPAA, and organizations – particularly those applying for Meaningful Use incentive payments – will also need to conduct a risk assessment to assess their compliance with the Privacy Rule. There is professional help available for organizations who need it.
Analyzing the Risk Assessment to Prioritize Threats
The next stage of creating a HIPAA compliance checklist is to analyze the risk assessment in order to prioritize threats. Again, despite this process being a requirement of the HIPAA Security Rule, there is no specific methodology prescribed by the Office for Civil Rights. However, the Center for Medicare and Medicaid Service has compiled a Risk Analysis Tip Sheet from which, although relating to the Meaningful Use incentive program, the following tips have been extracted:
- Define the scope of your analysis and collect data regarding PHI relevant to the defined scope.
- Identify potential threats and vulnerabilities to patient privacy and data security.
- Assess the effectiveness of existing measures to protect against the potential threats.
- Determine the likelihood that a particular threat will occur and the impact it will have on the integrity of PHI.
- Determine and assign risk levels based on the likelihood and impact of a threat occurrence.
- Prioritize the remediation or mitigation of identified risks based on the severity of their impact.
- Document your risk analysis, and review and update it on a periodic basis.
The outcome of the risk analysis will vary according to the nature of the organization's business and the systems already in place. It may be the case there is nothing to include on the HIPAA compliance checklist at this time; but, as the Tip Sheet recommends, the analysis should be reviewed and updated periodically – particularly when new technology is introduced or if working practices change. The documentation of each review and update is a requirement of HIPAA.
Implementing Reasonable and Appropriate Measures
The HIPAA regulations state that, once a risk analysis is completed, you must take any additional “reasonable and appropriate” measures to reduce identified risks to “reasonable and appropriate” levels. This may require changing the working practices within your organization, developing new policies and training employees. It could also require updating software, implementing additional online security tools to strengthen your network defenses or enhancing the physical security of your premises.
Whatever measures you believe are reasonable and appropriate to reduce the threats you have identified should be entered onto your HIPAA compliance checklist and prioritized in order to help you draw up an action plan. The action plan should include the measures your organization has decided to implement, the individual(s) responsible for implementing the measures, and target dates for when the measures should be implemented. As with the risk analysis, this document should be reviewed regularly.
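The Tip Sheet steps above (likelihood and impact, risk level, prioritized remediation) and the action plan with owners and target dates can be tied together in a small risk register. This is an added example, not part of the original article or any official HIPAA tool; the 3-point scales, the risk-level banding, the remediation windows and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed 3-point scales for likelihood and impact (the Tip Sheet prescribes none).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Assumed remediation windows per risk level, in days, for the action plan.
TARGET_DAYS = {"high": 30, "medium": 90, "low": 180}

@dataclass
class Risk:
    threat: str            # what could go wrong
    asset: str             # PHI system or process inside the defined scope
    likelihood: str        # "low" | "medium" | "high"
    impact: str            # effect on the confidentiality/integrity of PHI
    existing_control: str  # safeguard already in place, if any
    owner: str             # person responsible for remediation

def risk_score(r: Risk) -> int:
    """Combine likelihood and impact into a single score (1..9)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]

def risk_level(score: int) -> str:
    """Assumed banding: 6-9 high, 3-4 medium, 1-2 low."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_checklist(risks, start: date):
    """Order risks by severity and give each a checklist entry with an
    owner and a target date, as the action plan requires."""
    entries = []
    for r in sorted(risks, key=risk_score, reverse=True):
        level = risk_level(risk_score(r))
        entries.append({"threat": r.threat, "asset": r.asset, "level": level,
                        "owner": r.owner,
                        "target": start + timedelta(days=TARGET_DAYS[level])})
    return entries

# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    Risk("Lost or stolen laptop exposes PHI", "clinician laptops", "medium", "high",
         "none (disks unencrypted)", "IT lead"),
    Risk("Unauthorized access goes unnoticed", "EHR access logs", "high", "medium",
         "logs kept but never reviewed", "Security Officer"),
    Risk("Paper records left on shared printer", "front-desk printer", "low", "medium",
         "staff reminded verbally", "Privacy Officer"),
]

if __name__ == "__main__":
    for e in build_checklist(SAMPLE_RISKS, date(2024, 1, 1)):
        print(f"[{e['level']:6}] {e['threat']} -> {e['owner']} by {e['target']}")
```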
Developing and Enforcing HIPAA-Compliant Policies
Depending on the nature of the organization's business, there can be fifty-six policies that have to be developed and enforced in order to be HIPAA-compliant. It is the role of the organization's Privacy/Security Officer to determine which policies are necessary and how existing policies can be amended (if necessary) in order to fulfil the requirements of HIPAA. Again, there is plenty of professional help available for organizations and Privacy/Security Officers if required.
One of the key policies that should not be omitted in any circumstances is the Sanctions Policy. This policy for employees should be at the top of most organizations' HIPAA compliance checklists as it defines the three different classes of offences under HIPAA and their respective sanctions. A recommended best practice is to have acceptance of the Sanctions Policy included in employment contracts and ensure employees review the Sanctions Policy at least once a year.
Review Your HIPAA Compliance Checklist Frequently
When the Final Omnibus Rule was enacted in 2013, the necessity for the Office for Civil Rights to prove a breach had occurred following an unauthorized disclosure of PHI was removed. Instead, the Covered Entity or Business Associate now has to prove no significant harm has occurred due to an unauthorized disclosure. This change in the regulations has made it possible for the Office for Civil Rights to pursue more violations of HIPAA and impose more fines or “Resolution Agreements”.
With additional financial resources available, the Office for Civil Rights has commenced a HIPAA audit program. In the audit program, random Covered Entities and Business Associates are selected and required to demonstrate their compliance with HIPAA. Prior to each round of audits, the Office for Civil Rights issues an “audit protocol”, highlighting the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules that auditors will be specifically looking at.
By reviewing and updating your HIPAA compliance checklist frequently, you will be able to review the audit protocol, find any matching measures on the checklist still awaiting implementation, and prioritize them in case your organization is randomly selected for an audit. Creating, maintaining and reviewing a HIPAA compliance checklist is therefore ideal for avoiding sanctions from the Office for Civil Rights for non-compliance with HIPAA as well as detecting vulnerabilities within your organization and threats to the integrity of PHI.