HIPAA Compliance Checklist
Our updated HIPAA compliance checklist covers all the areas that you need to consider on the journey to HIPAA compliance.
If your organization is subject to HIPAA, it is recommended you use our 2023 HIPAA compliance checklist in order to review your compliance with the provisions applicable to your organization´s operations.
Please use the form on this page to arrange your free copy.
This article explains HIPAA requirements in more detail and can be used in conjunction with our HIPAA checklist to understand what is required to ensure compliance.
Summary Of Article Contents
Why Use The HIPAA Compliance Checklist?
Being aware of your compliance obligations and those of your business partners can be vital because, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action.
Although the majority of enforcement actions do not result in civil monetary penalties, complying with a corrective action plan (the most common violation resolution) will incur indirect costs and disrupt business activities.
HIPAA Compliance Checklist 2023 Overview
The purpose of a HIPAA compliance checklist is to ensure that organizations subject to the Administrative Simplification provisions of HIPAA are aware of which provisions they are required to comply with, and how best to achieve – and maintain – HIPAA compliance.
It can also be important for organizations to understand the compliance obligations of business partners to ensure they are HIPAA compliant when necessary.
- Establish whether or not your organization is required to comply with HIPAA; and, if so, which Rules apply to your organization’s operations.
- If required to comply with any Privacy Rules, appoint a Privacy Officer.
- If required to comply with any Security Rules, appoint a Security Officer.
- Understand what PHI is – and what it isn´t. (Developing policies that restrict the flow of information can negatively impact healthcare operations.)
- Conduct an audit to determine where PHI is created, received, stored, or transmitted, and how it is shared with Business Associates.
- Minimize the number of designated record sets in which PHI is maintained to simplify the management and protection of PHI.
- Be aware that the Security Rule consists of more than just the Administrative, Physical, and Technical Safeguards.
- Ensure measures are put in place for promptly notifying individuals and HHS´ Office for Civil Rights of data breaches.
- Determine whether or not your organization is exempted from reporting data breaches to the State Attorneys General.
- Make sure you have a way of finding out about changes to HIPAA and temporary Notices of Enforcement Discretion.
If in doubt about your organization’s compliance obligations, seek professional advice from a HIPAA compliance professional.
HIPAA Compliance For Organizations
The first issue to address is whether or not your organization is subject to the Administrative Simplification provisions of the Healthcare Insurance Portability and Accountability Act (HIPAA); and, if so, which provisions apply.
Who Is HIPPA Applicable To?
Generally, organizations subject to all the Administrative Simplification provisions are health plans, health care clearing houses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which a HIPAA standard exists.
Organizations that meet these criteria are referred to in HIPAA as Covered Entities. However, it is important to note there are multiple exceptions to the criteria. For example, health plans that provide “excluded benefits” are not Covered Entities, on-campus health centers that only provide medical services for students are not Covered Entities, and paper-to-paper non-digital fax communications are not considered electronic transmissions.
Business partners (referred to as Business Associates in HIPAA) are generally subject to some – but not all – of the Administrative Simplification provisions depending on the type of service they perform for, or on behalf of, a Covered Entity. Generally, Business Associates are required to comply with the Security Rule and Breach Notification provisions, §164.500(c) of the Privacy Rule, and any parts of the Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.
Not every business partner is a Business Associate. A business partner is only a Business Associate if it creates, receives, maintains, or transmits Protected Health Information (PHI) for a function or activity regulated by HIPAA. Business partners providing services for, or on behalf, of Covered Entities that do not involve a use or disclosure of PHI are not subject to the Administrative Simplification provisions of HIPAA.
Other exceptions exist with regards to members of a Covered Entity´s or Business Associate´s workforce. Workforce members under “the direct control” of a Covered Entity or Business Associate – whether paid or not – are not Business Associates but are required to comply with provisions relevant to their roles via policies and procedures implemented by the Covered Entity or Business Associate for whom they work.
Finally, if a health plan or healthcare provider does not qualify as a Covered Entity (because of an exception) but provides a service to or on behalf of an organization that does qualify as a Covered Entity, the exempted organization must comply with the Security Rule provisions and Breach Notification provisions, and any parts of the Privacy Rule provisions stipulated in a Business Associate Agreement.
HIPAA Compliance Checklist to Determine If Your Organization Is Subject to HIPAA as a Covered Entity or a Business Associate
This additional set of HIPAA compliance checklists will help you determine whether or not your organization is subject to the Administrative Simplification provisions of HIPAA; and, if so, which provisions apply.
|Is your organization:
|Is your organization:
|Are you, or is your organization:
If you have ticked any of the boxes in the above HIPAA compliance checklist for organizations, your organization is a Covered Entity and required to comply with the applicable Administrative Simplification provisions of the Privacy, Security, and Breach Notification Rules.
|Do you, or does your organization:
|Is your organization:
|Do you, or does your organization:
If you have ticked any of the boxes in the above HIPAA compliance checklist – and you have not already qualified as a Covered Entity – you or your organization are a Business Associate.
As such, your organization must respect HIPAA requirements to comply with the applicable Administrative Simplification provisions of the Security and Breach Notification Rules and any Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.
Not A Covered Entity Or Business Associate?
If you have ticked none of the boxes in the above HIPAA compliance checklists, this does not necessarily mean you are not required to comply with some Administrative Simplification provisions of HIPAA. For example, vendors of personal health records (“PHRs”) and PHR-related entities are required to comply with the HIPAA Breach Notification Rule even though neither a Covered Entity nor a Business Associate.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (defined as PHI when maintained or transmitted by a Covered Entity) in whatever format it is created, received, maintained, or transmitted (e.g., oral, written, or electronic).
The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits on the uses and disclosures that may be made of such information without an individual’s authorization.
The Privacy Rule also gives individuals rights over their PHI – including the right to obtain a copy of PHI maintained in a designated record set, request corrections if errors exist, and transfer some or all the PHI maintained in the record set to another provider.
Individuals also have the right to request an accounting of disclosures – a record of uses or disclosures of PHI over the previous six years except certain permissible or authorized disclosures.
Although the Privacy Rule applies to fewer organizations than the Security Rule, it is best to start on the path to compliance with a HIPAA checklist that relates to privacy and individuals´ rights. This is because the Privacy Rule is the foundation for every other HIPAA Rule; and, even if your organization is not required to comply with the Privacy Rule provisions, an understanding of what they are and their purpose is virtually essential for compliance with HIPAA´s other Rules.
Consequently, the following HIPAA Privacy Rule checklist should be regarded as a starting point for any subsequent HIPAA compliance checklist that may be more appropriate for your organization.
- Step 1. Designate a HIPAA Privacy Officer responsible for the development, implementation, and enforcement of HIPAA-compliant policies.
- Step 2. Understand what PHI is, how it can be used and disclosed in compliance with HIPAA, and when an individual´s authorization is required.
- Step 3. Identify risks to the privacy of PHI and implement safeguards to minimize risks to a “reasonable and appropriate” level.
- Step 4. Develop policies and procedures for using and disclosing PHI in compliance with HIPAA and for preventing HIPAA violations.
- Step 5. Develop policies and procedures for obtaining authorizations and for giving individuals an opportunity to agree or object when required.
- Step 6. Develop and distribute a Notice of Privacy Practices explaining how the organization uses and discloses PHI and outlining individuals´ rights.
- Step 7. Develop policies and procedures for managing patient access requests (to their PHI), correction requests, and data transfer requests.
- Step 8. Develop procedures for members of the workforce to report HIPAA violations and for the organization to fulfil its breach notification requirements.
- Step 9. Train members of the workforce on the policies and procedures relevant to their roles and on general HIPAA compliance.
- Step 10. Develop and distribute a sanctions policy outlining the sanctions for non-compliance with the organization´s HIPAA policies.
- Step 11. Perform due diligence on Business Associates, review existing Business Associate Agreements, and revise as necessary.
- Step 12. Develop and document a contingency plan for responding to an emergency that damages systems or physical locations in which PHI is maintained.
What Should a HIPAA Risk Assessment Consist Of?
Before moving ahead with other types of HIPAA compliance checklists, it is worth discussing what a HIPAA risk assessment should consist of. This is because there is a lack of guidance as to what risks should be assessed and how risk assessments should be analyzed.
The Department of Health and Human Services (HHS) has explained that the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities, and complexity.
However, HHS does provide guidance on the objectives of a HIPAA risk assessment:
- Identify the PHI that your organization creates, receives, stores, and transmits – including PHI shared with consultants, vendors, and Business Associates.
- Identify the human, natural, and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
- Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Document the findings and implement measures, procedures, and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the rationale for the measures, procedures, and policies subsequently implemented, and all policy documents must be retained for a minimum of six years.
As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued HIPAA compliance.
The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist and should be reviewed whenever changes to the workforce, work practices, or technology occur.
Depending on the size, capability, and complexity of an organization, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task.
There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a “specific risk analysis methodology”, there is no one-size-fits-all solution.
HIPAA Security Rule
The HIPAA Security Rule contains standards designed to ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (ePHI). The Rule consists of five sections – each of which is described in detail below, along with a HIPAA Security Rule Checklist that summarizes the key Security Rule requirements.
The General Rules
This first section of the Security Rule is frequently overlooked, yet it contains a number of key instructions to Covered Entities and Business Associates about their compliance obligations. For example, the General Rules stipulate that Covered Entities and Business Associates must:
- Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
- Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted by the Privacy Rule.
- Ensure compliance with the Security Rule by workforce members.
These are not lightweight instructions and imply organizations must identify reasonably anticipated threats and hazards, and potential impermissible uses and disclosures, implement measures to protect against them, and then monitor user activity to ensure workforces comply with Security Rule policies and procedures implemented by the organization.
The Security Rule safeguards (in sections two, three, and four) provide the minimum measures that must implement to comply with these instructions, but it is important to be aware that if a reasonably anticipated threat or hazard exists that is not covered by these minimum measures, organizations are responsible for developing and implementing additional measures.
In this respect, the General Rules allow for a “flexibility of approach”. The flexibility of approach clause gives organizations leeway to determine what security measures are suitable to mitigate threats, hazards, and the risk of impermissible uses and disclosures depending on their size, existing security capabilities, and the criticality of identified risks.
However, the flexibility of approach does not excuse Covered Entities and Business Associates from complying with all the Security Rule safeguards unless an implementation specification is “addressable” and either the safeguard is not reasonable or appropriate or an equivalent alternative measure would be equally – or more – effective.
The Administrative Safeguards
The Administrative Safeguards are the backbone of Security Rule compliance as they require that a Security Officer is designated with responsibility for conducting risk analyses, implementing measures to reduce risks and vulnerabilities, workforce training, oversight of IT continuity, and Business Associate Agreements.
There is some crossover between the Security Officer and Privacy Officer roles as both are required to develop a contingency plan to ensure business continuity and perform due diligence on Business Associates.
This is likely because some Business Associates will not be subject to the Privacy Rule yet have to have to ensure business continuity and have Business Associate Agreements in place with subcontractors.
|Security Management Process||Organizations must conduct risk analyses, implement measures to reduce risks and vulnerabilities, implement a workforce sanctions policy, and implement procedures to review system activity.|
|Assign Security Responsibility||Designate a HIPAA Security Officer responsible for the development, implementation, and enforcement of Security Rule procedures and policies. This can be the same person as the HIPAA Privacy Officer.|
|Workforce Security||Members of the workforce should have clearance before accessing systems containing ePHI and measures must be implemented to limit access to ePHI and terminate access when they change roles or end their employment.|
|Information Access Management||This standard applies to hybrid and affiliated organizations to ensure ePHI is only accessed by members of “covered” organizations´ workforces and not by workforce members of parent, joint, or affiliated organizations.|
|Security Awareness and Training||Members of the workforce – even those with no access to ePHI – must participate in an ongoing security awareness training program. This standard also includes security reminders and password management.|
|Security Incident Procedures||The standard requires Covered Entities and Business Associates to adopt measures for reporting, responding to, and documenting the outcomes of security incidents (Note: Not limited to cybersecurity incidents).|
|Contingency Plan||Establish (and test) policies and procedures to respond to an emergency. The policies and procedures must include a data backup plan, a disaster recovery plan, and an emergency mode operating plan.|
|Periodic Evaluations||This standard requires Covered Entities and Business Associates to periodically review the policies, procedures, and measure implemented to comply with the Security Rule – including Business Associate Agreements.|
The Physical Safeguards
The Physical Safeguards focus on physical access to ePHI irrespective of its location.
ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the organization´s premises.
The Physical Safeguards also stipulate how workstations and mobile devices should be secured against unauthorized access.
|Facility Access Controls||Although this standard applies to physical access to electronic information systems and the facilities in which they are housed, measures should also be put in place to limit physical access to paper PHI whenever possible.|
|Workstation Use||There are various interpretations of this standard – the most secure interpretation being prohibiting non-business activity on workstations and devices used to create, receive, maintain, or transmit ePHI.|
|Workstation Security||This standard requires Covered Entities and Business Associates to implement safeguards so that physical access to workstations and devices is limited to only members of the workforce with appropriate authorization.|
|Device and Media Controls||The implementation specifications attached to this standard include the disposal or re-use of media on which ePHI has been stored and maintaining an inventory of devices and media used by the organization to access ePHI.|
The Technical Safeguards
The Technical Safeguards are designed to make sure each person accessing ePHI is who they say they are, that they do what they are supposed to do; and that, if an issue manifests due to an accidental or malicious action, the issue is identified and rectified at the earliest possible opportunity.
|Access Controls||This standard not only relates to user identification and password management, but also includes implementation specifications relating to automatic logoff, encryption, and emergency access procedures|
|Audit Controls||The audit controls standard requires Covered Entities and Business Associates to implement software that records event logs and examines activity on systems containing ePHI.|
|Integrity Controls||As an addition to the above standard, controls have to be implemented to ensure ePHI is not altered or destroyed improperly. This is as much to mitigate the threat of malicious insiders as external threats.|
|Person or Entity Authentication||This standard is practically identical to the user identification requirements of the Access Controls standard and demonstrates the importance of implementing and enforcing an effective password management policy.|
|Transmission Security||Unlike the Integrity Controls standard that applies to ePHI when accessed by an authorized user, this standard requires measures are put in place to ensure the integrity of ePHI in transit and prevent unauthorized destruction.|
There are several sections of the Administrative Simplification provisions entitled Organizational Requirements, but whereas the others relate to “non-general scenarios” (e.g., hybrid entities and health plan uses and disclosures), the Organizational Requirements of the Security Rule are relevant to most Covered Entities and Business Associates as they cover Business Associate Agreements.
Business Associate Agreements are also covered elsewhere in the Administrative Simplification provisions, but it is important for organizations in a business relationship in which ePHI is disclosed to be aware of this specific section because it stipulates:
- Business Associate Agreements must provide that the Business Associate complies with the applicable parts of the Security Rule,
- Business Associates that subcontract services in which ePHI is disclosed must enter into an Agreement with the subcontractor, and
- Business Associates will report any security incident – including, but not limited to, breaches of unsecured ePHI – to the Covered Entity the Agreement is with.
There are additional requirements in the Organizational Requirements for when a health plan discloses ePHI to a plan sponsor, and these are very similar to the Organizational Requirements relating to hybrid entities.
The Security Rule then concludes with standards relating to document retention which are discussed in further depth in the section explaining the HIPAA Audit Checklist.
HIPAA Security Requirements
Although no standard in the Security Rule is any more important than any other, some are key to a HIPAA Security Rule checklist because – without them – it would be difficult to comply with the Rule in its entirety. Consequently, we have compiled what we feel are the twelve essential components of a HIPAA security requirements checklist.
- Step 1. Designate a HIPAA Security Officer. The role can be assigned to the HIPAA Privacy Officer; but in larger organizations, it is best to designate the role to a member of the IT team.
- Step 2. Determine which systems create, receive, maintain, or transmit ePHI and protect them from unauthorized access from other parts of the organization´s IT infrastructure.
- Step 3. Implement measures that mitigate the threats from malware, ransomware, and phishing. For example, advanced email and Internet filters with malicious URL detection capabilities.
- Step 4. Establish which workforce members should have access to ePHI and implement Role-Based Access Controls to prevent users accessing more ePHI than they are supposed to.
- Step 5. Implement a system for verifying the identity of workforce members to comply with the physical access, workstation security, and event logging requirements of the Security Rule.
- Step 6. Conduct an inventory of devices used to access ePHI and the media on which it is stored. Ensure a system is in place to record any movement of devices and media.
- Step 7. Ensure all devices used to access ePHI – including remote and personal devices – are PIN-locked and have automatic logoff capabilities activated to prevent unauthorized access.
- Step 8. Put processes in place for authorized workforce members to report security incidents or escalate security concerns to the Security Officer or Security Operations Center.
- Step 9. Implement a security awareness training program for all members of the workforce that incorporates how to escalate security concerns and incident reporting procedures.
- Step 10. Develop a sanctions policy explaining the sanctions for violating the organization´s security policies and distribute it among all members of the workforce (even those with no access to ePHI).
- Step 11. Develop a contingency plan for foreseeable events that may threaten the confidentiality, integrity, and availability of ePHI, and test the plan against each type of event.
- Step 12. Review existing Business Associate Agreements relating to disclosures of ePHI and replace any that fail to comply with the Organizational Requirements of the HIPAA Security Rule.
The HIPAA Breach Notification Rule
All organizations that create, receive, maintain, or transmit PHI or ePHI have to comply with the HIPAA Breach Notification Rule. This includes organizations not covered by the Privacy and Security Rules such as vendors of personal health records (“PHRs”), PHR-related entities (i.e., fitness tracker services that send data to or access data on a PHR), and third-party service providers.
Consequently, all organizations have to be prepared to notify individuals, the relevant federal agency, and – in some cases – local media when a breach of unsecured PHI/ePHI occurs. In such events, it is important to fulfil all the applicable requirements of the Breach Notification Rule, even if the breach relates to the health record of a single individual.
However, before actioning breach notification procedures, it is important for organizations to establish whether the breach is reportable or not. Unnecessarily reporting a data breach will likely result in an unnecessary investigation which, even if no violation is found, will result in some level of business disruption in addition to unnecessary concerns for the individual(s) affected.
Therefore, organizations should make sure that any breach is reportable by first conducting a risk assessment or taking advantage of a HIPAA breach decision tool/HIPAA breach risk assessment form to determine:
- Was ePHI encrypted and therefore unreadable, undecipherable, and unusable?
- If not, what health information and identifiers were exposed in the breach?
- Who (if known) acquired, accessed, or viewed PHI/ePHI impermissibly?
- What is the likelihood of the data being further used or disclosed?
- What measures are in place to mitigate the effect of the breach?
If a breach is reportable, individuals must be notified on the breach within sixty days. The breach notification must include information about what data has been disclosed, what the organization is doing to mitigate the effects of the breach and prevent further security incidents, and what the individual can do to best protect themselves from theft or fraud.
If the breach affects fewer than 500 individuals, organizations have until the end of each calendar year to notify HHS´ Office for Civil Rights or Federal Trade Commission. Breaches affecting 500 or more individuals must be notified to the appropriate agency and the local media within sixty days – the failure to do so attracting stiffer HIPAA violation penalties from HHS´ Office for Civil Rights or a fine of up to $46,517 per day from the Federal Trade Commission.
HIPAA IT Compliance
HIPAA IT compliance is sometimes confused with simply implementing the Safeguards of the Security Rule, but often much more is required for IT departments to be HIPAA IT compliant. For example, as most PHI is now maintained on electronic systems, IT departments have to consider how best to respond to individuals exercising their rights to access, correct, and transfer PHI.
Consequently, IT departments may be responsible for determining what data is maintained in a designated record set, what happens to data excluded from the designated record set, how information collected orally or on paper is added to the designated record set, and how the process for accounting of disclosures is managed – all Privacy Rule issues.
Due to likely being involved in the transfer of ePHI to or from Business Associates, IT departments may need to be involved in the due diligence process and will likely be the first port of call in the event of a Business Associate security incident – so therefore may need to know which party will be responsible for complying with the breach notification requirements.
It is also possible that representatives from the IT department will be involved in selected health care operations in which PHI is used or disclosed permissibly (i.e., provider or health plan evaluations, fraud and abuse detection, business planning, etc.). Consequently, they may need to be aware of the Minimum Necessary Standards and rules concerning incidental disclosures.
Additional HIPAA IT Requirements
In addition to the above – and implementing the Safeguards of the Security Rule – additional HIPAA IT requirements may include updating existing security mechanisms to meet the requirements of a “recognized cybersecurity framework” (see “Updates to HIPAA Compliance” below), preparing legacy systems for migration to the cloud, and monitoring user activity.
Ultimately – once a recognized security framework in in place and legacy systems are migrated to the cloud – it may be possible to automate many monitoring tasks. However, due to the evolving nature of cyberthreats, it will not be possible to automate periodic risk assessments and analyses and may not be possible to adjust quickly to new forms of malware, ransomware, and phishing.
Additionally, cyberattacks are not the only things that are evolving. The healthcare and health insurance landscapes are also evolving with new rules and guidance frequently being issued by HHS´ Office for Civil Rights, CMS, and the FTC. Furthermore, it is not just federal laws that IT departments have to comply with, but state laws as well.
Consequently, many IT departments have compliance requirements additional to HIPAA. Most states have privacy laws with at least one element preempting HIPAA, while some state laws extend beyond borders to protect citizens wherever they are (i.e., Texas). Organizations that treat international patients may also have to comply with the EU´s General Data Protection Regulation.
HIPAA IT Compliance Checklist
Bearing in mind the Security Rule´s “flexibility of approach”, that some smaller organizations will have limited resources, and that some larger organizations will have unique compliance challenges, there is no one-size-fits-all HIPAA IT compliance checklist. Nonetheless, we have compiled a list of best practices that can help IT departments meet the HIPAA IT requirements.
- Step 1. Understand which international, federal, and state laws your organization has to comply with and develop policies and procedures accordingly.
- Step 2. Enforce a password policy that requires the use of unique, complex passwords for each account and support the policy with mandatory MFA where practical.
- Step 3. Automate monitoring and reporting as much as possible to reduce the administrative burden of user compliance and threat management.
- Step 4. Test incident response and disaster recovery plans for every conceivable event. Ensure all team members understand their roles during such events.
- Step 5. Separate the infrastructure into a data layer and system layer to support the integrity of the system and isolate attacks on the system.
- Step 6. Implement encoding or blockchain technologies to prevent tampering and support compliance efforts to ensure the integrity of ePHI.
- Step 7. Prepare for the possibility that account credentials may be compromised and have processes ready to shut down compromised accounts remotely.
- Step 8. Map data flows – including those to/from Business Associates – to simplify risk assessments and analyses and more efficiently identify threats to ePHI.
- Step 9. Don´t assume all users have the same level of knowledge, awareness, or susceptibility. Identify where user weaknesses exist to build stronger defenses against cyberattacks.
- Step 10. Connect with third party compliance experts if you need assistance completing a HIPAA IT compliance checklist. You cannot leave security to chance!
The final HIPAA compliance checklist concerns HIPAA audits. While OCR´s audit program may not be as active as it was a few years ago, it is still beneficial to prepare for a compliance audit as the documentation requested in an audit is the same as requested in an investigation conducted by a federal agency in response to a data breach or complaint. As with the HIPAA IT compliance checklist, there is no one-size-fits-all HIPAA audit checklist.
In order to help HIPAA Covered Entities and Business Associates compile a checklist in preparation for the OCR audit program, the Department of Health and Human Services published audit protocols for the first two rounds of audits. You can find a link to OCR´s audit protocols in our dedicated HIPAA Audit Checklist page, along with suggestions for compiling internal HIPAA audit checklists.
How to Become HIPAA Compliant
It has been mentioned several times during this article that there is no one-size-fits-all HIPAA compliance checklist. However, although not all the Rules apply to all organizations, the basics of HIPAA compliance are the same for every type of Covered Entity, Business Associate, and PHR-related entity – protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of ePHI.
Ultimately, it will likely be necessary for each Privacy Officer and each Security Officer to develop their own HIPAA compliance checklist in order to address unique challenges. We hope that this article has provided some pointers to what should be included on each type of checklist; but, if doubts exist about the comprehensiveness of an organization´s compliance efforts, it is in the organization´s best interest to speak with a professional HIPAA compliance advisor.
Updates to HIPAA Compliance in 2021
On January 5, 2020, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for healthcare organizations and business associates that have implemented recognized security best practices prior to experiencing a data breach. The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a common security framework.
The update requires the HHS’ Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires the HHS to decrease the extent and length of audits when an entity has achieved industry-standard security best practices.
On December 10, 2020, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking (NPR) under the HHS’ Regulatory Sprint to Coordinated Care initiative. The NPR included several proposed modifications to the HIPAA Privacy Rule to strengthen individuals’ access to their own protected health information and to improve the sharing of PHI stored in EHRs between covered healthcare providers and health plans.
Comments on the proposed changes are being accepted for 60 days from the date of publication in the federal register and, after consideration of submitted feedback, a final rule will be published. While that may occur in 2021, HIPAA-covered entities and business associates will be given time to implement the changes before the new regulations will be enforced.
The update will see the addition of a definition of “electronic health record”, which is “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals.”
The proposed changes in the NPR are:
- Restricting the right of individuals to transfer ePHI to a third party to ePHI that is maintained in an EHR
- Allowing patients to inspect their PHI in person, take notes, and take photographs of their health records.
- Reducing the timeframe for providing access to PHI or copies of an individual’s PHI from 30 days to 15 days
- The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Clarification that an individual is permitted to direct a covered entity to provide their ePHI to a personal health application
- Eliminating the requirement for HIPAA-covered entities to obtain written acknowledgment from an individual that they have received the Notice of Privacy Practices.
- A requirement for HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures consistent with a valid authorization and to provide individualized estimates for fees for providing an individual with a copy of their own PHI.
- Amending the definition of healthcare operations to broaden the scope of care coordination and case management that constitute health care operations.
- Specifying when ePHI must be provided to an individual free of charge.
- Covered entities will be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered rather than a copy.
- Covered health care providers and health plans will be required to respond to certain records requests received from other covered health care providers and health plans, when directed by individuals pursuant to the HIPAA right of access.
- Permitting covered entities to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.
- The creation of an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures, irrespective of whether the activities constitute treatment or health care operations.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services.
- Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “seriously and reasonably foreseeable,” rather than the current definition of “serious and imminent.”
Temporary Changes to HIPAA Compliance Checklists During the COVID-19 Pandemic
Healthcare organizations are having to deal with a nationwide public health crisis, the likes of which has never been seen. The 2019 Novel Coronavirus (SARS-CoV-2) that causes COVID-19 is forcing healthcare organizations to change normal operating procedures and workflows, reconfigure hospitals to properly segregate patients, open testing centers outside of their usual facilities, work with a host of new providers and vendors, and rapidly expand telehealth services and remote care.
This colossal extra burden makes HIPAA compliance even more difficult, yet even during public health emergencies such as the COVID-19 pandemic, health plans, healthcare providers, healthcare clearinghouses, and business associates and their subcontractors must still comply with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules.
HIPAA Rules have provisions covering healthcare operations during emergencies such as natural disasters and disease pandemics; however, the current COVID-19 nationwide public health emergency has called for the temporary introduction of unprecedented flexibilities with regards to HIPAA compliance.
The HHS’ Office for Civil Rights appreciates that during such difficult times, HIPAA compliance becomes even more of a strain. In order to ensure the flow of essential healthcare information is not impeded by HIPAA regulations, and to help healthcare providers deliver high quality care, OCR has announced that penalties and sanctions for noncompliance with certain provisions of HIPAA Rules will not be imposed on healthcare providers and their business associates for good faith provision of healthcare services during the COVID-19 public health emergency.
Notice of Enforcement Discretion Covering Telehealth Remote Communications
With hospitals having limited capacity, and social distancing and self-isolation measures in place, healthcare providers have expanded their telehealth and virtual care capabilities. The Centers for Medicare and Medicaid Services (CMS) has also temporarily expanded telehealth options to all Medicare and Medicaid recipients.
To support healthcare providers, OCR announced a Notice of Enforcement Discretion covering telehealth remote communications for the duration of the COVID-19 public health emergency.
Some of the platforms used for providing these services may not be fully compliant with HIPAA Rules, but OCR will not be imposing sanctions and penalties for the use of these platforms during the COVID-19 public health emergency.
“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients,” explained OCR. That includes the likes of Zoom, Google Hangouts video, Facebook Messenger Chat, and FaceTime; however, HIPAA-compliant platforms should be used if possible.
The Notice of Enforcement Discretion DOES NOT apply to public-facing chat and video platforms such as Facebook Live and TikTok.
Notice of Enforcement Discretion Covering Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities
The HIPAA Privacy Rule only permits Business Associates of HIPAA Covered Entities to use and disclose PHI for public health and health oversight activities if it is specifically stated that they can do so in their Business Associate Agreement with a HIPAA Covered Entity.
On April 2, 2020, OCR issued a Notice of Enforcement Discretion stating sanctions and penalties will not be imposed on Business Associates for good faith disclosures of PHI for public health purposes to the likes of the Centers for Disease Control and Prevention (CDC), CMS, state and local health departments, and state emergency operations centers, who need access to COVID-19 related data, including PHI. In all cases, any use or disclosure must be reported to the Covered Entity within 10 days of the use or disclosure occurring.
The minimum necessary standard applies and disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective for which the information is disclosed. The Security Rule is also in effect, so safeguards must be implemented to ensure the confidentiality, integrity, and availability of all PHI transmitted in relation to public health and health oversight activities.
Notice of Enforcement Discretion for Community-Based Testing Sites
Enforcement discretion will be exercised by OCR and sanctions and penalties will not be imposed on Covered Entities or Business Associates in connection with the good faith participation on the operation of COVID-19 testing sites such as walk-up, drive-through, and mobile sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will last for the duration of the COVID-19 public health emergency. The Notice of Enforcement Discretion covers all activities in testing centers that support the collection of specimens and testing of individuals for COVID-19.
Reasonable safeguards must be implemented to protect patient privacy and the security of any PHI used or collected at these sites. The Notice does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions, nor to healthcare providers or business associates that are not performing COVID-19 Community-Based Testing Site activities, even if those activities are performed at the testing sites.
Notice of Enforcement Discretion Covering Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
On January 19, 2021, OCR announced it will be exercising enforcement discretion and will not impose penalties or sanctions on HIPAA covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.
The enforcement discretion does not apply when an entity fails to act in good faith. Examples of bad faith use of WBSAs include, but are not limited to, the use of a WBSA when the terms of service prohibit the use of the WBSA for scheduling healthcare services; if the solution does not incorporate reasonable security safeguards to prevent unauthorized access to ePHI; use of WBSAs to conduct services other than scheduling appointments for COVID-19 vaccinations; use of a WBSA for screening individuals for COVID-19 prior to an in-person healthcare visit.
While HIPAA penalties will not be imposed, OCR encourages HIPAA-covered entities and business associates to ensure that reasonable safeguards are implemented to ensure the privacy and security of healthcare data, such as the use of encryption, limiting data input into the systems to the minimum necessary information, and activating all available privacy settings.
OCR will be exercising enforcement discretion immediately and will be retroactive to December 11, 2020.
Sharing PHI About COVID-19 Patients with First Responders
OCR has confirmed that HIPAA Rules permit the sharing of PHI with first responders such as law enforcement, paramedics, public safety agencies, and others under certain circumstances, without first obtaining a HIPAA authorization from a patient.
OCR confirmed that the HIPAA Privacy Rule permits disclosures of PHI for the provision of treatment (e.g. by a skilled nursing facility to medical transport personnel), when required to do so by law (such as to comply with state infectious disease reporting requirements), and to prevent or control disease, injury, or disability. That includes disclosures for public health surveillance, and to public health authorities to help prevent or control the spread of disease.
PHI can also be disclosed to first responders who may be at risk of infection and to help prevent or lessen a serious and imminent threat to the health and safety of a person or the public. OCR explained that it is permissible to “disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.”
HIPAA also permits disclosures of PHI when responding to a request for PHI by a correctional institution or law enforcement official, that has lawful custody of an inmate or other individual. The disclosures are permitted when PHI is needed to provide healthcare to an individual, to ensure the health and safety of staff and other inmates, to law enforcement on the premises, and to help maintain safety, security, and good order in a correctional institution.
The minimum necessary standard applies in all cases and disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective for which the information is disclosed.
HIPAA Compliance Checklist: FAQs
Who is this HIPAA Compliance Checklist For?
This HIPAA compliance checklist is for HIPAA Privacy Officers, HIPAA Security Officers, and any other member of a Covered Entity’s or Business Associate’s workforce assigned the task of HIPAA compliance. The checklist can also be shared between departments if different departments are responsible for complying with specific areas of HIPAA.
What is a HIPAA Compliance Checklist?
A HIPAA compliance checklist consists of the basic compliance requirement of the HIPAA Privacy, Security, and Breach Notification Rules. Some areas of the checklist may not apply to some organizations depending on the nature of their activities, while some organizations will have to consider additional checklist items if they are involved in certain activities (i.e., psychiatrists).
Is there a specific HIPAA Compliance Checklist for IT?
There is no specific HIPAA compliance checklist for IT because the scale of IT operations can vary between different organizations depending on their size, complexity, and processes. If a HIPAA compliance checklist for IT is thought necessary, organizations are advised to conduct an IT compliance audit to see what items may be necessary to include.
What Does HIPAA Compliance Mean?
HIPAA compliance means complying with the standards and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules. However, it is necessary to be aware that the General Rules of the Security Rule (§164.306) allow for a “flexibility of approach” Covered Entities and Business Associates should bear this clause in mind when reviewing HIPAA requirements.
Who is Responsible for Implementing and Monitoring the HIPAA Regulations?
The agency responsible for implementing and monitoring the HIPAA regulations is the Department of Health and Human Services (HHS). Within HHS, two departments are responsible for enforcing the HIPAA regulations – the agency´s Office for Civil Rights (OCR) is responsible for taking enforcement action for violations of the Privacy, Security, and Breach Notification Rule, while the Centers for Medicare and Medicaid Services (CMS) enforce the Administrative Requirements of HIPAA.
What is the Key to HIPAA Compliance?
The key to HIPAA compliance is remembering that compliance is an ongoing process and not a one-off exercise. Therefore, it is important to have mechanisms in place to prevent shortcuts becoming the norm and developing into a culture of non-compliance – which then becomes harder to reverse and may lead to more noncompliant shortcuts being taken “to get the job done”.
Who Must Comply with the HIPAA Security Rule?
Compliance with the HIPAA Security Rule is required for all individuals and organizations that qualify as Covered Entities. Additionally, Business Associates and subcontractors with whom PHI is shared must comply with the Security Rule, as must healthcare organizations and insurance companies that do not qualify as Covered Entities but provide a service for or on behalf of another Covered Entity as a Business Associate.
What does the HIPAA Security Rule Apply To?
The Security Rule applies to all Protected Health Information that is created, collected, maintained, or transmitted electronically (ePHI). It is important to be aware that ePHI is a subset of PHI, and therefore some Privacy Rule requirements may also apply – especially those relating to permissible uses and disclosures and the Minimum Necessary Standard.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act is an Act passed in 1996 with the intention of reforming the health insurance industry. It facilitated the portability of health insurance from one employer to another to avoid workers being locked in an unsuitable job for fear of losing health coverage and stopped health plans discriminating against workers with pre-existing conditions.
To prevent the costs of increased portability and accountability being passed on to employers and plan members in the form of higher premiums, Title II of HIPAA introduced measures to reduce fraud against the health insurance industry and make the processing of health insurance claims more efficient. These measures led to the Administrative Simplification regulation which includes the Privacy, Security, and Breach Notification Rules.
What are the HIPAA Compliance Requirements?
Although HIPAA compliance requirements are mentioned periodically in the above HIPAA compliance checklist, there is no one-size-fits-all set of requirements. Each Covered Entity and Business Associate must determine its own HIPAA compliance requirements based on a risk assessment and what “reasonable and appropriate” measures are required to be compliant.
What are the Guidelines to Stay HIPAA Compliant?
The guidelines to stay HIPAA compliant can be interpreted in several ways. For example, it can mean the standards of the Privacy, Security, and Breach Notification Rules, the safeguards of the Security Rule, or the policies developed by an organization´s HIPAA Privacy and Security Officers to ensure the organization and members of the organization’s workforce stay HIPAA compliant.
What Do You Need to Know about HIPAA?
The most important thing you need to know about HIPAA is that ignorance of the HIPAA requirements is no defense against enforcement action. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to understand what the rules are, how they apply to you, and what you need to do to become HIPAA compliant.
What are the Penalties for Breaching HIPAA?
The penalties for breaching HIPAA vary according to the nature of the violation, the level of culpability, and the amount of assistance given to HHS during investigations into the breach. The current penalty structure was implemented in the HITECH Act 2009 and penalty amounts increase each year to account for inflation. The most recent penalties for breaching HIPAA can be found here.
What Steps Should You Take for HIPAA Compliance?
The steps you should take for HIPAA compliance depend on the nature of your business and your access to Protected Health Information. The HHS publishes several tools to help Covered Entities determine what steps to take for HIPAA compliance; but, if you are still unsure about HIPAA requirements, you should seek professional compliance advice.
What is the HIPAA Security Rule?
The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced due to more Covered Entities adopting technology and replacing paper processes.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule – or the “Standards for Privacy of Individually Identifiable Health Information” – was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protections, these laws continue to apply.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires Covered Entities and Business Associations to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclosed.
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services more resources to investigate breaches and impose fines for non-compliance.
What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violation cases. It is important to note other agencies (for example Centers for Medicare and Medicaid Services) can take HIPAA enforcement actions, and these may have their own procedures.
What is the Minimum Necessary Rule?
The Minimum Necessary Rule – sometimes called the “Minimum Necessary Standard” or “Minimum Necessary Requirement” – is a key element of the HIPAA Privacy Rule. The Rule stipulates that HIPAA-covered entities make reasonable efforts to ensure access to PHI is limited to the minimum necessary to accomplish the intended purpose of a particular use, disclosure, or request – and nothing more.
What are the HIPAA Retention Requirements?
The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years. You will find examples of what types of documentation should be retained in this article.
Are there Rules about Sharing PHI on Social Media?
There are no specific Rules about sharing PHI on social media because the HIPAA Privacy Rule was enacted many years before most social media platforms existed. However, except for permitted uses, the disclosure of personal identifiable information without a patient´s consent is a violation of HIPAA, and sharing PHI on social media would come into this category.
What is the Difference between Patient Consent and Patient Authorization in HIPAA?
The difference between patient consent and patient authorization in HIPAA is that patient consent can be verbal, whereas patient authorization has to be written. There are very few scenarios in which patient consent is allowed by HIPAA; and, for most uses and disclosures of PHI not expressly permitted by the Privacy Rule a Covered Entity has to obtain a patient’s written authorization via a HIPAA Release Form.
Are Pagers HIPAA-Compliant Communication Tools?
Pagers can be HIPAA-compliant communication tools depending on what they are being used for and what capabilities they have. If a pager is not being used to communicate ePHI, HIPAA compliance is not an issue. If a pager is being used to communicate ePHI, it has to have capabilities such as user authentication, remote wipe, and automatic log-off. You can find out more about pagers and HIPAA compliance in this article.
How Does the EU´s General Data Protection Regulation Affect HIPAA Compliance?
While the EU´s General Data Protection Regulation doesn´t affect HIPAA compliance in any way, it does introduce a further set of regulations for Covered Entities and Business Associates that collect, process, share, or store data relating to EU citizens – for example if an EU citizen receives medical treatment in the USA. This article provides more information about GDPR for US companies.
What are the Administrative Simplification Provisions of HIPAA?
The Administrative Simplification provisions of HIPAA consist of the General Administrative Requirements (Part 160), the Transaction, Code Sets, and Identifier Standards (Part 162) and the Privacy, Security, and Breach Notification Rules (Part 164). The Department of Health and Human Services has combined the provisions into a single PDF for ease of reference.
Why Might My Organization Need to Know a Business Partner´s Compliance Obligations?
Your organization might need to know a business partner’s compliance obligations if it intends to share PHI with a Business Associate. Before a Covered Entity discloses PHI to a Business Associate, it is important to conduct due diligence on the Business Associate to ensure the privacy of the PHI is protected and safeguards are in place to ensure the confidentiality, integrity, and availability of ePHI. It is not enough to rely on the undertakings of a Business Associate Agreement.
What are the Excluded Benefits that would Exempt a Health Plan from being a Covered Entity?
The excluded benefits that would exempt a health plan from being a Covered Entity are listed in §300gg-91 of the Public Health Act (search for “benefits not subject to requirements”). This include, but are not limited to, workers´ compensation insurance, accident insurance that includes medical payment insurance, and automobile insurance in which benefits for medical care are included.
Why are On-Campus Health Centers Exempt from HIPAA?
On-campus health centers are exempted from HIPAA if they only provide medical services for students because students´ medical records are considered to be part of their educational records, which are protected by the Family Educational Rights and Privacy Act (FERPA). The HIPAA Privacy Rule specifically excludes records protected by FERPA from its definition of PHI, and therefore an on-campus health center that only provides medical services for students cannot “transmit PHI in connection with a transaction for which a HIPAA standard exists” because it does not have any PHI.
In the event that an on-campus health center treats both students and members of the public, the health center becomes a “hybrid entity”. In such circumstances, students´ medical (educational) records are still subject to FERPA and must be isolated from other patients´ PHI – which is subject to the protections of the Privacy and Security Rules; and, in the event of a data breach, the processes of the Breach Notification Rule.
Why are paper-to-paper non-digital fax communications not considered electronic transmissions?
Paper-to-paper, non-digital fax communications are not considered electronic transmissions when the information being exchanged did not exist in electronic format prior to the fax transmission. Therefore, if a healthcare provider only transmits health information for a HIPAA transaction by paper-to-paper non-digital fax, the healthcare provider is not a Covered Entity.
However, as well as paper-to-paper faxes being a poor data security practice, if the faxed health information was stored electronically prior to transmission (i.e., saved on a workstation) or any other electronic communication channel is used for any other HIPAA transaction, the healthcare provider is a Covered Entity, and all transmissions are subject to HIPAA compliance requirements.
Why Might Only Some of the Administrative Simplification Provisions Apply to Covered Entities?
Some of the Administrative Simplification provisions will not apply to Covered Entities due to the nature of the Covered Entities’ operations. For example, health care clearinghouses are typically business-to-business operations, so there will be no need to develop and distribute a Notice of Privacy Practices to individuals. Similarly, sole medical practitioners will not have to develop and distribute a workforce sanctions policy.
Additionally, the “flexibility of approach” clause in the Security Rule (§164.306) allows Covered Entities to be flexible about what security measures are adopted according to their size, complexity and capabilities, the costs of the security measure, and the probability and criticality of risks to PHI. However, the decision not to apply a Security Rule standard has to be justified, documented, and periodically reviewed to determine whether the decision is still justified.
When “Minimizing Risks to an Appropriate Level”, What is an Appropriate Level?
With regards to minimizing risks to an appropriate level, neither the Privacy Rule nor the Security Rule define what an “appropriate level” is – nor provide guidance on how an appropriate level can be obtained. In its HIPAA Basics Guide, CMS states “what’s reasonable and appropriate depends on your business as well as its size, complexity, and resources”. However, this statement should not be construed as an excuse to take shortcuts with HIPAA compliance or omit Administrative Simplification provisions.
How does a HIPAA Privacy Office Enforce an Organization’s HIPAA-Compliant Policies?
A HIPAA Privacy Officer can enforce an organization’s HIPAA-compliant policies in several ways. The primary tool in a Privacy Officer’s enforcement armory is the sanctions policy. This policy should stipulate the nature of punishments for HIPAA violations – which may range from a warning for minor violations to criminal proceedings and loss of license for serious violations. All members of an organization´s workforce should be provided with a copy of the sanctions policy regardless of whether they have access to PHI or not.
However, it is sometimes the case that a carrot rather than a stick is the best way to enforce an organization’s HIPAA-complaint policies, and Privacy Officers should focus on the benefits of compliance during HIPAA training. Naturally, the benefits will not be the same for all members of the workforce; but generally, HIPAA compliance leads to patients being more open about their conditions, which leads to better informed treatment programs and patient outcomes. This in turn improves staff morale and increases staff retention.
When might Individuals have an Opportunity to Agree or Object to a Disclosure of PHI?
Individuals have an opportunity to agree or object to a disclosure of PHI in several circumstances. Outside of the times when uses and disclosures of PHI fall into the categories of required, permissible, or requiring authorization, there are scenarios in which it is preferable, but not necessary, to obtain an individual´s “informal consent”. For example, notifying family members of a patient´s admission into hospital. In such scenarios, the individual should be given the opportunity to agree or object to the disclosure of PHI unless the individual is unable to, in which case Covered Entities are allowed to use their professional judgement.
Do Members of the Workforce Need to Report HIPAA Violations if they don’t Result in a Data Breach?
Members of the workforce should be required to report HIPAA violation if they don’t result in a data breach because, if violations are not identified and addressed, they could continue and contribute towards a culture of non-compliance which ultimately results in data breaches. Ideally, Covered Entities and Business Associates should implement a process for reporting HIPAA violations that allows members of the workforce to report violations anonymously.
What are the Breach Notification Rule requirements?
The Breach Notification Rule requirements vary depending on the type of organization at which a breach occurs. For example, Business Associates are required to notify Covered Entities of a breach, Covered Entities are required to notify affected individuals and HHS´ Office for Civil Rights of a breach, and organizations not covered by HIPAA are required to notify affected individuals and the FTC of a breach. State laws may also require breaches are notified to local authorities.
Because the Breach Notification Rule requirements vary, we have produced a comprehensive article explaining what organizations should do following a data breach. Alternatively, you can review the HIPAA Breach Notification standards at §164.400 of the Code of Federal Regulations.
Who enforces the Administrative Simplification requirements?
The Administrative Simplification requirements (Part 160, 162, and 164 of 45 CFR Subtitle A, Subchapter C), are enforced by two agencies within the Department of Health and Human Services – the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR).
Compliance with Part 162 – the Transaction Rules, Operating Rules, Code Set Rules, etc. – is enforced exclusively by CMS, while compliance with Part 164 – the General Rules, Privacy Rule, Security Rule, etc. – is enforced exclusively by OCR – unless a violation involves a criminal activity, in which case the violation is referred to the Department of Justice.
Who is required to follow HIPAA requirements?
The list of individuals and organizations required to follow HIPAA requirements is quite extensive. Generally, most health plans, health care clearinghouses, healthcare providers (including pharmacies), and Business Associates that provide a service for or on behalf of these organizations are required to follow the HIPAA requirements – but there are exceptions.
For example, insurance companies that provide health coverage as a secondary benefit to (say) auto insurance are not required to follow HIPAA requirements, nor are healthcare providers that do not conduct transactions for which HHS has developed standards (i.e., a counselling service that only accepts direct payments from clients).
In addition to the above, members of a Covered Entity’s or Business Associate’s workforce are required to follow whatever HIPAA requirements are included in workplace policies. Compliance with these requirements is often a condition of employment, and although a minor violation of HIPAA may not result in the termination of an employment contract, more serious violations likely will.
Further information about HIPAA requirements that coudld help with the compilation of a HIPAA compliance checklist can be found throughout the HIPAAJournal.com website. However, in order to assist organizations looking for quick answers to complex questions, we have listed a selection of HIPAA compliance resources below.