The Health Insurance Portability and Accountability Act (HIPAA) is as important to the healthcare industry now more than ever — if not more. Hospitals, insurance companies and healthcare providers all need to ensure HIPAA compliance to safeguard private and sensitive patient data.
Thankfully, we’re providing a clear, step-by-step HIPAA compliance checklist that covers everything you need to know.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
You don’t want to have to worry about a HIPAA complaint against your company, and you don’t want to be one of those that get fined. This guide will tell you what you need to know about HIPAA compliance and help you protect and secure your HIPAA-protected data.
What is HIPAA Compliance?
HIPAA compliance is the process that business associates and covered entities follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act. That’s legalese for “keep people’s healthcare data private.”
Protected Health Information (PHI) is your/my/everyone’s healthcare data. PHI is the content that HIPAA tries to protect and keep private. The Safe Harbor Rule identifies what kind of data you must remove to declassify PHI.
Covered entities are individuals in a healthcare field that uses and has access to PHI. They are doctors, nurses, and insurance companies.
Business associates are individuals that work with a covered entity in a non-healthcare capacity and are also responsible for maintaining HIPAA compliance as covered entities. Lawyers, accountants, administrators, and IT personnel that work in the healthcare industry and have access to PHI are some common examples of business associates.
Your 2021 HIPAA Compliance Checklist
Now that you know what constitutes PHI and who needs to comply with HIPAA, let’s take a look at what you need to do step-by-step to achieve HIPAA compliance.
1. Understand the HIPAA Privacy Rule
The HIPAA Privacy Rule is the foundational piece that all applicable organizations need to familiarize themselves with. The Privacy rule explains when and how authorized personnel can access PHI. This includes healthcare professionals, administrators, lawyers or anyone else within your health information ecosystem.
That’s why the first step towards HIPAA compliance is familiarizing yourself with the Privacy Rule. The Rule mandates appropriate safeguards to protect the privacy of PHI, setting limits on the access and use of said information. The Privacy Rule also gives patients certain rights over their PHI, including the right to obtain copies of records and request corrections.
2. Determine if the Privacy Rule Affects You
Next, you’ll need to assess and confirm that the Privacy Rule does, in fact, apply to your business, practice, or healthcare organization. Remember that the Privacy rule protects individual PHI by governing the practice of all covered entities, from doctors and nurses to lawyers and insurance providers.
Covered entities are the people and organizations that hold and process PHI data for their customers and/or patients. Covered entities are also responsible for reporting HIPAA violations and who will pay any fines imposed by the Office of Civil Rights if a HIPAA violation does occur.
HIPAA defines these individuals and organizations as covered entities:
Health Care Providers
- Nursing homes
- Health Plan
Health Insurance Companies
- Company health plans
- Government-provided health care plans
Health Care Clearinghouses
- These entities process healthcare data from another entity into a standard form.
3. Protect the Right Types of Patient Data
The third action item in your HIPAA compliance checklist is knowing what types of patient data you need to protect and begin putting the right security and privacy measures in place.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or their business associates. This can be in any form of media, from paper and electronic to verbal communications.
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payment information that identifies or for which there is a reasonable basis to believe can be used to identify the individual.”
This typically includes — but is not exclusively limited to — the following kinds of patient data:
- Names and birthdates
- Dates pertaining to a patient’s birth, death, treatment schedule or relating to their illness and medical care
- Contact information such as telephone numbers, physical addresses and email.
- Social Security Numbers
- Medical Record Numbers
- Photographs and digital images
- Fingerprints and voice recordings
- Any other form of unique identification or account number
4. Prevent Potential HIPAA Violations
HIPAA violations can occur in any number of ways, so it’s critical that you understand what a violation is and how they happen so you can take preventative measures. The most common type of violation is actually internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.
A workstation left unlocked or paper file misplaced in a public setting — although not malicious — are the types of violations to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another great example of a non-intentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.
Data Breaches Under HIPAA
As we alluded to earlier, a data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. While it can be a malicious cyberattack designed to steal PHI, it’s also any covered entity accessing or viewing PHI in a time or manner when they shouldn’t.
HIPAA defines a data breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.
Recognizing Common HIPAA Violations
We’ve touched on a few common scenarios where HIPAA violations occur, but you’ll need to familiarize yourself with multiple cases and scenarios that can trigger a violation.
Here are some of the other common causes can lead to a HIPAA violation:
- Theft of equipment that stores PHI
- Hacking, malware, or ransomware
- Physical office break-in
- Sending PHI to the wrong person or business partner
- Discussing PHI in public
- Posting PHI to social media
Which violations that your company is most at risk for depends on the nature of your business and relationship with patients and their data. That’s why it’s critical to work with a HIPAA compliance partner to determine what measures you need to put in place or improve.
Anticipating a Minor Breach
The HIPAA Breach Notification Rule requires that any affected patient or customer be notified that their PHI may have been stolen, compromised, or even merely exposed to such risk. How and when you need to notify customers depends on the nature of the breach. First, you need to have processes in place in case what HIPAA defines as a minor breach takes place.
A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions be taken in this instance. You’ll need to gather all data on minor breaches that occur throughout the course of a year and report them to regulators within 60 days of year’s end. Affected individuals must also be notified within 60 days of then when the breach took place.
Prepping for a Meaningful Breach
On the other hand, a meaningful breach is one that affects over 500 people within a given jurisdiction. Meaningful breaches need to be reported to the Department of Health and Human Services Office of Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties upon immediate discovery of the breach.
Moreover, meaningful breaches need to be reported to local law enforcement agencies immediately. You will also need to coordinate with local media agencies and organizations as a part of notifying affected parties. While meaningful breaches are rare, part of your HIPAA compliance journey is making sure you have all the resources in place in case such a breach does occur.
Be Aware of the Fines and Penalties
If you take the right steps, more than likely you’ll be able to avoid any HIPAA-related fines, fees, or penalties. But you need to be aware of the penalties that do exist, how they function,K and the potentially negative consequences. Fines and penalties can be imposed for intentional or unintentional PHI breaches and are structured within a three-tiered model.
- Tier 1 Violation: The covered entity was unaware of and could not have realistically prevented the violation. Reasonable care had been taken to safeguard the PHI. Minimum fine of $100 per violation up to $50,000.
- Tier 2 Violation: The covered entity should have been aware of, but could not have avoided, the violation. Reasonable care measures could not have prevented it. Minimum fine of $1,000 per violation up to $50,000.
- Tier 3 Violation: The violation was a direct result of the “willful neglect” of HIPAA rules. A covered entity must make an attempt to correct the violation. Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: The most egregious form of HIPAA violation which constitutes willful neglect. There has been no attempt has been made to correct the violation by the covered entity. Minimum fine of $50,000 per violation.
The most important factor in avoiding fines and penalties is making sure violations don’t take place from the get-go. Make sure you understand what Reasonable Care means in your specific circumstance, and make sure your PHI is guarded as such.
Meet Transaction Standards
Most covered entities transmit and send PHI throughout the course of daily operations. HIPAA, therefore, sets “transaction standards” for protecting PHI for many types of common data transmissions or transactions.
These common or standard transactions include:
- Payment and remittance advice
- Claims status
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payment
Per HIPAA, all data exchanges involving these transactions should meet the X12 Data Exchange Standard.
5. Stay Updated on HIPAA Changes
HIPAA compliance can be a moving target, with changes taking place on a regular basis. After you’ve put all of the right cybersecurity measures in place — and processes for potential breach response — you’ll still need to keep abreast of new HIPAA developments. There are a variety of HIPAA changes expected to take effect in 2021 that you should prepare for now.
It’s been a full seven years since HIPAA was updated in any meaningful fashion, and 2021 is the year that HHS CSC has decided to finally make significant changes. Most of the updates relate to the HIPAA Privacy Rule and can be found in more detail on either the HHS CSC Newsroom or HIPAA Journal website.
Some highlights of the expected 2021 HIPAA update include:
- Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
- Required entities must post estimated fee schedules on their websites for PHI access and disclosures.
- Increasing the maximum time to provide access to PHI from 30 days to 15 days.
- Expanding the definition of healthcare operations to cover care coordination and case management.
Even though you may have reached HIPAA compliance at present, it’s imperative to monitor the impending 2021 HIPAA update and work with your compliance partner to ensure you comply when it arrives.
6. Know how COVID Affects HIPAA
The COVID-19 pandemic is changing healthcare forever, and HIPAA compliance along with it. That’s why an important item on your HIPAA compliance checklist is taking COVID-19 into account in the cybersecurity, physical security and compliance aspects of your business that might be affected.
The biggest aspect that most healthcare providers and covered entities need to account for is remote work and telehealth. Patient’s PHI is now being handled from more locations and in people’s homes on personal devices in many cases. To account for this, the HHS CSC decided to suspend HIPAA-related fines and penalties for a time.
However, the change may or may not be permanent, so extra precautions involving PHI handling in the work-from-home, telehealth-centric era must be taken to ensure compliance over the long haul. You’ll want to tightly define and control device ownership so that it’s crystal-clear who is handling what types of PHI.
You should also review existing procedures and policies to determine where PHI protection can be further strengthened. For example, it’s wise to implement multi-factor authentication and biometrics for device logins to prevent PHI from being accessed via a lost or stolen device. Amplified staff education and training around guarding PHI is also necessary, with emphasis on work-from-home best practices.
HIPAA Key Resources
Here’s a list of resources to monitor regularly to say ahead of the game in your HIPAA compliance effort:
HIPAA Compliance FAQs
How do I start with HIPAA compliance?
The first step towards HIPAA compliance is defining who within your organization is primarily responsible for HIPAA compliance. You can then begin assessing your cybersecurity and business process around PHI, preferably alongside an experienced HIPAA compliance partner. A HIPAA compliance audit is also recommended.
Does HIPAA regulate social media usage?
Yes and no. The HIPAA Privacy Rule was adopted before the popularization of most social media platforms, so technically there is no verbatim mention of social media. However, the disclosure of PHI on social media without the patient’s consent is clearly forbidden under HIPAA.
What’s the official definition of a Covered Entity (CE)?
A covered entity — as defined by HIPAA — is any business entity that must by law comply with HIPAA regulations. This includes healthcare providers, insurance companies, and clearinghouses. Health care providers include doctors, dentists, vision clinics, hospitals and other related health caregiving services.
What types of information is categorized as PHI?
Any information in a patients’ medical records personal data set that can be used to identify an individual. PHI is created, used, or disclosed in the course of providing a health care service. PHI includes but is not limited to: electronic or paper records, x-rays schedules, medical bills, dictated notes, dental casts, and verbal conversations.
Is employee training required under HIPAA?
Yes. HIPAA requires that all employees undergo training annually. Cybersecurity training should already be built into your employee onboarding and development processes, but you should work with a compliance partner to ensure your training is adequate. You should also include training modules and materials that address telemedicine and work-from-home.
HIPAA was created to ensure patient and customer PHI stays exactly that — private. The measures that HIPAA requires are designed to help your business, company or healthcare organization take all the right steps to protect healthcare data. While HIPAA compliance may seem daunting, a step-by-step approach can get you there efficiently. Finally, you should work with an experienced HIPAA compliance partner to make sure all the items on your HIPAA checklist — from understanding HIPAA to implementation and maintenance — are checked off properly.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.