HIPAA Compliance Checklist

HIPAA fines cost ten companies $28.7 million in 2018, which broke the previous 2016 record for HIPAA fines by 22%! Needless to say, you don't want to have to worry about a HIPAA complaint being filed against your organization, and by going through this straight forward checklist, you can ensure full compliance. 

The primary purpose of the HIPAA is simply to keep people's healthcare data private. If your healthcare organization is an entity that uses and has access to Protected Health Information (PHI), then you are classified as a Covered Entity (CE) and need to make sure you are compliant with HIPAA regulations. 

There are three critical components to PHI security:

• Technical safeguards
• Physical safeguards
• Administrative safeguards

Each part is equally important and must be satisfied to ensure HIPAA compliance. 

You will notice that next to each task there is either an (R) or an (A). R stands for "Required", and A is "Addressable", however, this does not mean that they are optional. Each of the criteria has to be adhered to in order to achieve full HIPAA compliance.

While going through the checklist, bear in mind that the requirements of HIPAA are intentionally vague so that it can be applied equally to different types of covered entities that come into contact with PHI.

For more information on the ins and outs of HIPAA compliance, check out this comprehensive guide. You can also watch the video below for an overview of what is required for HIPAA compliance

In case you're wondering what Process Street is all about...

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Establishing and implementing a means of access control for each user of company software is an essential technical safeguard. 

This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.

State below whether your organization is compliant with this requirement.

Restrict access to ePHI via permissions after you have identified the who should have access.

All attempts to access ePHI must be registered and whatever is done with that data once it has been accessed must be recorded so that if needs be, it can be reviewed at a later date.

In the case of a data breach, CEs need to provide a complete audit trail and show exactly how the breach occurred. Alerts and security analytics should be set up so that you can prevent breaches in the first place.

Introducing a mechanism to authenticate ePHI is an essential component as it confirms whether ePHI has been altered or destroyed in an unauthorized manner. 

To be HIPAA compliant, CEs need to be able to prove that the ePHI they manage is protected from threats both inside and out. Whether a member of staff accidentally deleted a record or a hacker deleted it intentionally, you should be able to recover and restore that record.

Any device used by authorized users to access ePHI must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and in turn, decrypt those messages when they are received. 

In short, you need to be able to prove that only authorized individuals accessed the ePHI. 

As an example, you can use an encrypted email with a private key, HTTPS file transfer, or a VPN. 

This simple function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period of time.

This prevents unauthorized access of ePHI should the device be left unattended.

Once this checklist has been completed, it will require approval from a senior person, such as your IT Security Officer. 

If you have any comments regarding the status of technical safeguards at your organization, state them below so they can be reviewed during the approval process. 

Desktops, laptops, and tablets that are used by staff to access ePHI must be securely managed. Every computer with access to ePHI must adhere to this policy.

If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.

Limit and audit physical access to the computers that store and process ePHI.

A simple and easy way to do is put a lock on the server room door. This will prevent unauthorized physical access, tampering, and theft.

An inventory of all hardware must be maintained, together with a record of the movements of each item. In addition to computers, this includes media such as USB drives, tape backups and removable storage.

A retrievable exact copy of ePHI must be made before any equipment is moved.

If you have any comments regarding the status of physical safeguards at your organization, state them below so they can be reviewed during the approval process. 

The Security Officer designated to managing HIPAA compliance is responsible for conducting regular risk assessments to identify every area in which ePHI is being used, and to determine all of the ways in which a security breach could occur.

Below is a graphic summarising the process of conducting a comprehensive risk assessment.

CEs must establish policies and procedures to prevent, detect, contain, and correct security violations. Part of this process is to follow the procedures stated in the Risk Management Policy to assess overall risk in your current processes or when you implement new policies.

The primary purpose of a risk management policy is to periodically reduce the risks of a security breach by introducing security measures following a risk assessment. This should take place at regular intervals.

It goes without saying that it is vital to ensure ePHI is not accessed by unauthorized parent organizations, subcontractors, or other third-parties.

In the case that a business partner will be granted access to ePHI, a Business Associate Agreement must be signed. 

In the case of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI.

You must have a:

Of course, in the case of an emergency, effective execution of the contingency plan is paramount. 

Therefore it is important to test the contingency plan periodically to assess its effectiveness in various situations.

The most important thing to verify during testing is that there are accessible backups of ePHI and procedures in place to restore lost data in the event of an emergency

CEs must provide workforce training and management for security policies in order to be HIPAA compliant. 

Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware.

All training must be documented. 

A security incident does not necessarily mean a breach. If there is any indication that ePHI is under security threat, there needs to be a formal procedure in place to report such incidents and address the issue as soon as possible.

As mentioned earlier, alerts and security analytics should be set up so that you can prevent breaches in the first place.

If you have any comments regarding the status of administrative safeguards at your organization, state them below so they can be reviewed during the approval process. 

• Varonis - What is HIPAA Compliance? Your 2019 Guide + Checklist
• HIPAA Journal - HIPAA Compliance Checklist
• Safety Culture - HIPAA Compliance Checklist
• PhoenixNAP - HIPAA Compliance Checklist: How Do I Become Compliant?
• Atlantic - HIPAA Compliance Guide & Checklist: What Is HIPAA?
• Compliancy Group - What is HIPAA Compliance?
• U.S. Department of Health & Human Services - Summary of the HIPAA Security Rule
• Otava - What is HIPAA Compliance?
• Digital Guardian - What is HIPAA Compliance?

• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• General Infection Control Checklist
• Patient Intake Checklist for a Medical Clinic
• Electrical Inspection Checklist for Hospitals