Last updated on February 8, 2021
HIPAA Compliance Checklist: Learn the Requirements to Become HIPAA Compliant
Owing to the increasing number of healthcare security breaches, the US Department of Health and Human Services (HHS) imposes strict rules on companies dealing with protected health information (PHI) by using the Health Insurance Portability and Accountability Act (HIPAA). Failure to comply with the act results in substantial fines, criminal charges and civil litigations. HIPAA covers the essential criteria of:
- Privacy
- Security
- Enforcement
- Breach Notification
- Omnibus
HIPAA Definition
Introduced in 1996 by Bill Clinton, the HIPAA is a federal law that provides a set of rules and regulations for the protection of healthcare and medical data. It sets security standards for electronic healthcare billing, storing patients’ healthcare information, and handling medical data. It ensures that healthcare data is kept private at all costs.
Additionally, the HIPAA also provides guidelines for notifying patients of a security breach and requires healthcare organizations to secure their infrastructure by handling things at all technical levels.
Being aware of HIPAA compliance guidelines is essential to prevent huge fines, disciplinary action, and/or penalties. Ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights (OCR) of the US Department of Health and Human Services.
HIPAA Compliance Terminology
HIPAA guidelines should be followed by covered entities and business associates to protect and secure Protected Health Information (PHI). In other words, if you are a covered entity or a business associate, you must be HIPAA compliant. Before trying to understand if your company is HIPAA compliant, it is necessary to evaluate some technical terminology associated with the HIPAA.
| Protected Health Information (PHI) | The basic healthcare data of every individual that HIPAA intends to protect and safeguard. |
| Covered Entity | Any healthcare field or entity that accesses PHI. Covered entities can be medical providers, clearinghouses, health insurers or employer-sponsored health plans. |
| Business Associates | Individuals who work with covered entities in a non-healthcare capacity, i.e., people that maintain the PHI stored by covered entities. |
It is also useful to understand the rules and components of the HIPAA. After all, you can’t comply with something you are not familiar with.
Privacy Rule. The privacy rule regulates the disclosure and use of PHI by covered entities. These entities can disclose PHI to law enforcement for facilitating treatment or for other cases if written authorization is received. When PHI is disclosed, covered entities must make sure that only the minimum necessary information is released and should also notify individuals of the disclosure of their PHI.
Security Rule. Complementing the privacy rule, the security rule pertains only to electronic PHI. It lays out administrative, physical and technical safeguards. Administrative safeguards include policies and procedures that show how the entity complies with the act, while physical safeguards control the physical access to protected data. Technical safeguards, on the other hand, control access to computer systems that contain PHI.
Enforcement Rule. The enforcement rule sets the financial penalties for violating HIPAA rules and establishes the procedure for hearings of HIPAA-related violations. It states that if noncompliance is established, covered entities must apply corrective measures. Noncompliance can be established if there is:
- Misuse and nonconforming disclosure of PHI.
- Lack of protection of health information.
- Lack of safeguards for electronic PHI.
- Disclosure of more than the minimum necessary PHI.
Omnibus Rule. A new addition to the HIPAA guidelines, the HIPAA Omnibus Rule expands the definition of business associates to include storage companies, consultants, and subcontractors, and it has also increased the civil penalties for HIPAA violators.
Breach Notification. The HIPAA Breach Notification regulates how a breach notification must be issued if a breach occurs. If more than 500 PHI records are affected, you must notify HHS and OCR, and all minor violations (less than 500 records) must be reported to HHS once a year.
HIPAA Compliance Checklist
As the HIPAA is quickly approaching its 25th anniversary, its needs and demands have changed with advancements in technology. The HIPAA has been updated multiple times, with more rules added over the years because of the constant rise in security breaches in the healthcare industry. Noncompliance can result in fines varying from $100 to as high as $1.5 million per year. To be compliant with the different rules of the HIPAA, consider the following checklists for each of the aforementioned rules.
Compliance checklist for the HIPAA Privacy Rule
- Respond to patient requests promptly, as HIPAA gives you 30 days to get back to patients.
- Inform patients of data sharing policies using an NPP (Notice of Privacy Parties).
- Train your personnel to understand which data can and cannot be shared.
- Ensure that the integrity of PHI is maintained at all costs.
- Ensure that you get permission from the patient to use their PHI.
- Update your authorization forms.
Compliance checklist for the HIPAA Security Rule
Technical Safeguards
- Encrypt all electronic protected health information (ePHI) when it is transmitted over an external network.
- Control user access to and govern the release or disclosure of ePHI.
- Identify and authenticate ePHI to protect it.
- Encrypt all endpoint devices.
- Control all activity audits.
- Enable automatic logoff after a certain time frame.
Physical Safeguards
- Control physical access to the facility.
- Protect mobile devices by removing data before devices are circulated to other users.
- Track all the servers that store ePHI.
- Manage all workstations centrally to ensure proper use.
Administrative Safeguards
- Conduct risk assessments regularly, and deploy required measures to resolve risks.
- Train employees on ePHI access protocols and on how to recognize cybersecurity.
- Build contingency plans to achieve ongoing business continuity.
- Prevent unauthorized access to ePHI.
- Document and log all security incidents.
- Test your contingency plan regularly.
Compliance checklist for the HIPAA Enforcement Rule
- Report HIPAA violations to OCR.
- Fix what caused any breach.
Compliance checklist for the HIPAA Omnibus Rule
- Refresh your business associate agreements to reflect the Omnibus Rule.
- Get signed copies of the new Business Associate Agreement (BAA) from stakeholders.
- Refresh your privacy policy to reflect the Omnibus Rule changes.
- Update the NPPs to cover information that requires authorization, the right to opt out of correspondence, and the new breach notification requirements.
- Train your staff to be aware of the new Omnibus Rule adjustments.
Compliance checklist for the HIPAA Breach Notification Rule
- Make sure that you know the notification process for HIPAA in case breaches occur.
- If more than 500 PHI have been compromised:
– Notify the Department of Health and Human Services.
– Issue a press release about the breach.
– Provide OCR with the list of PHI and the explanation of how the violation occurred.
– Provide OCR with the list of all unauthorized entities that access the PHI. Also, indicate if the PHI was accessed or was just available.
– Provide OCR with the mitigation steps that were undertaken to deal with the breach.
- If less than 500 PHI have been compromised, you can report all smaller violations to HHS in a single batch.
Generic HIPAA Compliance Checklist
Apart from the above mentioned checklists, a generic HIPAA compliance checklist (a compliance checklist for individual rules) ensures that you stay on top of the game. To make certain that your organization is compliant:
- Conduct annual self-audits for security risk assessments, privacy assessments, and physical, asset and device audits.
- Identify the gaps in your system, and document them.
- Create remediation plans to address the identified gaps.
- Document the remediation plans, review and update them annually, and retain the remediation plans in your records.
- Ensure that all employees complete their annual HIPAA training. Make one person responsible for the training, and ensure that you maintain documentation proving that all employees have received training.
- Make sure that all employees legally attest to your organizational policies and procedures that incorporate HIPAA rules.
- Identify all your business associates and vendors, and include them in signing necessary agreements that comply with HIPAA.
- Create a clearly defined incidence response plan in case of a breach.
- Ensure you can provide the required reporting of minor or major breaches.
- Make sure that your organizational employees have instant but secure access to PHI from anywhere at any time.
- Deploy a solution that facilitates better access, security, mobility and easier management of organizational infrastructure.
Parallels RAS Helps Organizations Requiring HIPAA Compliance
Parallels® Remote Application Server (RAS) is a virtual desktop and application delivery solution that allows healthcare providers to create their own secure, private cloud. It is a perfect solution for healthcare providers who need to maintain a HIPAA-compliant infrastructure.
Parallels RAS improves your healthcare infrastructure by improving accessibility, security and mobility. It also allows for single-pane-of-glass management and auto-provisioning and auto-scaling.
Improving accessibility. Parallels RAS provides secure access to desktops, applications and patient data from any device, at any time, from any location, thus improving PHI accessibility to clinicians. Full redundancy offered by load balancing ensures that downtime is reduced while providing a seamless end-user experience.
Enhancing security. With the use of Parallels RAS, you can provide medical staff with compliant, secure, on-the-go access to PHI. Security measures such as multifactor authentication, customized policies, and advanced filtering are put into place to provide compliance with the HIPAA Security Rule. Since all the data is stored centrally, monitoring the data is easier, thus making it possible to conform to HIPAA and other medical guidelines.
Enabling mobility. Be it a mobile device, Chromebook, MacBook or Windows desktop, Parallels RAS allows every endpoint to access healthcare and diagnostic desktop applications easily. Therefore medical staff can respond to emergencies quickly by receiving real-time updates and alerts on the go.
Single pane of glass. Medical administrators can manage the entire infrastructure from a centralized console. This ensures that monitoring resources, managing connected devices, defining security policies, and providing helpdesk assistance is extremely easy.
Auto-provisioning and auto-scaling. Medical IT infrastructure can be scaled up or down automatically as Parallels RAS creates, releases, removes and load balances Windows Servers based on predefined criteria.
Parallels RAS has all the features necessary to comply with the HIPAA Privacy, Security, Enforcement, Omnibus and Breach Notification Rules, making it a must-have for your medical organization.
Download the 30-day trial of Parallels RAS today!
References
