Why a HIPAA Compliance Checklist is Important

As we discussed, HIPAA compliance is a process that healthcare orgs and their associates follow to be sure they are protecting and securing PHI. HIPAA’s privacy and security rules introduced minimum privacy, technical, physician and administrative requirements that apply to all covered entities nationwide, preempting all other federal, state and professional regulations. 

Before getting into the details of how a HIPAA checklist impacts an organization, let’s define some terminology, as well as who HIPAA regulations actually apply to and what they are meant to protect.

• Protected Health Information (PHI) is the data generated when consumers have any kind of healthcare encounter, such as a doctor’s office visit, medical exam, diagnostic procedure, surgery or other medical procedure. 

• Covered entities are the individuals or organizations, such as doctors, nurses and insurance companies, that have access to PHI and use it in various ways. This includes healthcare professionals in non-clinical roles. Health plans, healthcare clearing houses and healthcare providers who electronically transmit health information in connection with transaction for which the U.S. Department of Health and Human Services (HHS) has adopted standards are all covered entities.

• Business associates are individuals and services that work with covered entities in a non-healthcare capacity. They include the administrators, accountants, lawyers and others who work in the healthcare industry and, without having a hands-on role in patient care, have access to PHI.

HIPAA’s overall goal is to protect the confidentiality and security of consumers’ health information. Its 3 main rules – the Privacy Rule, the Security Rule and the Breach Notification Rule – are intended to accomplish this. All organizations must comply with these rules in order to be HIPAA-compliant.  

HIPAA rules ensure that a patient’s private health data is accessed only by authorized parties and safeguarded through physical, administrative and technical measures, and that patients have access to their personal medical records upon request. The rules also require covered entities to promptly report and resolve any security breach.

• The Privacy Rule: The HIPAA Privacy Rule sets forth standards to protect all individually identifiable health information handled by covered entities or business associates. This PHI can include a wide range of sensitive information such as social security numbers, credit card information and medical histories, which can include procedures, conditions and diagnoses.

• The Security Rule: The HIPAA Security Rule establishes standards for the protection of electronic PHI (ePHI) that covered entities may create, use or maintain. Focusing specifically on securing electronic data, the Security Rule’s goal is to protect patents’ information while allowing covered entities the leeway to develop and adopt new technologies that improve the quality and efficiency of patient care. Rather than imposing specific technological requirements, the rule considers flexibility, scalability and technological neutrality. 

• The Breach Notification Rule: HIPAA’s third rule requires covered entities and business associates to provide a specific set of notifications of any breaches involving PHI. Should a breach occur, the rule requires the affected organization to conduct a risk assessment to determine the breach’s scope and impact, confirm whether it falls under the notification requirement and make notifications to the individuals affected and the HHS Secretary.

Prior to 1996, there was no federal rule governing the privacy and protection of health information. Information privacy before HIPAA had no clear definitions for what protecting PHI meant or guidelines for how to do it. At the same time, insurance companies routinely shared information with employers, patients had limited access to their own medical records. This meant that personal information could be shared with your employer, which could lead to being stigmatized or even discharged as a result of this information being disclosed. 

With the introduction of HIPAA, individuals could be confident their personal information was being treated with the privacy and security it deserved. That meant that healthcare administrators at hospitals, medical practices, insurance companies and other covered entities had to make substantial changes to the way they had been operating in the past. 

Healthcare organizations and the people who work in them have had to develop a range of processes, technologies and external partnerships to maintain compliance with HIPAA in both physical and digital spaces. From a strategic level, 4 principles guide their HIPAA compliance activities:

• Policies: Strong cyber security standards, privacy policies and procedures should be implemented to meet HIPAA requirements. A well-trained staff and well-documented policy should be distributed throughout the organization.

• Safeguards: Physical and digital safeguards for PHI should be maintained with restricted access to physical spaces where PHI is housed and with strong password and login precautions put into place.

• Risk assessment: Covered entities should conduct annual HIPAA risk assessments. These audits should over all of the organization’s administrative, security and technical measures intended to achieve compliance.

• Investigations: When lapses in compliance are identified by the covered entity, its regulators or auditors, the organization should have processes in place to determine the cause of violations and remedy them so they don’t occur again.

How can HIPAA violations affect a healthcare organization? In the form of an enforcement rule that enables strict penalties for noncompliance. In one example, the HHS Office for Civil Rights (OCR) issued its first financial penalty for a HIPAA violation in 2009 when it ordered CVS Pharmacy Inc. to pay $2.25 million for the improper disposal of patient health records. Since then, multiple penalties have been assessed and criminal prosecutions pursued by the OCR and other entities, including State Attorneys General and the Department of Justice. 

A HIPAA Compliance Checklist, sometimes called a HIPAA Compliance Audit Checklist, helps organizations improve the efficiency of the compliance process, determine which of HIPAA’s provisions they are required to comply with and how best to achieve that compliance. Covering both technical and non-technical safeguards, steps on the checklist include:

• Thoroughly understanding HIPAA’s Privacy, Security and Breach Notification Rules.

• Discovering which rules apply to your organization.

• Determining what data needs extra protection and how to accomplish that.

• Performing a risk analysis to determine what additional controls or new procedures you may need to become HIPAA compliant.

• Addressing gaps in privacy and security controls.

• Maintaining detailed documentation, including versions of policies and procedures as they’re edited, records of who attends compliance training sessions and documentation of entities you share PHI with.

• Reporting security incidents immediately. To be compliant with the Breach Notification Rule, covered entities must submit a breach report to the Secretary of HHS within 60 days of the discovery of the breach and notify all individuals whose PHI may have been exposed. If the breach has affected more than 500 people, notify local media.

• Establishing accountability and responsible personnel for your compliance plan.

• Ensuring that your IT infrastructure meets the required standards and automating data security monitoring.

A checklist will help you to be more confident that you are fulfilling your obligations under HIPAA’s rules. When the OCR determines that a covered entity or business associate has violated HIPAA, it may assess fines and impose a Corrective Action Plan (CAP). The CAP typically imposes significant compliance requirements, including requiring the covered entity or business associate to perform a security risk analysis and risk management plan. Complying with a CAP may not involve a substantial financial penalty but can incur indirect costs and be disruptive to your business activities.

Medical practices can gain tangible benefits from HIPAA compliance in several ways. In fact, research has shown that HIPAA compliance actually makes for better medicine. When patients trust that their provider has taken steps to protect the confidentiality of their PHI, they feel more in control, less at risk and more of a willingness to share personal information with medical professionals. This, in turn, can enable medical professionals to make better-informed diagnoses and prescribe most effective treatment plans. This often results in positive patient outcomes, and can raise morale in the healthcare workplace, increase patient safety in other areas of the practice’s operations and reflect in higher satisfaction scores from patients and their families.

Several steps should be taken to ensure the successful implementation of your HIPAA compliance checklist: 

• Put someone in charge: Appoint a privacy and security officer who will oversee the program and ensure its efficient rollout. Next, develop a written privacy and security policy and code of conduct for everyone in your organization. 

• Implement staff training: HIPAA requires organizations to remain compliant by implementing internal guidelines for staff training. This should include security awareness training for all staff. 

• Shore up your digital and physical security: Make sure your IT infrastructure meets the required standards and be sure to allow for secure physical and technical storage of PHI. This involves restrictions to physical access to the areas where PHI is stored in your facilities, and digital access to electronic PHI using computer hardware and software. 

• Deploy new technologies: New technologies may be needed for PHI handling. This may involve adding technologies to reinforce your digital security measures to keep hackers at bay, planning for regular security software updates and using technology that encrypts data, monitors authorized users and blocks unauthorized users from accessing data systems.

• Evaluate your current risk level: There is no one-time certification to tell the world you are HIPAA-compliant. It’s all about self-assessment, and that’s what you need to do to discover if there’s been a breach or you suspect a violation. HIPAA-compliant organizations conduct regular audits and risk assessments, which should also cover all technical and administrative policies.

• Plan for emergencies: Develop an action plan for response to cyberattacks or other security incidents that is tailored to your organization, location and policies. The Breach Notification Rule states that HIPAA-compliant businesses must have specific policies and procedures for handling data breaches. To secure the integrity of the PHI in your system, your plan should include the creation of a roadmap for everyone in your organization to follow in case of an incident.

• Investigate violations: Each discovered violation must be resolved before your organization can be HIPAA-compliant. This requires guidelines and a timeframe for resolution, and, in accordance with the Breach Notification Rule.

At DeVry, we can help you prepare to pursue a career in health information management. Explore methods of securing and maintaining patient PHI, staying on top of current technologies and ensuring medical databases remain complete, accurate and secure. 

We have several degrees and programs at the ever-changing intersection of healthcare and technology, such as our Undergraduate Certificate in Medical Billing and Coding, our Associate Degree in Health Information Technology and our Bachelor’s Degree in Healthcare Administration. Explore them today to find the program that’s right for you.