2024 HIPAA Compliance Checklist: Enhancing Healthcare Cybersecurity

Are you aware that healthcare providers paid over 2 million USD as penalties for not complying with HIPAA regulations? And this is not the whole story. There are several other small-scale breaches as well. Once you experience a HIPAA Compliance breach, the Office of Civil Rights lists your business on the ‘Wall of Shame’ detailing the violation, penalty, number of people impacted, the date, etc.

If you want to avoid all of that, make double sure that you don’t take your Healthcare Cybersecurity lightly and have a look at this HIPAA Compliance Checklist.

 What is HIPAA Compliance?

HIPAA compliance sets out the processes that covered entities need to undertake to ensure that patient’s health information is protected.

They have to implement security measures to ensure that the privacy of patient data is protected. Any entity that accesses PHI has to follow the HIPAA compliance rules. Without HIPAA certification, entities can be fined and penalized.

Before we dive into the HIPAA Compliance Checklist, let’s understand the various rules and who is covered, etc. 

Who is Required to be HIPAA-Compliant?

If you or your organization are any of the following, you have to comply with HIPAA regulations as a Covered Entity:

1. Providing individual or group health plans – HMO
2. A health program, either state or federal-funded
3. Issue Medicare Supplemental policy
4. A welfare program for multiple employers
5. A health plan with 50 or more members that’s employer-sponsored or self-administered, and pays healthcare costs through reimbursement or insurance, etc.
6. A healthcare clearing house
7. A repricing firm
8. Providing billing services
9. Community health MIS provider
10. Community Health information system, processing or facilitating processing, of health information received in a non-standardized format from an entity 
11. A pharmacy or provider of healthcare services who gets paid for healthcare submits bills and transmits electronic health information for a transaction covered by HIPAA standards.

If you or your organization are any of the following, you have to comply with HIPAA regulations as a Business Associate:

• An organization that receives, records, processes, or sends PHI to fulfill an activity, service, or function, for a Covered Entity or on their behalf;
• A health information organization, an e-prescribing gateway, or other organization that provides services like data storage or transmission related to PHI;
• Offering subcontracting services for the above-mentioned organization types that receive, record, process, disclose, or send Protected Health Information.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule defines national security standards aimed at protecting patient rights to over their personal information and health records, and applies to Covered Entities only. These Data privacy regulations address the use and disclosure of PHI of an individual by entities, giving more control to individuals over their personally identifiable information.

HIPAA Compliance Privacy Rule Checklist

• Assign a HIPAA privacy officer to be in charge and develop, implement, and enforce the relevant policies
• Have a clear understanding of PHI, its use and disclosure complying with HIPAA, and when to get an individual’s authorization
• Identify PHI privacy risks and apply protective measures to mitigate risk and bring them to a manageable level
• Develop policies and procedures to use and disclose PHI to ensure compliance and prevent violations
• Develop policies and systems to get authorizations and to grant individuals the opportunity to agree or disagree
• Craft and distribute a Notice of Privacy Practices to specify how the organization will use and disclose PHI, and define the rights of the individual.
• Develop plans to manage requests from patients to access their PHI, edit information, and transfer data
• Create systems for employees to report violations and enable organizations to perform breach notification requirements
• Train employees thoroughly on policies relevant to their roles and HIPAA in general
• Draft and disseminate a policy that outlines the penalties for non-compliance with organizational HIPAA policies.
• Conduct due diligence on Business Associates, and review and revise existing Business associate agreements (BAA)
• Have a written contingency plan to respond to incidents of destruction of physical locations or IT systems that store PHI.

HIPAA Compliance Risk Assessment Checklist 

Covered Entities and Business Associates vary in complexity, capabilities, and size, and there isn’t much guidance regarding what risks must be assessed and how to analyze them. Here are some pointers:

• Identify the PHI recorded, received, created, and transmitted by your organization, including that shared with vendors, consultants, etc
• Identify the intentional and unintentional human threats to PHI integrity along with natural and environmental ones
• Evaluate the measures to safeguard against PHI integrity threats and the potential for anticipated breach occurrence
• Establish the possible impact of a breach and allocate a risk level to each possibility 
• Note the analysis and put plans and systems in place that will help you be in compliance with HIPAA
• The risk evaluation, reasoning for the implemented plans and systems, and all policy documentation are to be maintained for 6 years.

Do note that this is not a one-time thing, but a continuous activity if you want to maintain HIPAA compliance. Review your risk evaluations and policies whenever there are changes to staff, technology, etc.

What is HIPAA Security Rule?

The HIPAA Security Rules aim to ensure that PHI that is transmitted electronically (e-PHI) is kept confidential available, and trustworthy. It consists of five sections – General, Physical, Technical, Administrative, and Organizational safeguards.

HIPAA Compliance Security Rule Checklist

• Assign an IT employee as the Security Officer
• Identify and protect systems that record, receive, transmit or maintain Electronic Protected Health Information (ePHI), preventing unauthorized access from elsewhere in the organization
• Apply measures to minimize threats from cyberattacks through anti-malware, firewalls, etc
• Provide controlled, role-based access to ePHI to employees, preventing them from accessing too much information
• Create a process to check employee identity to ensure workstation security, and comply with the Security Rule requirements of event logging and physical security
• Inventory the devices used for ePHI access and the storage media used
• Implement a system to instantly record the movement of media or devices
• Implement PIN locking for all remote and personal devices that access ePHI 
• Create a system allowing employees to report security incidents or concerns to the relevant authority
• Train employees meticulously regarding incident reporting and escalation of concerns
• Create a sanctions policy for policy violations and ensure all employees receive a copy of the document 
• Make a contingency plan to deal with potential events that may compromise the availability, integrity, and confidentiality of ePHI 
• Review agreements with business associates and replace clauses that fail to comply with organizational requirements related to ePHI disclosures.

The HIPAA Compliance Breach Notification Rule

Every organization that records, processes, receives, or sends PHI or ePHI must comply with the data breach notification rule, including organizations to whom the privacy and security rules don’t apply, like PHR vendors, fitness tracker services, third-party service providers, etc.

Such organizations must notify affected individuals, relevant agencies, and the local media (specific cases) when there is a breach, even if it is for a single person’s health record.

However, organizations must first establish if the breach is reportable; unnecessary reporting can disrupt business and lead to investigation despite the lack of violation.

Check for the following to know if the breach must be reported:

• Was the ePHI encrypted, undecipherable, unreadable, and unusable?
• What health information and identifiers were exposed?
• What is the probability of further usage or disclosure of the data?
• What remedies are in place to mitigate the breach impact?

In case of a reportable breach, it must be communicated to the individual within 60 days including details like the disclosed data, steps taken by the organization to mitigate its impact and thwart further incidents, and how the individual can best protect themselves.

In case it impacts under 500 persons, organizations must notify the relevant authority by the end of the calendar year. If it is more than 500 persons, the relevant agency and local media must be informed within 60 days; failure to do so can result in severe penalties and heavy fines.

Trying to handle all the requirements and complexities of the compliance checklist can be overwhelming. Engage the services of an expert HIPAA compliance consultation company like Wattlecorp, and experience minimal business disruption. Stay compliant while you focus on your core business activities ensure improved health outcomes for your patients and save yourself the hefty cost of HIPAA non-compliance. 

FAQs (Frequently Asked Questions )