HIPAA Compliance Checklist

The Health Insurance Portability and Accountability Act (HIPAA) is a very complex piece of legislation that aims to protect the private data of patients across the healthcare sector. The important nature of this act means that hefty penalties are in place to enforce it. Whilst incentivising compliance, this also adds an extra level of protection for private health data, as HIPAA fines will often exceed the value of the information itself on the black market.

A HIPAA compliance checklist is a tool every HIPAA-Covered Entity and Business Associate should use as part of their compliance efforts. Unfortunately, no formalised version of such a tool exists. This is because no two Covered Entities (CEs) or Business Associates (BAs) are identical. Most have dissimilar working practices, policies or existing security mechanisms. Therefore, a single “one-size-fits-all” HIPAA compliance checklist would likely be inappropriate for most individuals or organizations engaged in healthcare-related activities.

However, it is possible to complete a comprehensive HIPAA checklist that will help minimise the risk of breaches. This involves appointing somebody within your organization to be responsible for Privacy and Security (a requirement of HIPAA). The appointed person should use their knowledge of HIPAA to conduct appropriate risk assessments and risk analyses, and then use the results to create a HIPAA compliance checklist – listing any measures and policies that need to be implemented in order to be HIPAA compliant.

The Purpose of a HIPAA Compliance Checklist

The primary purpose of a HIPAA compliance checklist is to detect threats to, and vulnerabilities within, your organization that could result in the unauthorized disclosure of Protected Health Information (PHI). By creating a HIPAA compliance checklist, you will have total visibility of all the measures and policies that need to be implemented in order to prevent a breach. Having total visibility will enable you to prioritize any issues according to the level of risk each presents. A checklist will also help in communicating risk to employees: having a complete list of potential threats to present during a training course, as well as a means to avoid them, is much more likely to result in positive outcomes than correcting bad practices in the workplace randomly as you see them happen.

The documents used in the creation of a HIPAA compliance checklist also satisfy some of the administrative safeguards within the HIPAA Security Rule. This not only advances your compliance efforts, but the documents may be something you need to produce if your organization is investigated for a breach of PHI or selected for a HIPAA audit by the Office for Civil Rights (OCR). The OCR is responsible for enforcing HIPAA legislation, and if an organisation is found to be non-compliant it may be subject to severe penalties. Compiling a HIPAA compliance checklist alone will not make you HIPAA compliant, but it is a good start. A more comprehensive guide is available here.

Conducting a HIPAA-Compliant Risk Assessment

Neither the authors of the HIPAA legislation nor the Health and Human Services’ Office for Civil Rights have ever issued guidance about the methodology that should be used to conduct a HIPAA-compliant risk assessment. Though frustrating for many, this was a deliberate effort to ensure that HIPAA did not need to be constantly updated with new codes of practice. Much like the “addressable requirements” found throughout the HIPAA document (particularly the Security Rule), it gives the CE or BA flexibility to decide how best to protect PHI based on their available resources.

Thus, each individual Covered Entity and Business Associate has to determine what areas should be covered by the risk assessment and how they will be assessed. This can be daunting for organizations entering a healthcare-related industry with no previous exposure to HIPAA – even those whose access to PHI will be limited.

CEs and BAs are not, however, left totally in the dark about how to conduct risk assessments. The Office of the National Coordinator for Health Information Technology has developed a free Security Rule Assessment (SRA) tool that organizations can download and use in the risk assessment process. As this tool only covers the Security Rule element of HIPAA, organizations – particularly those applying for Meaningful Use incentive payments – will also need to conduct a risk assessment to assess their compliance with the Privacy Rule. There is professional help available for organizations who need it.

Generally, when conducting a risk assessment, organizations should divide threats into “internal” and “external” threats. Internal threats are often the result of human error – phones left on buses, documents left on desks, cabinets left unlocked. These are easily identified, though they can be hard to address, as human errors are almost unavoidable. External threats often operate on a much larger scale – cyberattacks pose an ever-increasing threat to patient privacy. It may seem like there’s little an employee can do to tackle this, but education about phishing scams and similar schemes can be very helpful.

Analyzing the Risk Assessment to Prioritize Threats

The next stage of creating a HIPAA compliance checklist is to analyze the risk assessment in order to prioritize threats. Again, despite this process being a requirement of the HIPAA Security Rule, there is no specific methodology prescribed by the Office for Civil Rights.

However, the Center for Medicare and Medicaid Service has compiled a Risk Analysis Tip Sheet. Although it relates to the Meaningful Use incentive program, the following tips extracted from it are applicable to any risk assessment:

  • Define the scope of your analysis and collect data regarding PHI relevant to the defined scope.
  • Identify potential threats and vulnerabilities to patient privacy and data security.
  • Assess the effectiveness of existing measures to protect against the potential threats.
  • Determine the likelihood a particular threat will occur and the impact it will have to the integrity of PHI.
  • Determine and assign risk levels based on the likelihood and impact of a threat occurrence.
  • Prioritize the remediation or mitigation of identified risks based on the severity of their impact.
  • Document your risk analysis, and review and update it on a periodic basis.

The outcome of the risk analysis will vary according to the nature of the organization’s business and the systems already in place. It may be the case that there is nothing to include on the HIPAA compliance checklist at this time; but, as the Tip Sheet recommends, the analysis should be reviewed and updated periodically – particularly when new technology is introduced or if working practices change. The documentation of each review and update is a requirement of HIPAA, and may be requested by the OCR if an audit takes place. Additionally, if a breach does occur, having such documentation showing that regular risk assessments were conducted will work in favour of the CE or BA – so long as they were subsequently acted upon.

Implementing Reasonable and Appropriate Measures

The HIPAA regulations state that, once a risk analysis is completed, you must take any additional “reasonable and appropriate” measures to reduce identified risks to “reasonable and appropriate” levels. This may require changing the working practices within your organization, developing new policies and training employees. It could also require updating software, implementing additional online security tools to strengthen your network defenses or enhancing the physical security of your premises.

Whatever measures you believe are reasonable and appropriate to reduce the threats you have identified should be entered onto your HIPAA compliance checklist and prioritized in order to help you draw up an action plan. The action plan should include the measures your organization has decided to implement, the individual(s) responsible for implementing the measures, and target dates for when the measures should be implemented. As with the risk analysis, this document should be reviewed regularly.
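The Tip Sheet steps above (likelihood and impact, risk levels, prioritization, periodic review) and the action plan described in this section, worked through as a small risk register. This is an added example, not part of the original article or any official tool: the 1–3 scales, the risk bands, the yearly review cadence and all sample threats and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Threat:
    name: str
    origin: str              # "internal" or "external", the split the article uses
    likelihood: int          # 1 (rare) to 3 (likely); the 1-3 scale is an assumption
    impact: int              # 1 (minor) to 3 (severe) effect on PHI; also an assumption
    existing_control: str    # measure already in place
    control_effective: bool  # outcome of assessing that measure

def risk_score(t: Threat) -> int:
    """Likelihood times impact, as the Tip Sheet's likelihood/impact steps call for."""
    return t.likelihood * t.impact

def risk_level(score: int) -> str:
    """Map the 1-9 score onto three bands; the thresholds are an assumption."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def prioritize(threats):
    """Checklist items: threats whose existing control is not effective, worst first."""
    open_items = [t for t in threats if not t.control_effective]
    return sorted(open_items, key=lambda t: (-risk_score(t), t.name))

def action_plan(threats, remediation):
    """Turn the prioritized checklist into action-plan rows: measure, owner, target date."""
    plan = []
    for rank, t in enumerate(prioritize(threats), start=1):
        measure, owner, target = remediation[t.name]
        plan.append({"rank": rank, "threat": t.name, "risk": risk_level(risk_score(t)),
                     "measure": measure, "owner": owner, "target": target})
    return plan

def review_due(last_review: date, today: date, period_days: int = 365) -> bool:
    """Periodic-review flag; the yearly default is an assumption, not a HIPAA figure."""
    return today - last_review >= timedelta(days=period_days)

# Constructed sample register using the article's internal/external split
SAMPLE_THREATS = [
    Threat("Phishing email steals staff credentials", "external", 3, 3, "spam filter", False),
    Threat("Phone holding PHI left on a bus", "internal", 2, 3, "none", False),
    Threat("Records cabinet left unlocked", "internal", 2, 2, "lock and sign-out log", True),
    Threat("Documents left on desks", "internal", 3, 1, "clean-desk reminder", False),
]
SAMPLE_REMEDIATION = {  # threat name -> (measure, responsible person, target date)
    "Phishing email steals staff credentials": ("Phishing awareness training", "Security Officer", date(2025, 3, 31)),
    "Phone holding PHI left on a bus": ("Device encryption and remote wipe", "IT Manager", date(2025, 2, 28)),
    "Documents left on desks": ("Clean-desk policy in annual training", "Privacy Officer", date(2025, 4, 30)),
}
```

The cabinet threat never reaches the plan because its existing control was assessed as effective; everything else is ordered by score, which is the prioritized checklist the action plan is drawn from.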

Regardless of the outcome of the risk analyses, it is always advisable that – if one is not already in place – an organisation-wide training scheme is implemented. This will ensure that all employees, regardless of status within the organisation, will be up-to-date on new developments in privacy policy. It also acts as a refresher for employees, as it would not be surprising if some fell out of the habit of locking their desks, for example, especially if there had been no recent major breaches.

Developing and Enforcing HIPAA-Compliant Policies

Depending on the nature of the organization’s business, there are a number of policies that have to be developed and enforced in order to be HIPAA-compliant. These policies are based on the different rules within HIPAA. It is the role of the organization’s Privacy/Security Officer to determine which policies are necessary and how existing policies can be amended (if necessary) in order to fulfil the requirements of HIPAA. Again, there is plenty of professional help available for organizations and Privacy/Security Officers if required.

One of the key policies that should not be omitted in any circumstances is the Sanctions Policy. This policy for employees should be at the top of most organizations’ HIPAA compliance checklists, as it defines the three different classes of offences under HIPAA and their respective sanctions. A recommended best practice is to have acceptance of the Sanctions Policy included in employment contracts and to ensure employees review the Sanctions Policy at least once a year.

Other sample policies include ones based on employee training, BA agreements, communication with patients and breach notification.

Review Your HIPAA Compliance Checklist Frequently

When the Final Omnibus Rule was enacted in 2013, the necessity for the Office for Civil Rights to prove a breach had occurred following an unauthorized disclosure of PHI was removed. Instead, the Covered Entity or Business Associate now has to prove no significant harm has occurred due to an unauthorized disclosure. This change in the regulations has made it possible for the Office for Civil Rights to pursue more violations of HIPAA and impose more fines or “Resolution Agreements”.

With additional financial resources available, the Office for Civil Rights has commenced a HIPAA audit program. In the audit program, random Covered Entities and Business Associates are selected and required to demonstrate their compliance with HIPAA. Prior to each round of audits, the Office for Civil Rights issues an “audit protocol”, highlighting the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules that auditors will be specifically looking at.

By reviewing and updating your HIPAA compliance checklist frequently, you will be able to review the audit protocol, find any matching measures on the checklist still awaiting implementation, and prioritize them in case your organization is randomly selected for an audit. Creating, maintaining and reviewing a HIPAA compliance checklist is therefore ideal for avoiding sanctions from the Office for Civil Rights for non-compliance with HIPAA as well as detecting vulnerabilities within your organization and threats to the integrity of PHI.

HIPAA Compliance Checklist: Summary

HIPAA compliance is a complicated business, largely due to the vague nature in which the legislation has been written. However, it is hard to overstate the importance of HIPAA compliance checklists: as well as having a pivotal role in protecting PHI and thus safeguarding patient privacy, they can also protect against penalties if an OCR audit occurs. Checklists should be based on regular and comprehensive risk assessments, and ideally feed into new company policies and training programs. Here, we have provided some essential guidelines on creating such checklists and acting on them in a HIPAA-compliant manner.