All businesses that deal with Protected Health Information (PHI) are required to adhere to HIPAA rules and regulations. Those that don’t, and are found to be in violation of its standards, can face hefty fines, reputation damage, and even legal action. Our HIPAA compliance checklist will help you avoid such consequences and become fully HIPAA compliant.
Why is HIPAA Compliance So Important?
HIPAA compliance is increasingly important because of the number of businesses it applies to and the type of private, personal data it is designed to secure: physical and electronic Protected Health Information, also known as PHI and ePHI.
“If exposed to the wrong people, Protected Health Information has the potential to cause tremendous damage to an individual. Everything from personal reputation to career opportunities can be affected. HIPAA requirements are important to prevent Americans' health information from being stolen and exploited by criminals.” - Zach Fuller, Founding Partner, Silent Sector
HIPAA regulations didn’t always affect such a wide spectrum of industries. At one point it applied solely to healthcare organizations and insurance companies. This was before the advent of online data risks. That’s certainly not the case today.
Today, any business or organization that could come across PHI data, or is deemed a “business associate” of a healthcare organization is responsible for following HIPAA rules.
This means law firms, document storage companies, managed service providers, medical couriers, billing agencies, SaaS providers, and anyone else who handles PHI need to comply with HIPAA rules and regulations.
Another hard truth is that businesses that don’t meet these standards will be unable to work with healthcare organizations and will miss out on potentially very lucrative business opportunities. By becoming HIPAA compliant, however, a company can access an industry worth over $800 billion.
What is HIPAA Compliance?
HIPAA compliance is the sum of activities, processes, and behaviors that a company or organization enacts in order to comply with the rules and regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This includes the Omnibus Final Rule of 2013, which also contains the Breach Notification Rule.
HIPAA compliance measures often include (but are not limited to):
- Internal training and education on HIPAA rules
- Controlling who has access to PHI data
- Documenting security information and security policies
- Breach notification processes
- Reporting HIPAA compliance measures and processes
- Ongoing security reviews to ensure continual compliance is met
What Companies Need to Comply with HIPAA?
As mentioned earlier, any company or organization that may come into contact with PHI data is required to adhere to HIPAA compliance processes. Eligible companies are called “entities” in the HIPAA act and are broken into two categories:
- Covered entities. These are organizations directly involved in healthcare such as clinics, insurance companies, pharmacies, hospitals, nursing facilities, and others.
- Business associates. These are companies that provide services to “covered entities” and may come in contact with PHI and ePHI as a result of this relationship. This could include (but is not limited to) data warehouses, managed service providers, law firms, accountants, telecommunications, medical couriers, and more.
Covered Entity vs. Business Associate
| Criteria | Covered Entity | Business Associate |
| --- | --- | --- |
| Individual or group health plan providers | ✓ | |
| Health maintenance organization (HMO) | ✓ | |
| Issuer of a Medicare supplemental policy | ✓ | |
| Federal or state-funded health program | ✓ | |
| Multi-employer welfare program | ✓ | |
| Self-administered, employer-sponsored health plan with 50+ members | ✓ | |
| Health care clearinghouse | ✓ | |
| Billing service | ✓ | |
| Repricing company | ✓ | |
| Community health management/information system | ✓ | |
| Transmit health information in electronic form for patient care (clinician, pharmacy) | ✓ (Healthcare provider/pharmacy) | |
| Create, receive, maintain, or transmit Protected Health Information (PHI) | | ✓ (For or on behalf of a Covered Entity) |
| Data transmission or storage services for PHI (data warehouse, managed service provider, information consultants, paper records management) | | ✓ |
| Subcontractor services that handle PHI | | ✓ |
To summarize:
- If your organization fits any of the criteria in the "Covered Entity" column, it is considered a Covered Entity.
- If your organization does not fit the criteria for a Covered Entity but meets any of the criteria in the "Business Associate" column, it is considered a Business Associate.
- If your company doesn’t fit into any of the above categories, it may still need to comply with HIPAA. For example, if you provide a digital platform that a covered entity or business associate uses, you may be required to comply with HIPAA. If you’re unsure, reach out to a HIPAA security consultant for a thorough assessment of your HIPAA responsibilities.
4 HIPAA Compliance Checklists to Quickly Assess Your HIPAA Compliance Status
HIPAA compliance is an ongoing process that requires continual efforts and assessments. As such, we’ve broken down HIPAA IT checklists based on the different areas of your organization in relation to HIPAA compliance requirements. Covered entities and business associates will find these checklists helpful.
The following checklists are for quickly assessing if your company’s compliance measures are up-to-date and in good standing with current rules and regulations.
They will give you a snapshot of your current HIPAA posture; they should not be used as a replacement for HIPAA readiness assessments, security gap assessments, audit-readiness testing or as an official compliance measure.
HIPAA Checklist 1: Security Governance, Policies, and Procedures
This checklist will help you assess if you have the right internal governance policies in relation to cybersecurity and HIPAA requirements.
| Question | YES | NO |
| --- | --- | --- |
| Do you have established security governance documents, including privacy policies and procedures that are easily accessible and up-to-date? | ⬜ | ⬜ |
| Is there a risk management policy in place? | ⬜ | ⬜ |
| Is ePHI encrypted when being shared across public networks? | ⬜ | ⬜ |
| Do you have breach notification protocols? | ⬜ | ⬜ |
| If your company is a covered entity, have you identified all business associates? | ⬜ | ⬜ |
| Do you have up-to-date agreements with all business associates to show they are HIPAA compliant? | ⬜ | ⬜ |
| Can your employees report HIPAA violations anonymously? | ⬜ | ⬜ |
| Is there a contingency/disaster recovery plan if physical PHI records are damaged? | ⬜ | ⬜ |
HIPAA Checklist 2: HIPAA Compliance Audit Checklist
Security audits of different kinds are required when a company is seeking to become HIPAA certified or as part of their ongoing compliance program and requirements. They apply to different areas of your company such as people, infrastructure, policies, and other areas where PHI and ePHI data is handled.
The checklist below will help you identify if you’ve completed the right security audits for your organization’s HIPAA compliance protocols.
| Type of Security Audit | YES | NO |
| --- | --- | --- |
| Security risk assessment | ⬜ | ⬜ |
| Privacy assessment | ⬜ | ⬜ |
| Administrative assessment | ⬜ | ⬜ |
| Security assessment of business associates and third-party vendors | ⬜ | ⬜ |
| Do you have a plan to address deficiencies found in any of the security audits? | ⬜ | ⬜ |
HIPAA Checklist 3: People
Your people are key to ensuring your company complies with HIPAA rules and regulations at all times. They need to be educated on their responsibilities, understand the best practices of securing PHI and ePHI data, and know how to report a violation if they encounter one.
This checklist will help you assess how well your team is able to uphold HIPAA compliance requirements.
| Question | YES | NO |
| --- | --- | --- |
| Are employees aware of their responsibilities in relation to HIPAA compliance? | ⬜ | ⬜ |
| Are employees trained on how to uphold HIPAA protocols in relation to their role and tasks? | ⬜ | ⬜ |
| Are employees aware of the ramifications and consequences of violating HIPAA rules? | ⬜ | ⬜ |
| Does your team know how to report HIPAA compliance violations, and would they be comfortable doing so? | ⬜ | ⬜ |
| Do you have a designated HIPAA compliance officer? | ⬜ | ⬜ |
| Do you have control measures that limit who can access PHI data? | ⬜ | ⬜ |
HIPAA Checklist 4: Reporting
Being able to demonstrate compliance is as important as following the rules themselves. It ensures that any auditor or potential customer can quickly and easily see your company’s commitment to compliance. Documentation is also a requirement of compliance in its own right.
This HIPAA compliance requirements checklist for reporting will help you assess if your documentation practices measure up.
| Question | YES | NO |
| --- | --- | --- |
| Do you have records that demonstrate 6 years of HIPAA compliance, including archives of all HIPAA documents such as policies and procedures? | ⬜ | ⬜ |
| Do you have a system to track, investigate, and mitigate compliance violations? | ⬜ | ⬜ |
| Do you thoroughly document your annual review of policies and procedures? | ⬜ | ⬜ |
| Do you have a process to document and report breach violations? | ⬜ | ⬜ |
| Do you document internal training and ongoing education? | ⬜ | ⬜ |
Take the Next Steps in Your HIPAA Compliance Journey
Once you’ve completed the above checklists you and your team should have a clearer understanding of where you stand in relation to HIPAA compliance. This information will be useful as you determine your next steps forward.
If you’re unsure of how to proceed or don’t know how to respond to the above questions, you may need support from a HIPAA compliance security expert. At Silent Sector, we can untangle your HIPAA compliance position and help get you on the right path towards full compliance.
To learn more, contact the Silent Sector team.