HIPAA Compliance Checklist: Learn the Requirements to Become HIPAA Compliant

Owing to the increasing number of healthcare security breaches, the US Department of Health and Human Services (HHS) imposes strict rules on companies dealing with protected health information (PHI) by using the Health Insurance Portability and Accountability Act (HIPAA). Failure to comply with the act results in substantial fines, criminal charges and civil litigations. HIPAA covers the essential criteria of:

HIPAA Definition

HIPAA ComplianceIntroduced in 1996 by Bill Clinton, the HIPAA is a federal law that provides a set of rules and regulations for the protection of healthcare and medical data. It sets security standards for electronic healthcare billing, storing patients’ healthcare information, and handling medical data. It ensures that healthcare data is kept private at all costs.

Additionally, the HIPAA also provides guidelines for notifying patients of a security breach and requires healthcare organizations to secure their infrastructure by handling things at all technical levels.

Being aware of HIPAA compliance guidelines is essential to prevent huge fines, disciplinary action, and/or penalties. Ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights (OCR) of the US Department of Health and Human Services.

HIPAA Compliance Terminology

HIPAA guidelines should be followed by covered entities and business associates to protect and secure Protected Health Information (PHI). In other words, if you are a covered entity or a business associate, you must be HIPAA compliant. Before trying to understand if your company is HIPAA compliant, it is necessary to evaluate some technical terminology associated with the HIPAA.

Protected Health Information (PHI) The basic healthcare data of every individual that HIPAA intends to protect and safeguard.
Covered Entity Any healthcare field or entity that accesses PHI. Covered entities can be medical providers, clearinghouses, health insurers or employer-sponsored health plans.
Business Associates Individuals who work with covered entities in a non-healthcare capacity, i.e., people that maintain the PHI stored by covered entities.

It is also useful to understand the rules and components of the HIPAA. After all, you can’t comply with something you are not familiar with.

Privacy Rule. The privacy rule regulates the disclosure and use of PHI by covered entities. These entities can disclose PHI to law enforcement for facilitating treatment or for other cases if written authorization is received. When PHI is disclosed, covered entities must make sure that only the minimum necessary information is released and should also notify individuals of the disclosure of their PHI.

Security Rule. Complementing the privacy rule, the security rule pertains only to electronic PHI. It lays out administrative, physical and technical safeguards. Administrative safeguards include policies and procedures that show how the entity complies with the act, while physical safeguards control the physical access to protected data. Technical safeguards, on the other hand, control access to computer systems that contain PHI.

Enforcement Rule. The enforcement rule sets the financial penalties for violating HIPAA rules and establishes the procedure for hearings of HIPAA-related violations. It states that if noncompliance is established, covered entities must apply corrective measures. Noncompliance can be established if there is:

Omnibus Rule. A new addition to the HIPAA guidelines, the HIPAA Omnibus Rule expands the definition of business associates to include storage companies, consultants, and subcontractors, and it has also increased the civil penalties for HIPAA violators.

Breach Notification. The HIPAA Breach Notification regulates how a breach notification must be issued if a breach occurs. If more than 500 PHI records are affected, you must notify HHS and OCR, and all minor violations (less than 500 records) must be reported to HHS once a year.

HIPAA Compliance Checklist

As the HIPAA is quickly approaching its 25th anniversary, its needs and demands have changed with advancements in technology. The HIPAA has been updated multiple times, with more rules added over the years because of the constant rise in security breaches in the healthcare industry. Noncompliance can result in fines varying from $100 to as high as $1.5 million per year. To be compliant with the different rules of the HIPAA, consider the following checklists for each of the aforementioned rules.

Compliance checklist for the HIPAA Privacy Rule

Compliance checklist for the HIPAA Security Rule

Technical Safeguards

Physical Safeguards

Administrative Safeguards

Compliance checklist for the HIPAA Enforcement Rule

Compliance checklist for the HIPAA Omnibus Rule

Compliance checklist for the HIPAA Breach Notification Rule

– Notify the Department of Health and Human Services.

– Issue a press release about the breach.

– Provide OCR with the list of PHI and the explanation of how the violation occurred.

– Provide OCR with the list of all unauthorized entities that access the PHI. Also, indicate if the PHI was accessed or was just available.

– Provide OCR with the mitigation steps that were undertaken to deal with the breach.

Generic HIPAA Compliance Checklist

Apart from the above mentioned checklists, a generic HIPAA compliance checklist (a compliance checklist for individual rules) ensures that you stay on top of the game. To make certain that your organization is compliant:

Parallels RAS Helps Organizations Requiring HIPAA Compliance

Parallels® Remote Application Server (RAS) is a virtual desktop and application delivery solution that allows healthcare providers to create their own secure, private cloud. It is a perfect solution for healthcare providers who need to maintain a HIPAA-compliant infrastructure.

Parallels RAS improves your healthcare infrastructure by improving accessibility, security and mobility. It also allows for single-pane-of-glass management and auto-provisioning and auto-scaling.

Improving accessibility. Parallels RAS provides secure access to desktops, applications and patient data from any device, at any time, from any location, thus improving PHI accessibility to clinicians. Full redundancy offered by load balancing ensures that downtime is reduced while providing a seamless end-user experience.

Enhancing security. With the use of Parallels RAS, you can provide medical staff with compliant, secure, on-the-go access to PHI. Security measures such as multifactor authentication, customized policies, and advanced filtering are put into place to provide compliance with the HIPAA Security Rule. Since all the data is stored centrally, monitoring the data is easier, thus making it possible to conform to HIPAA and other medical guidelines.

Enabling mobility. Be it a mobile device, Chromebook, MacBook or Windows desktop, Parallels RAS allows every endpoint to access healthcare and diagnostic desktop applications easily. Therefore medical staff can respond to emergencies quickly by receiving real-time updates and alerts on the go.

Single pane of glass. Medical administrators can manage the entire infrastructure from a centralized console. This ensures that monitoring resources, managing connected devices, defining security policies, and providing helpdesk assistance is extremely easy.

Auto-provisioning and auto-scaling. Medical IT infrastructure can be scaled up or down automatically as Parallels RAS creates, releases, removes and load balances Windows Servers based on predefined criteria.

Parallels RAS has all the features necessary to comply with the HIPAA Privacy, Security, Enforcement, Omnibus and Breach Notification Rules, making it a must-have for your medical organization.

Download the 30-day trial of Parallels RAS today!


References

Wikipedia

Axis Cloud Sync

Inoxoft

Safety Culture

hipaahq.com