The Health Insurance Portability and Accountability Act (HIPAA) is one of the cornerstones for both regulatory compliance and healthcare cybersecurity. Hospitals, insurance companies and healthcare providers all need to follow a HIPAA compliance checklist to safeguard private and sensitive patient data.And as we move into 2023, it’s critical that any organization subject to HIPAA get ahead of the curve by understanding any changes and preparing today. In this comprehensive guide, we’ll lay out HIPAA compliance in a step-by-step fashion based on changes in the regulation, COVID mandates and evolving cybersecurity concerns.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
You don’t want to have to worry about a HIPAA complaint against your company, and you don’t want to be one of those that get fined. This guide will tell you what you need to know about HIPAA compliance and help you protect and secure your HIPAA-protected data.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act of 1996, which requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Breaking it down, HIPPA’s overarching goal is to protect the confidentiality and security of healthcare information. This takes place in the main two rules of HIPAA: the Privacy Rule and the Security Rule.
Compliance with HIPAA regulations is a process that business associates and covered entities follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act. That’s legalese for “keep people’s healthcare data private.”
- Protected Health Information (PHI) is your/my/everyone’s healthcare data. PHI is the content that HIPAA tries to protect and keep private. The Safe Harbor Rule identifies what kind of data you must remove to declassify PHI.
- Covered entities are individuals in a healthcare field that uses and has access to PHI. They are doctors, nurses, and insurance companies.
- Business associates are individuals and services that work with a covered entity in a non-healthcare capacity and are also responsible for maintaining HIPAA compliance as covered entities. Lawyers, accountants, administrators, and IT personnel that work in the healthcare industry and have access to PHI are some common examples of business associates.
How to become HIPAA compliant
Meeting all HIPAA requirements takes a combination of internal processes, the right technology, and targeted external partnerships. Before diving into the specific details of the regulation, here’s how to become HIPAA compliant from a strategic level.
- Develop policies: The first thing you need to do is develop and implement strong cybersecurity standards, policies, and procedures. Your administrative systems and procedures should all be HIPAA compliant and your staff well-trained. Also, have your policy well-documented and disseminated throughout the organization.
- Implement safeguards: Maintaining HIPAA compliance is about having strong PHI safeguards, both physically and digitally. Only authorized personnel should be allowed in physical PHI storage spaces. Strong password and login precautions should also be put into place.
- Risk assessments: Every covered entity should undergo an annual HIPAA risk assessment. So, if you haven’t started this process already for 2023, now is the time. Risk audits should cover all administrative, physical security, and technical security measures deployed by your organization to achieve HIPAA compliance.
- Investigate violations: In a perfect world, your entire organization will be HIPAA compliant every day of the year. However, lapses do occur, whether they’re spotted by you, an auditor, or regulators. If you do spot a violation, have processes in place to conduct root cause analysis and remediation so the issue doesn’t persist.
By keeping these four principles in mind throughout your HIPAA journey, you’ll be able to achieve and maintain compliance in the most efficient way possible.
2023 HIPAA compliance checklist
The HIPAA Privacy Rule is the foundational piece that all applicable organizations need to familiarize themselves with. The Privacy rule explains when and how authorized personnel can access PHI. This includes healthcare professionals, administrators, lawyers, or anyone else within your health information ecosystem. Concurrently, the HIPAA Security Rule sets the actual protections that need to be put in place, including both technical and non-technical safeguards.
1. Understand HIPAA Privacy and Security Rules
In 2023, there are certain key aspects to the Privacy and Security rules that you’ll want to be aware of. For instance, the Department of Health and Human Services (HHS) will continue to focus on investigating small breaches, potentially increasing their attention to protecting PHI in the fields of psychology, psychiatry, and mental health.
And as healthcare increasingly moves online in the form of remote consultations and digital evaluations, you’ll need to square how you’re conducting those activities with the Privacy Rule. There has been some debate over whether professionals browsing Facebook and social media in the workplace is a HIPAA violation, so you’ll need concrete policies to manage these types of digital health interactions in 2022 and beyond.
In short, the Privacy and Security rules are closely related. By following the HIPAA Security Rule and implementing the right security protocols, you’ll be helping yourself adhere to the Privacy Rule which outlines more general protections of PHI.
2. Determine if the Privacy Rule affects you
Next, you’ll need to assess and confirm that the Privacy Rule does, in fact, apply to your business, practice, or healthcare organization. Remember that the Privacy rule protects individual PHI by governing the practice of all covered entities, from doctors and nurses to lawyers and insurance providers.
Covered entities are the people and organizations that hold and process PHI data for their customers and/or patients. Covered entities are also responsible for reporting HIPAA violations, and are who will pay any fines imposed by the Office of Civil Rights if a HIPAA violation does occur.
HIPAA defines these individuals and organizations as covered entities:
Health care providers
- Nursing homes
- Health Plan
Health insurance companies
- Company health plans
- Government-provided health care plans
- These entities process healthcare data from another entity into a standard form.
3. Protect the right types of patient data
The third action item in your HIPAA compliance checklist is knowing what types of patient data you need to protect and begin putting the right security and privacy measures in place.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or its business associates. This can be in any form of media, from paper and electronic to verbal communications.
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payment information that identifies or for which there is a reasonable basis to believe can be used to identify the individual.”
This typically includes — but is not exclusively limited to — the following kinds of patient data:
- Names and birthdates
- Dates pertaining to a patient’s birth, death, treatment schedule, or relating to their illness and medical care
- Contact information such as telephone numbers, physical addresses, and email.
- Social Security Numbers
- Medical record numbers
- Photographs and digital images
- Fingerprints and voice recordings
- Any other form of unique identification or account number
4. Prevent potential HIPAA violations
HIPAA violations can occur in any number of ways, so it’s critical that you understand what a violation is and how they happen so you can take preventative measures. The most common type of violation is internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.
A workstation left unlocked, or a paper file misplaced in a public setting — although not malicious — are the types of violations to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another great example of a non-intentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.
Here are some of the basic steps you can take to prevent HIPAA violations:
- Understand data breaches: A data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.
- Recognize common violations: Some common causes that can lead to a HIPAA violation are equipment theft, hacking, malware or ransomware, physical office break-in, sending PHI to the wrong party, discussing PHI in public, and/or posting it to social media. Knowing these common violations will help you prevent them from occurring.
- Anticipate a minor breach: A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions to be taken in this instance. Have processes in place in case what HIPAA defines as a minor breach takes place.
- Prep for a meaningful breach: A meaningful breach affects over 500 people within a given jurisdiction. They need to be reported to the Department of Health and Human Services Office of Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties and law enforcement immediately.
5. Stay updated on HIPAA changes
HIPAA compliance can be a moving target, with changes taking place on a regular basis. After you’ve put all of the right cybersecurity measures in place — and processes for potential breach response — you’ll still need to keep abreast of new HIPAA developments. There are a variety of HIPAA changes expected to take effect in 2022 that you should prepare for now.
Some highlights of the 2022 HIPAA update include potential changes to:
- Patient acknowledgment of notice of privacy practices
- The minimum necessary standard for PHI protection
- Allowable disclosures related to care coordination and case management
- Disclosures of PHI for health emergencies
- Citizens’ rights to access their protected health information (PHI)
- Fees that organizations may charge individuals to access PHI
Even though you may have reached HIPAA compliance at present, it’s imperative to monitor the impending 2022 HIPAA update and work with your compliance partner to ensure you comply when it arrives.
6. Know how COVID affects HIPAA
The COVID-19 pandemic is changing healthcare forever, and HIPAA compliance is changing along with it. That’s why an important item on your HIPAA compliance checklist is taking COVID-19 into account in the cybersecurity, physical security, and compliance aspects of your business that might be affected.
The biggest aspect that most healthcare providers and covered entities need to account for is remote work and telehealth. Patients’ PHI is now being handled from more locations and in people’s homes on personal devices in many cases. To account for this, the HHS CSC decided to suspend HIPAA-related fines and penalties for a time.
However, the change may or may not be permanent, so extra precautions involving PHI handling in the work-from-home, telehealth-centric era must be taken to ensure compliance over the long haul. You’ll want to tightly define and control device ownership so that it’s crystal clear who is handling what types of PHI.
The HHS has also recently released guidelines for how healthcare organizations need to treat vaccination status as PHI in 2022 and beyond. The current announcement sets forth very specific guidelines as to how, where, and to whom a patient’s vaccination PHI status can be disclosed. Your HIPAA compliance team should carefully review these standards, build the right processes into your compliance plan, and ensure staff only discloses vaccination status in a HIPAA-compliant fashion.
7. Document everything
One of the best things you can do is to document as much as possible related to your HIPAA compliance efforts. You may even want to implement custom-build HIPAA compliance software to track things like security measures taken, PHI sharing with other entities and potential breach activity.
8. Report data breaches
If someone’s PHI is compromised, HIPAA sets forth rules for notifying affected individuals. These procedures are set for by the HIPAA Breach Notification Rule. Your cybersecurity policy should have procedures in place for notifying the right parties — including regulators or law enforcement — in sufficient time.
Three security tips for HIPAA compliance
Implementing the right security processes and measures is the backbone of year-round HIPAA compliance. Here are four tips to help bolster your PHI security.
- Strong login measures: Ensure that only authorized users have access to PHI by implementing strong standards for ID and password complexity. Make sure that users change their default passwords immediately as well as have systems in place requiring that they change passwords on a regular basis.
- Regular activity logging: Making sure that your IT staff and systems log everything will help comply with HIPAA in that you’ll be always tracking and documenting PHI happenings. Have the right logging and data monitoring technology in place so that you have records of where PHI is, who’s viewed it, and if a breach has occurred.
- Take a multi-layer approach: User IDs and logins are just one layer of potential HIPAA breaches. You’ll also want to examine the security measures taken at various other layers, including network, systems, software, and firewalls. Don’t simply utilize default configurations, for instance, which can be more prone to breaches.
HIPAA Compliance Audit Challenges
HIPAA compliance audits can be challenging and disruptive to the ordinary workday. Here are some questions you can answer in advance that can help you understand what you might face during a HIPAA compliance audit:
Who has access to PHI/ePHI?
Can you provide lists of access rights to data to any folder in your network right now?
Are you regularly auditing permissions, so they are current and updated?
Do you know where all of your PHI lives on the network? Are there controls in place to ensure ongoing security of PHI?
Are you 100% sure there isn’t ePHI with saved that you don’t know about?
If someone does make a mistake and save PHI to the wrong folder will you detect it?
Can you readily identify all file activity that occurs on ePHI?
Are you able to show auditors exactly what data attackers accessed in a data breach?
Are you following the standard security practices described by NIST or SANS?
Asking these questions of your team and implementing a HIPAA compliance software solution that includes Varonis will protect you from data breach and make you look good in the eyes of a compliance auditor.
How to Achieve HIPAA Compliance With Varonis
The HIPAA Security Rule defines the Technical Safeguards you need to implement to be HIPAA compliant. Varonis helps organizations fulfill the requirements in the HIPAA Security Rule by protecting and monitoring your PHI data wherever it lives. Let’s walk through how Varonis maps to the HIPAA requirements and helps you achieve HIPAA compliance.
Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI)
Varonis maps all of your users, folders, and permissions so you can identify where your data is at risk of unauthorized access. With Varonis, you can automatically eliminate the worst offenders of permissions issues – Global Access Groups – with a few button clicks. Varonis empowers you to update permissions on all folders and identify data owners – the people that should be managing and auditing access to their data.
Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Varonis monitors and records your file activity, folder activity, and email activity so you can always answer the question, “Who is accessing my data?” Varonis reporting will allow you to prove to auditors exactly who is accessing your ePHI. Varonis looks for patterns of abnormal behavior on your ePHI and alerts you of any potential misuse from insiders or outsiders.
Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Varonis correlates file access, email activity, and perimeter telemetry to warn you of any potential threats to your ePHI.
A valid user accessing ePHI isn’t noteworthy, but Varonis can tell you if that user account logged in from an odd geographic location, is accessing data they have never touched before, or if the computer they logged into recently triggered a malware alert. Varonis gives you actionable intelligence you can use to investigate any potential intrusion.
Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Varonis monitors DNS, VPN, and Web Proxies to augment and add invaluable context to cybersecurity alerts. Varonis correlates perimeter telemetry with user and file activity to paint a clear picture of current behavior patterns. Any behavior patterns that match a known threat model triggers alerts with all of this correlated data so you can immediately begin research into the incident.
By implementing Varonis as your HIPAA compliance software, you are empowering your organization with a powerful data access governance, data security monitoring, and behavioral analysis system. You will actively protect your PHI data, and you will have early detection of any potential HIPAA data breaches.
HIPAA key resources
Here’s a list of resources to monitor regularly to say ahead of the game in your HIPAA compliance effort in 2022:
HIPAA compliance FAQ
Q: How do I start with HIPAA compliance?
A: The first step towards HIPAA compliance is defining who within your organization is primarily responsible for HIPAA compliance. You can then begin assessing your cybersecurity and business process around PHI, preferably alongside an experienced HIPAA compliance partner. A HIPAA compliance audit is also recommended.
Q: Does HIPAA regulate social media usage?
A: Yes and no. The HIPAA Privacy Rule was adopted before the popularization of most social media platforms, so technically there is no verbatim mention of social media. However, the disclosure of PHI on social media without the patient’s consent is clearly forbidden under HIPAA.
Q: What’s the official definition of a Covered Entity (CE)?
A: A covered entity — as defined by HIPAA — is any business entity that must by law comply with HIPAA regulations. This includes healthcare providers, insurance companies, and clearinghouses. Health care providers include doctors, dentists, vision clinics, hospitals and other related health caregiving services.
Q: What types of information are categorized as PHI?
A: Any information in a patient’s medical records or personal data set that can be used to identify an individual. PHI is created, used, or disclosed while providing a health care service. PHI includes but is not limited to electronic or paper records, x-rays, schedules, medical bills, dictated notes, dental casts, and verbal conversations.
Q: Is employee training required under HIPAA?
A: Yes. HIPAA requires that all employees undergo training annually. Cybersecurity training should already be built into your employee onboarding and development processes, but you should work with a compliance partner to ensure your training is adequate. You should also include training modules and materials that address telemedicine and work-from-home.
Q: How do you do a HIPAA compliance checklist?
A: A HIPAA compliance checklist should be completed in tandem with your compliance partner. While the checklist we’ve outlined will surely get you from point A to point B, a compliance partner can tailor the roadmap to your organization and help implement the right measures more quickly and cost-effectively.
Q: How do I know if my documentation is sufficient for a HIPAA audit?
A: Generally, you will need to have detailed logs. Audit logs document what went wrong and who is responsible in the event of a breach. In an audit, whether random or due to an incident, HHS will want to see these logs. Like all HIPAA compliance documentation, logs must be kept for six years.
Q: What’s the difference between a HIPAA desk audit and a physical audit?
A: A HIPAA desk audit is the most basic form of audit and can be completed on a remote basis. Documents are transmitted between you, the auditor, and your compliance partner from your own “desks.” A physical audit is a more comprehensive on-site audit that closely examines both physical and digital PHI security measures.
Completing your HIPAA compliance checklist for 2022 requires many of the same principles as in previous years, such as implementing technology to ward off cyber threats and implementing the right internal PHI handling policies. You’ll want to keep up to date with HHS and any COVID-related changes to HIPAA and employ healthcare cybersecurity best practices in cooperation with your compliance partner to both attain and maintain HIPAA compliance for the foreseeable future.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.