HIPAA Compliance Checklist: Learn the Requirements to Become HIPAA Compliant
Owing to the increasing number of healthcare security breaches, the US Department of Health and Human Services (HHS) imposes strict rules on companies that handle protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
Failure to comply with the act can result in substantial fines, criminal charges, and civil litigation. HIPAA covers five essential areas:
- Privacy
- Security
- Enforcement
- Breach Notification
- Omnibus
HIPAA Definition
Introduced in 1996 under President Bill Clinton, HIPAA is a federal law that provides a set of rules and regulations to protect healthcare and medical data. It sets security standards for electronic healthcare billing, for storing patients’ healthcare information, and for handling medical data, and it requires that healthcare data be kept private.
HIPAA also provides guidelines for notifying patients of a security breach and requires healthcare organizations to secure their infrastructure at the administrative, physical, and technical levels.
Being aware of HIPAA compliance guidelines is essential to prevent huge fines, disciplinary action, and/or penalties. Ignorance of HIPAA regulations is not considered a justifiable defense by the Office for Civil Rights (OCR) of the US Department of Health and Human Services.
HIPAA Compliance Terminology
Covered entities and business associates must follow HIPAA guidelines to protect and secure Protected Health Information (PHI). In other words, if you are a covered entity or a business associate, you must be HIPAA compliant. Before assessing whether your company is HIPAA compliant, it is necessary to understand some terminology associated with HIPAA.

| Term | Definition |
| --- | --- |
| Protected Health Information (PHI) | The individually identifiable health data that HIPAA is intended to protect and safeguard. |
| Covered Entity | Any healthcare organization or entity that accesses PHI. Covered entities can be medical providers, clearinghouses, health insurers, or employer-sponsored health plans. |
| Business Associates | Individuals or organizations that work with covered entities in a non-healthcare capacity, i.e., people that maintain the PHI stored by covered entities. |
Rules and Components of HIPAA
It is also helpful to understand the rules and components of HIPAA. After all, you can’t comply with something you are unfamiliar with.
Privacy Rule
The Privacy Rule regulates the use and disclosure of PHI by covered entities. These entities may disclose PHI to law enforcement, to facilitate treatment, or in other cases when written authorization has been received. When PHI is disclosed, covered entities must ensure that only the minimum necessary information is released and must notify individuals of the disclosure of their PHI.
Security Rule
Complementing the Privacy Rule, the Security Rule pertains only to electronic PHI (ePHI). It lays out administrative, physical, and technical safeguards. Administrative safeguards are the policies and procedures that show how the entity complies with the act; physical safeguards control physical access to protected data; and technical safeguards control access to the computer systems that contain ePHI.
Enforcement Rule
The Enforcement Rule sets the financial penalties for violating HIPAA rules and establishes the procedure for hearings on HIPAA violations. It states that covered entities must apply corrective measures if noncompliance is established. Noncompliance can be established if there is:
- Misuse and nonconforming disclosure of PHI.
- Lack of protection of health information.
- Lack of safeguards for electronic PHI.
- Disclosure of more than the minimum necessary PHI.
Omnibus Rule
A later addition to the HIPAA guidelines, the HIPAA Omnibus Rule expands the definition of business associates to include storage companies, consultants, and subcontractors, and it also increased the civil penalties for HIPAA violations.
Breach Notification
The HIPAA Breach Notification Rule regulates how a breach notification must be issued if a breach occurs. If more than 500 PHI records are affected, you must notify HHS and OCR; all smaller breaches (fewer than 500 records) must be reported to HHS once a year.
HIPAA Compliance Checklist
HIPAA’s requirements have changed over time with advances in technology. HIPAA has been updated multiple times, with more rules added over the years because of the constant rise in security breaches in the healthcare industry. Noncompliance can result in fines ranging from $100 to as high as $1.5 million per year.
To comply with the different HIPAA rules, work through the following checklist for each of the rules described above.
Compliance checklist for the HIPAA Privacy Rule
- Respond to patient requests promptly, as HIPAA gives you 30 days to get back to patients.
- Inform patients of your data sharing policies using a Notice of Privacy Practices (NPP).
- Train your personnel to understand which data can and cannot be shared.
- Ensure that the integrity of PHI is maintained at all costs.
- Ensure that you get permission from the patient to use their PHI.
- Update your authorization forms.
Compliance checklist for the HIPAA Security Rule
Technical Safeguards
- Encrypt all electronic protected health information (ePHI) when it is transmitted over an external network.
- Control user access to ePHI and govern its release or disclosure.
- Implement integrity controls that authenticate ePHI, i.e., verify that it has not been improperly altered or destroyed.
- Encrypt all endpoint devices.
- Implement audit controls that record and allow review of activity in systems containing ePHI.
- Enable automatic logoff after a certain time frame.
Physical Safeguards
- Control physical access to the facility.
- Protect mobile devices by removing data before devices are circulated to other users.
- Track all servers that store ePHI.
- Manage all workstations centrally to ensure proper use.
Administrative Safeguards
- Conduct risk assessments regularly, and deploy required measures to resolve risks.
- Train employees on ePHI access protocols and on how to recognize cybersecurity threats.
- Build contingency plans to achieve ongoing business continuity.
- Prevent unauthorized access to ePHI.
- Document and log all security incidents.
- Test your contingency plan regularly.
Compliance checklist for the HIPAA Enforcement Rule
- Report HIPAA violations to OCR.
- Remediate the root cause of any breach.
Compliance checklist for the HIPAA Omnibus Rule
- Refresh your business associate agreements to reflect the Omnibus Rule.
- Get signed copies of the new Business Associate Agreement (BAA) from stakeholders.
- Refresh your privacy policy to reflect the Omnibus Rule changes.
- Update the NPPs to cover information that requires authorization, the right to opt-out of correspondence, and the new breach notification requirements.
- Train your staff to be aware of the new Omnibus Rule adjustments.
Compliance checklist for the HIPAA Breach Notification Rule
- Make sure that you know the notification process for HIPAA in case breaches occur.
- If more than 500 PHI records have been compromised:
  - Notify the Department of Health and Human Services.
  - Issue a press release about the breach.
  - Provide OCR with a list of the PHI involved and an explanation of how the violation occurred.
  - Provide OCR with a list of all unauthorized entities that accessed the PHI. Also, indicate whether the PHI was actually accessed or was merely exposed.
  - Provide OCR with the mitigation steps that were taken to deal with the breach.
- If fewer than 500 PHI records have been compromised, you can report all such smaller violations to HHS in a single batch.
Generic HIPAA Compliance Checklist
Apart from the per-rule checklists above, a generic HIPAA compliance checklist ensures that you stay ahead of your obligations. To make certain that your organization is compliant:
- Conduct annual self-audits for security risk assessments, privacy assessments, and physical, asset, and device audits.
- Identify the gaps in your system, and document them.
- Create remediation plans to address the identified gaps.
- Document the remediation plans, review and update them annually, and retain the remediation plans in your records.
- Ensure that all employees complete their annual HIPAA training. Make one person responsible for the training, and ensure that you maintain documentation proving that all employees have received training.
- Make sure that all employees legally attest to your organizational policies and procedures that incorporate HIPAA rules.
- Identify all your business associates and vendors, and include them in signing necessary agreements that comply with HIPAA.
- Create a clearly defined incident response plan in case of a breach.
- Ensure you can provide the required reporting of minor or major breaches.
- Make sure that your organizational employees have instant but secure access to PHI from anywhere at any time.
- Deploy a solution that facilitates better access, security, mobility, and easier management of organizational infrastructure.
Parallels RAS Helps Organizations Requiring HIPAA Compliance
Parallels® Remote Application Server (RAS) is a virtual desktop and application delivery solution that enables healthcare providers to create their own secure, private cloud. It is a perfect solution for healthcare providers who need to maintain a HIPAA-compliant infrastructure.
Parallels RAS improves your healthcare infrastructure by improving accessibility, security, and mobility. It also allows for single-pane-of-glass management, auto-provisioning, and auto-scaling.
Improving accessibility
Parallels RAS provides secure access to desktops, applications, and patient data from any device, at any time, from any location, improving PHI accessibility to clinicians. Full redundancy offered by load balancing ensures that downtime is reduced while providing a seamless end-user experience.
Enhancing security
With the use of Parallels RAS, you can provide medical staff with compliant, secure, on-the-go access to PHI. Security measures such as multifactor authentication, customized policies, and advanced filtering are implemented to comply with the HIPAA Security Rule. Since all the data is stored centrally, monitoring the data is easier, thus making it possible to conform to HIPAA and other medical guidelines.
Enabling mobility
Be it a mobile device, Chromebook, MacBook, or Windows desktop, Parallels RAS allows every endpoint to access healthcare and diagnostic desktop applications easily. Therefore, medical staff can respond to emergencies quickly by receiving real-time updates and alerts on the go.
Single pane of glass
Medical administrators can manage the entire infrastructure from a centralized console. This ensures that monitoring resources, managing connected devices, defining security policies, and providing helpdesk assistance are straightforward.
Auto-provisioning and auto-scaling
Medical IT infrastructure can be scaled up or down automatically, as Parallels RAS creates, releases, removes, and load-balances Windows servers based on predefined criteria.
Parallels RAS has all the features necessary to comply with the HIPAA Privacy, Security, Enforcement, Omnibus, and Breach Notification Rules, making it a must-have for your medical organization.
Download the 30-day trial of Parallels RAS today!