HIPAA Compliance Checklist 2021
The failure to comply with HIPAA regulations can result in substantial fines being issued – even if no breach of PHI occurs – while breaches can result in criminal charges and civil action lawsuits being filed. There are also procedures to follow with regards to reporting breaches of the HIPAA Privacy and Security Rules and issuing HIPAA breach notifications to patients.
Ignorance of the HIPAA compliance requirements is not considered to be a justifiable defense against sanctions for HIPAA violations issued by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR will issue fines for non-compliance with HIPAA regulations regardless of whether violations are inadvertent or result from willful neglect.
HHS HIPAA Compliance Checklist
Our HIPAA compliance checklist has been compiled by dissecting the HIPAA Privacy and Security Rules, the HIPAA Breach Notification Rule, the HIPAA Omnibus Rule and the HIPAA Enforcement Rule. Note that the Health Information Technology for Economic and Clinical Health (HITECH) Act 2009 also has a role to play in HIPAA IT compliance.
Each element of the above-mentioned Rules and Acts must be complied with in order for an organization to be HIPAA compliant. There is no hierarchy in HIPAA regulations whereby one HIPAA Rule takes priority over another, and every one of the standards in our HIPAA compliance checklist must be adhered to if your organization is to achieve full HIPAA compliance.
If you are unsure whether your organization is subject to the HIPAA compliance rules, here is a preliminary HIPAA compliance checklist:
- Determine which of the required annual audits and assessments are applicable to your organization.
- Conduct the required audits and assessments, analyze the results, and document any deficiencies.
- Document your remediation plans, put the plans into action, review annually, and update as necessary.
- If the organization has not already done so, appoint a HIPAA Compliance, Privacy and/or Security Officer.
- Ensure the designated HIPAA Compliance Officer conducts annual HIPAA training for all members of staff.
- Ensure HIPAA training and each staff member's attestation of HIPAA policies and procedures is documented.
- Perform due diligence on Business Associates to assess their HIPAA compliance and review BAAs annually.
- Review the procedures for staff members to report breaches and for how breaches are notified to HHS OCR.
What is HIPAA Compliance?
Before examining the elements of our HIPAA compliance checklist, it is best to answer the question: What is HIPAA compliance? HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as HITECH.
Typically the question that follows "what is HIPAA compliance" is "what are the HIPAA compliance requirements?" That question is not so easy to answer as – in places – the requirements of HIPAA are intentionally vague. This is so that the HIPAA rules are equally applicable to every type of Covered Entity or Business Associate that creates, accesses, processes, or stores PHI. For clarity:
What is a Covered Entity?
A Covered Entity is a health care provider, a health plan, or a health care clearinghouse that, in its normal activities, creates, maintains or transmits PHI. There are exceptions. Most health care providers employed by a hospital are not Covered Entities. The hospital is the Covered Entity and is responsible for implementing and enforcing HIPAA compliant policies.
Employers – despite maintaining health care information about their employees – are not generally Covered Entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these cases they are considered "hybrid entities" and any unauthorized disclosure of PHI may still be considered a breach of HIPAA.
What is a Business Associate?
A Business Associate is a person or business that provides a service to – or performs a certain function or activity for – a Covered Entity when that service, function or activity involves the Business Associate having access to PHI maintained by the Covered Entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc.
Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate's possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.
Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.
All risk assessments, HIPAA-related policies and the reasons why addressable safeguards have not been implemented must be documented, in case a breach of PHI occurs and an investigation takes place to establish how the breach happened. Each of the HIPAA requirements is explained in further detail below. Businesses unsure of their obligation to comply with the HIPAA requirements should seek professional advice.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect electronically created, accessed, processed, or stored PHI (ePHI) when at rest and in transit. The rule applies to anybody or any system that has access to confidential patient data. In this context "access" is interpreted as having the means necessary to read, write, modify, or communicate ePHI, or any personal identifiers that could reveal the identity of an individual.
There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in turn in our HIPAA compliance checklist.
Technical Safeguards
The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization's internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Beyond that, organizations are free to select whichever mechanisms are most appropriate to:
| Implementation Specification | Required or Addressable | Further Information |
|---|---|---|
| Implement a means of access control | Required | This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency. |
| Introduce a mechanism to authenticate ePHI | Addressable | This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner. |
| Implement tools for encryption and decryption | Addressable | This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received. |
| Introduce activity logs and audit controls | Required | The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed. |
| Facilitate automatic log-off of PCs and devices | Addressable | This function logs authorized personnel off of the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access of ePHI should the device be left unattended. |
Physical Safeguards
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA Covered Entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
| Implementation Specification | Required or Addressable | Further Information |
|---|---|---|
| Facility access controls must be implemented | Addressable | Controls who has physical access to the location where ePHI is stored, including software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft. |
| Policies for the use/positioning of workstations | Required | Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation and to govern how functions are to be performed on the workstations. |
| Policies and procedures for mobile devices | Required | If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc. |
| Inventory of hardware | Addressable | An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved. |
Administrative Safeguards
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce. The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in subsequent audit phases; not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing. A HIPAA compliant risk assessment is not a one-time requirement, but a regular task necessary to ensure continued HIPAA compliance. The administrative safeguards include:
| Implementation Specification | Required or Addressable | Further Information |
|---|---|---|
| Conducting risk assessments | Required | Among the Security Officer's main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur. |
| Introducing a risk management policy | Required | The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced. |
| Training employees to be secure | Addressable | Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented. |
| Developing a contingency plan | Required | In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode. |
| Testing of contingency plan | Addressable | The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency. |
| Restricting third-party access | Required | It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI. |
| Reporting security incidents | Addressable | The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. |
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered entities. The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization.
The Rule also gives patients – or their nominated representatives – rights over their health information, including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary. Under the Privacy Rule, Covered Entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared. Covered entities are also advised to:
- Provide training to employees to ensure they are aware what information may – and may not – be shared outside of an organization's security mechanism.
- Ensure appropriate steps are taken to maintain the integrity of PHI and the individual personal identifiers of patients.
- Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising, or research.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires Covered Entities to notify patients when there is a breach of their PHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of PHI and issue a notice to the media if the breach affects more than five hundred patients. There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually. Breach notifications should include the following information:
- The nature of the PHI involved, including the types of personal identifiers exposed.
- The unauthorized person who accessed or used the PHI or to whom the disclosure was made (if known).
- Whether the PHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule was introduced to address a number of areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors. Business Associates are classed as any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a Covered Entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations, and any subcontractors engaged by Business Associates. The Omnibus Rule amends HIPAA regulations in five key areas:
- Introduction of the final amendments as required under the HITECH Act.
- Incorporation of the increased, tiered civil money penalty structure as required by HITECH.
- Introduced changes to the harm threshold and included the final rule on Breach Notification for Unsecured ePHI under the HITECH Act.
- Modification of HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to prohibit the disclosure of genetic information for underwriting purposes.
- Prevented the use of PHI and personal identifiers for marketing purposes.
- Update Business Associate Agreements – Old BA agreements must be updated to take the Omnibus Rule into account. Business Associates must be made aware that they are bound by the same Security Rule and Privacy Rule regulations as covered entities, and must similarly implement the appropriate technical, physical, and administrative safeguards to protect ePHI and personal identifiers. Business Associates must comply with patient access requests for information, and data breaches must be reported to the Covered Entity without delay, while assistance with breach notification procedures must also be provided.
- Issue new Business Associate Agreements – A new HIPAA compliant agreement must be signed before the services provided by a Business Associate are used.
- Update privacy policies – Privacy policies must be updated to include the Omnibus Rule definition changes. These include amendments relating to deceased persons, patient access rights (to their PHI) and responses to access requests. Policies should also reflect the new limitations of disclosures to Medicare and insurers, the disclosure of PHI and school immunizations, the sale of PHI, and its use for marketing, fundraising, and research.
- Update Notices of Privacy Practices – NPPs must be updated to cover the types of information that require an authorization, the right to opt out of correspondence for fundraising purposes, and must factor in the new breach notification requirements.
- Train staff – Staff must be trained on the Omnibus Rule amendments and definition changes. All training must be documented.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of PHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of PHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000.
- A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
- A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.
- Misuse and unauthorized disclosures of patient records.
- No protection in place for patient records.
- Patients unable to access their patient records.
- Using or disclosing to third parties more than the minimum necessary protected health information.
- No administrative or technological safeguards for electronic protected health information.
What Should a HIPAA Risk Assessment Consist Of?
Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains the failure to provide a "specific risk analysis methodology" is due to Covered Entities and Business Associates being of different sizes, capabilities, and complexity. However, OCR does provide guidance on the objectives of a HIPAA risk assessment:
- Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors and Business Associates.
- Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a "reasonably anticipated" breach occurring.
- Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Document the findings and implement measures, procedures, and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
The Importance of Data Encryption
The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks. Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure which should be thoroughly evaluated and addressed. Suitable alternatives should be used if data encryption is not implemented.
Data encryption renders stored and transmitted data unreadable and unusable in the event of theft. Data is first converted to an unreadable format – termed ciphertext – which cannot be unlocked without a security key that converts the encrypted data back to its original format. If an encrypted device is lost or stolen it will not result in a HIPAA breach for the exposure of patient data. Data encryption is also important on computer networks to prevent hackers from gaining unlawful access.
How to Become HIPAA Compliant
Many vendors would love to develop apps, software, or services for the healthcare industry, although they are unsure how to become HIPAA compliant. While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, it can be a difficult process for organizations unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and implement all appropriate privacy and security controls. Until vendors can confirm they have implemented all the appropriate safeguards to protect ePHI at rest and in transit, and have policies and procedures in place to prevent and detect unauthorized disclosures, their products and services cannot be used by HIPAA Covered Entities.
So, what is the easiest way to become HIPAA compliant? You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates the relevant technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules. Get anything wrong and fail to safeguard ePHI and, as a HIPAA business associate, you can be fined directly for HIPAA violations by the HHS' Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also be applicable for some violations.
HIPAA compliance can therefore be daunting, although the potential benefits for software vendors of moving into the lucrative healthcare market are considerable. To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking expert guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with HIPAA certification.
HIPAA IT Compliance
HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA IT compliance checklist are covered. Risk assessment and management is a key consideration for HIPAA IT security. One way to help ensure risks are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework will help prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur.
HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that 'touches' ePHI must incorporate appropriate security protections to ensure its confidentiality, integrity, and availability. One element of the HIPAA compliance checklist that is often low down on the priority list is monitoring ePHI access logs regularly. Inappropriate accessing of ePHI by healthcare employees is common, yet many Covered Entities fail to conduct regular audits and inappropriate access can continue for months or sometimes years before it is discovered.
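As an added example (not from the original page or any HIPAA guidance), the following script shows what the neglected audit-control step looks like in practice: it parses ePHI access log lines and flags accesses that merit follow-up. The log format, field names, care-team roster and business-hours window are all assumptions.

```python
"""Review constructed ePHI access logs for accesses that a HIPAA Security
Officer would want to investigate. Added example; format and policy are
assumptions, not any vendor's or regulator's specification."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2021-03-01T09:12:44,jdoe,nurse,P1001,view
2021-03-01T09:15:02,jdoe,nurse,P1001,update
2021-03-01T13:40:10,asmith,billing,P1001,view
2021-03-01T23:55:31,rlee,physician,P1002,view
2021-03-02T02:10:00,rlee,physician,P1003,view
2021-03-02T08:30:12,tkim,admin,P1001,export
"""

# Assumed roster: which users have a documented treatment or payment
# relationship with which patients. In a real deployment this would be
# pulled from the EHR or scheduling system rather than hard-coded.
CARE_TEAM = {
    "P1001": {"jdoe", "asmith"},
    "P1002": {"rlee"},
    "P1003": {"mwong"},
}

# Assumed policy window; access outside it is not forbidden, just reviewed.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Turn the comma-separated log text into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient_id, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role,
                                  patient_id, action))
    return events


def review(events: list[AccessEvent]) -> list[tuple[str, AccessEvent]]:
    """Return (reason, event) findings. One event can produce several."""
    findings = []
    for ev in events:
        # Access without a documented relationship to the patient is the
        # classic "employee snooping" case the checklist warns about.
        if ev.user not in CARE_TEAM.get(ev.patient_id, set()):
            findings.append(("no documented relationship", ev))
        if not (BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]):
            findings.append(("outside business hours", ev))
        # Exports move ePHI beyond the system's own audit trail.
        if ev.action == "export":
            findings.append(("bulk export of ePHI", ev))
    return findings


def summarize(findings: list[tuple[str, AccessEvent]]) -> Counter:
    """Count findings per user so repeat offenders surface first."""
    return Counter(ev.user for _, ev in findings)


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for reason, ev in found:
        print(f"{ev.ts.isoformat()} {ev.user:<7} {ev.patient_id} "
              f"{ev.action:<7} -> {reason}")
    print("per-user totals:", dict(summarize(found)))
```

Run on the constructed sample, the review produces five findings, three of them for the same user, which is the kind of pattern that goes unnoticed when logs are collected but never read.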
HIPAA Compliance Checklist for IT
In addition to the rules and regulations that appear on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to increase the security of ePHI. Potential lapses in security due to the use of personal mobile devices in the workplace can be eliminated by the use of a secure messaging solution. Secure messaging solutions allow authorized personnel to communicate ePHI – and send attachments containing ePHI – via encrypted text messages that comply with the physical, technical, and administrative HIPAA safeguards.
Email is another area in which potential lapses in security exist. Emails containing ePHI that are sent beyond an internal firewalled server should be encrypted. It should also be considered that emails containing ePHI are part of a patient's medical record and should therefore be archived securely in an encrypted format for a minimum of six years. As medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases, and healthcare organizations can mitigate the risk of this happening to them with a web content filter.
Additional HIPAA IT Requirements
As well as the technological regulations mentioned above, there are many miscellaneous HIPAA IT compliance requirements that are easy to overlook – for example the facility access rules within the physical safeguards of the Security Rule. These HIPAA IT compliance requirements may inadvertently be discounted if the IT Department has no responsibility for the physical security of its servers, and it will be the HIPAA Security Officer's role to establish responsibility. Other areas of the HIPAA IT requirements frequently overlooked include Business Associate Agreements with SaaS providers and hosting companies who may have access to ePHI via the services they provide. The same applies to software developers who build eHealth apps that will transmit PHI. There has to be a Business Associate Agreement in place with any health care provider distributing the app in order to be compliant with the HIPAA IT requirements.
HIPAA Audit Checklist
A further area of our HIPAA compliance checklist concerns a HIPAA audit checklist. The passage of the HIPAA Enforcement Rule created a viable way in which HHS could monitor HIPAA compliance. If it was found that a Covered Entity or Business Associate had made no attempt to comply with HIPAA, HHS could issue fines even if no breach of PHI had occurred. In order to help Covered Entities and Business Associates compile a HIPAA audit checklist, HHS has released audit protocols for the first two rounds of audits.
2021 HIPAA Compliance
On January 5, 2020, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for healthcare organizations and business associates that have implemented recognized security best practices prior to experiencing a data breach. The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a common security framework. The update requires the HHS' Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires the HHS to decrease the extent and length of audits when an entity has achieved industry-standard security best practices.
On December 10, 2020, the HHS' Office for Civil Rights published a Notice of Proposed Rulemaking (NPR) under the HHS' Regulatory Sprint to Coordinated Care initiative. The NPR included several proposed modifications to the HIPAA Privacy Rule to strengthen individuals' access to their own protected health information and to improve the sharing of PHI stored in EHRs between covered healthcare providers and health plans. Comments on the proposed changes are being accepted for 60 days from the date of publication in the Federal Register and, after consideration of submitted feedback, a final rule will be published. While that may occur in 2021, HIPAA-covered entities and business associates will be given time to implement the changes before the new regulations will be enforced.
The update will see the addition of a definition of "electronic health record", which is "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals." The proposed changes in the NPR are:
- Restricting the right of individuals to transfer ePHI to a third party to ePHI that is maintained in an EHR.
- Allowing patients to inspect their PHI in person, take notes, and take photographs of their health records.
- Reducing the timeframe for providing access to PHI or copies of an individual's PHI from 30 days to 15 days.
- The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Clarification that an individual is permitted to direct a covered entity to provide their ePHI to a personal health application.
- Eliminating the requirement for HIPAA-covered entities to obtain written acknowledgment from an individual that they have received the Notice of Privacy Practices.
- A requirement for HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures consistent with a valid authorization and to provide individualized estimates for fees for providing an individual with a copy of their own PHI.
- Amending the definition of healthcare operations to broaden the scope of care coordination and case management that constitute health care operations.
- Specifying when ePHI must be provided to an individual free of charge.
- Covered entities will be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered rather than a copy.
- Covered health care providers and health plans will be required to respond to certain records requests received from other covered health care providers and health plans, when directed by individuals pursuant to the HIPAA right of access.
- Permitting covered entities to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.
- The creation of an exception to the "minimum necessary" standard for individual-level care coordination and case management uses and disclosures, irrespective of whether the activities constitute treatment or health care operations.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services.
- Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is "seriously and reasonably foreseeable," rather than the current definition of "serious and imminent."