9-Step HIPAA Compliance Checklist

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a significant piece of U.S. legislation enacted in 1996. It was originally designed to allow individuals to carry forward their health insurance coverage during periods of unemployment or job transition. However, the act evolved to provide a robust framework for the privacy and security of protected health information (PHI).

HIPAA mandates the creation and implementation of national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. At its core, HIPAA ensures that an individual’s health information is properly protected while allowing the flow of data needed to provide high-quality health care and protect public health and well-being.

Its regulations are extensive, encompassing the use and disclosure of individuals’ health information (known as “protected health information” or PHI), which is critical for healthcare providers, health plans, and other entities that process health information. Furthermore, it provides patients with critical rights regarding their health information, including the right to examine and obtain a copy of their health records and request corrections.

The Act’s provisions aim to strike a balance between protecting individual privacy and providing necessary information for health care delivery. Compliance is overseen by the Department of Health and Human Services and enforced by the Office for Civil Rights.

This is part of a series of articles about HIPAA compliance.


Who Needs to Comply with HIPAA?

HIPAA compliance isn’t just for hospitals or large healthcare systems. Any organization that handles protected health information (PHI) must comply with HIPAA. This includes small private practices, health insurance companies, and even third-party vendors who provide services to these entities.

Covered entities, as defined by HIPAA, include health plans, health care clearinghouses, and health care providers that transmit any health information electronically. They bear the primary responsibility for HIPAA compliance. This means they must have measures in place to protect PHI, notify individuals of their privacy practices, and only disclose PHI as allowed under the law.

‘Business associates’ are also required to comply with HIPAA. These are any organizations or persons working with a covered entity who handle PHI. They can range from a billing company to a cloud storage provider. Just like covered entities, business associates must also have safeguards in place to protect PHI and are liable for any breaches of this information.


What Does the HITECH Amendment Apply To?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted as part of the American Recovery and Reinvestment Act. The HITECH amendment expands the scope of the privacy and security protections available under HIPAA. It also raises the penalties for health organizations that violate the HIPAA Privacy and Security Rules.

The HITECH Act also promotes the adoption and meaningful use of health information technology. It has given a significant boost to the cause of electronic health records and healthcare IT. The amendment applies to all the same entities as HIPAA, and it has increased the potential legal and financial penalties of non-compliance.

The provisions of the HITECH Act are extensive and required covered entities to revise their agreements, procedures, training, and communications to comply. One of the most significant changes under HITECH is the extension of full HIPAA compliance requirements to business associates.


A 9-Step HIPAA Compliance Checklist

Here is a quick checklist that can help you take the first steps towards HIPAA compliance. Our checklist is not exhaustive, but it covers the most important things you should prepare for.

1. Understand HIPAA’s Three Rules

A core part of HIPAA compliance is understanding the three rules of HIPAA: the Privacy Rule, the Security Rule, and the Breach Notification Rule:

  • The Privacy Rule establishes national standards for the protection of certain health information. It regulates how such information can be used and disclosed and grants patients certain rights over their health information. Understanding how to apply these regulations is key to ensuring that your organization is compliant.
  • The Security Rule establishes standards for protecting health information that is held or transferred in electronic form. It specifies a series of administrative, physical, and technical safeguards for entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
  • The Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. The notification must be given without unreasonable delay and no later than 60 days following the discovery of a breach.

2. Discover Which Rules Apply to Your Organization

Covered entities, which include health plans, healthcare clearinghouses, and certain healthcare providers, are directly regulated by HIPAA. These organizations must comply with all HIPAA rules, unless a specific exemption applies.

Business associates, on the other hand, are only required to comply with certain provisions of the HIPAA rules. These include entities that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to, or the use or disclosure of, protected health information.

3. Perform a Risk Analysis

A core step in working through a HIPAA compliance checklist is to perform a risk analysis. This is a process in which you identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.

The risk analysis should include an evaluation of the likelihood and impact of potential risks to e-PHI, the implementation of appropriate security measures to address those risks, documentation of the chosen security measures, and where required, the rationale for adopting those measures.

4. Facility Access and Control Measures

This step ensures that only authorized personnel have access to Protected Health Information (PHI). This may involve physical security measures, such as keycard access, secure storage areas for patient records, and surveillance systems. It also includes digital security measures, like secure networks, encrypted data storage, and robust firewalls.

An effective visitor management system is an essential part of facility access control. Visitors should be logged in and out, and escorted at all times within the facility. This measure further ensures that unauthorized individuals do not have the opportunity to come across any PHI.

5. Technical Safeguards and Access Controls for Electronic Protected Health Information (EPHI)

The HIPAA Security Rule requires covered entities to implement technical safeguards to protect EPHI. These safeguards should allow only authorized individuals to access electronic protected health information.

The access control measures must include unique user identification (assigning a unique name and/or number for identifying and tracking user identity), emergency access procedure, automatic logoff, and encryption and decryption.

6. Comprehensively Implement Encryption

Encryption is another essential aspect of HIPAA compliance. The HIPAA Security Rule treats encryption as an addressable implementation specification. This means that if the entity decides that the specification is not reasonable and appropriate, it must document the reason and implement an equivalent alternative measure.

Covered entities and business associates should use encryption technology for transmitting EPHI, particularly over the internet. As technology advances, encryption is becoming a standard practice for securing EPHI.

7. Establish a Sanction Policy for Non-Compliance

A sanction policy outlines the consequences for employees who do not adhere to HIPAA regulations. It is crucial for deterring potential violations and demonstrating your organization’s commitment to privacy and security. Here are the key steps in creating and enforcing a sanction policy:

  • Define what constitutes a violation: This could range from unauthorized access to patient information, failure to secure patient records, or sharing PHI without proper authorization. It’s important to be specific and clear in defining violations to avoid any ambiguity.
  • Outline the consequences of violations: These might include disciplinary actions such as written warnings, suspension, or even termination. The severity of the sanction should correspond to the severity of the violation.
  • Communicate the policy to all staff members: They should be aware of the potential consequences of non-compliance, and it should be made clear that the policy will be enforced consistently.

8. Establish an Incident Response Team

A HIPAA incident response team is responsible for responding to any potential breaches of PHI, investigating the incident, and implementing corrective measures. The following steps will help you establish an incident response team to meet HIPAA requirements:

  • Identify personnel who will make up the team: This typically includes individuals from the IT department, management, legal, and human resources. These individuals should have the necessary knowledge and expertise to manage a potential breach effectively.
  • Define roles and responsibilities: This could include tasks such as conducting the initial investigation, notifying affected individuals, liaising with law enforcement, or implementing corrective measures.
  • Create an incident response plan: The plan should clearly define how the incident response team should identify security incidents, carry out initial containment of an incident, eradicate the incident, restore normal operations, and perform post-mortem investigation of the incident to improve their process.
  • Conduct regular practice drills: These ensure the team is prepared for a potential breach. Drills can help identify any gaps in the response plan and ensure that every team member is clear about their role in the event of a breach.

9. Provide Regular Training on HIPAA Policies and Procedures

HIPAA staff training should cover topics including the basics of HIPAA, how to identify PHI, the importance of protecting PHI, and the consequences of non-compliance. It should also cover specific procedures related to PHI, such as how to securely store, transmit, and dispose of PHI.

It’s important to keep records of all training sessions. This includes the date of the training, the content covered, and the attendees. This documentation can serve as evidence of your organization’s commitment to HIPAA compliance in the event of an audit.

Finally, training should not be a one-time event. Regular refresher courses should be scheduled to ensure staff members remain knowledgeable about HIPAA requirements. This also provides an opportunity to update staff on any changes to HIPAA regulations or internal policies.


Other Key Considerations

Here are a few other important considerations as you align your organization with HIPAA requirements.

  • Emergency access procedures: Covered entities and business associates should have policies and procedures that enable continuation of critical business processes for the protection of the security of EPHI while operating in emergency mode.
  • Automated logoff and other access control measures: Automatic logoff is a technical control that terminates an electronic session after a predetermined time of inactivity, and it’s a feature that can be implemented on almost any technology system. This is particularly important if the information system contains PHI.
  • Unique identifiers for entities and credentials: Under the HIPAA rules, every covered entity and business associate must have a unique identifier. This allows the covered entity or business associate to be identified in standard transactions. The covered entity or business associate can use its Employer Identification Number (EIN) as its identifier.
  • Root Cause Analysis (RCA) and post-event review: Post-event review and process improvement is a proactive approach to prevent future breaches by learning from past breaches. RCA is a process of identifying the factors that caused the breach and taking steps to prevent such events in the future.
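As an added illustration of the technical safeguards named in step 5 and in the emergency access and automatic logoff items above (a constructed example, not code from the original article or from any product), the following Python sketch attributes every EPHI access to a unique user ID, terminates idle sessions, and records a justification for emergency "break-glass" access. The 15-minute inactivity limit, the user and record names, and the audit log format are assumed values.

```python
import time
from dataclasses import dataclass

# Hypothetical policy value: the Security Rule requires automatic logoff
# but does not fix the interval; organizations choose it in their risk analysis.
INACTIVITY_LIMIT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str        # unique user identification, so every action is attributable
    last_activity: float


class EphiAccessControl:
    """Access-control layer for an EPHI record store (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can simulate idle time
        self._sessions = {}          # session_id -> Session
        self._authorized = {}        # user_id -> set of record ids the user may read
        self.audit_log = []          # (timestamp, user_id, record_id, decision)

    def grant(self, user_id, record_id):
        self._authorized.setdefault(user_id, set()).add(record_id)

    def login(self, session_id, user_id):
        self._sessions[session_id] = Session(user_id, self._clock())

    def _active_session(self, session_id):
        """Return the session, or None after terminating it for inactivity (automatic logoff)."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[session_id]
            self.audit_log.append((now, s.user_id, None, "AUTO_LOGOFF"))
            return None
        s.last_activity = now
        return s

    def read_record(self, session_id, record_id):
        """Normal access path: allowed only for records the user is authorized to see."""
        s = self._active_session(session_id)
        if s is None:
            return "NO_SESSION"
        decision = "ALLOW" if record_id in self._authorized.get(s.user_id, set()) else "DENY"
        self.audit_log.append((self._clock(), s.user_id, record_id, decision))
        return decision

    def emergency_access(self, session_id, record_id, justification):
        """Emergency access procedure: permitted with a justification, and flagged for post-event review."""
        s = self._active_session(session_id)
        if s is None:
            return "NO_SESSION"
        if not justification.strip():
            return "DENY"
        self.audit_log.append((self._clock(), s.user_id, record_id, "EMERGENCY:" + justification))
        return "ALLOW"
```

Every emergency entry in the audit log is a candidate for the root cause analysis and post-event review described above.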

HIPAA Compliance with Exabeam

Noncompliance with HIPAA can result in heavy fines from OCR and other consequences. When patch management, access controls, and monitoring are not fully implemented with the right solution stack, it leaves the organization vulnerable to ransomware and other attack vectors that can impact patient care.

The AI-Driven Exabeam Security Operations Platform combines log telemetry with context, security intelligence feeds, and AI analysis to identify anomalous behaviors that indicate potential attacks. Pre-built dashboards make HIPAA compliance reporting easier. Whether you are using a framework like NIST or MITRE ATT&CK, Exabeam offers a clear path to track your compliance and governance request needs, while also establishing what normal looks like in your environment and for every entity logged in.

The Outcomes Navigator feature in the Exabeam Platform offers continuous visualization and insight into your detection coverage and the improvements made. It suggests improvements in log parsing and shows which sources and detections are most effective against which parts of the ATT&CK framework, and which use cases are most indicative of network penetration, persistence, and lateral movement, all techniques used by attackers looking to exfiltrate in-scope HIPAA data.

For more info, visit the Exabeam Compliance page