Achieving HIPAA compliance is a huge task and a costly investment. But breaking it down into manageable steps can help you manage compliance more easily.
Use the checklist below to make sure you’re on the right track.
1. Understand HIPAA Privacy and Security Rules
The first step to compliance is to understand what it means to be in compliance with HIPAA. The combined regulation text for all HIPAA rules is 115 pages long, and parsing through all the standards and technical requirements can be overwhelming.
To understand what is HIPAA compliant, review the HIPAA Privacy and Security Rules to get familiar with the various HIPAA guidelines for healthcare professionals. For instance, there are around 50 implementation specifications in the HIPAA Security Rule under the administrative, physical, and technical safeguards. This section can be highly technical so it will take time to parse out what rules apply and how you can implement them. Start by putting together the big picture and then drill down into the specific details as you go.
2. Determine if the Privacy Rule applies to you
The Privacy Rule defines what information is protected under HIPAA as well as who is covered by the Rule. These covered entities include health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. If you’re not sure if you’re a covered entity, you can use the Covered Entity Decision Tool to find out.
If you are a covered entity, review the Privacy Rule guidelines on what constitutes protected health information and the general principles for uses and disclosures to see what areas may be applicable to your work.
3. Protect the right types of patient data
Not all information is protected under HIPAA—and there are permissible uses of PHI without authorization, such as when the patient data has been anonymized. In order to achieve HIPAA compliance, you’ll need to identify what patient data you have, how it is used, and what data falls under HIPAA regulation.
4. Prevent potential HIPAA violations
Preventing HIPAA violations requires an assessment of risk, a plan to address gaps in compliance and security, and robust implementation. A few HIPAA compliance controls you can include are:
- Encrypting data
- Never leaving devices or documents unattended
- Conducting regular cybersecurity awareness training
- Reviewing compliance requirements
- Never accessing patient records unless necessary
- Safely and properly disposing of PHI
- Ensuring all business associates sign a contract agreeing to HIPAA compliance
- Implementing system monitoring and access control management
5. Stay updated on HIPAA changes
Unfortunately, HIPAA compliance is often a moving target. HIPAA guidelines are subject to change—especially during health emergencies like the COVID pandemic. As technology continues to evolve, requirements will have to evolve too.
For instance, OCR issued a Notice of Proposed Rulemaking on January 21, 2021 that outlined proposed changes to HIPAA regulations. These changes aim to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on health care.
The changes to the Privacy Rule include proposals to:
- Strengthen individuals' rights to access their health information.
- Improve information sharing for care coordination and case management for individuals.
- Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
- Increase flexibility for disclosures in an emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
- Reduce administrative burdens on HIPAA covered health care providers and health plans.
Pay attention to changes in HIPAA guidelines like these so there aren’t gaps in your compliance.
6. Understand how COVID affects HIPAA
COVID has had an outsized impact on the healthcare sector, which has also affected how HIPAA is applied. Covered entities navigating this new public health landscape will need to be up to date on how HIPAA applies to patient privacy in a remote environment, what accommodations the government has made for health practices, and what rules still apply.
For example, under specific circumstances, the HIPAA Privacy Rule allows covered entities to disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, first responders, and public health authorities without the individual’s HIPAA authorization.
7. Document everything
Documentation of your compliance efforts is a critical part of the HIPAA compliance process. The Privacy Rule requires documentation of:
- Policies and procedures
- Communications that require a written/electronic copy
- Any actions, activities, or designations that require written/electronic records
Documentation proves the organization took measures to comply with the HIPAA rules. This is not only important for demonstrating compliance in a potential audit but also for ensuring the organization has a clear understanding of their own compliance landscape. When monitoring and reviewing compliance efforts, documentation provides a record of what steps have already been taken and where there may be gaps in compliance that need addressing.
8. Report data breaches
Between human error, advances in technology, and increasing cyber attacks, breaches are bound to happen occasionally. If and when a breach occurs, it is essential to report the violation as soon as possible. HIPAA guidelines generally require notification of breach within 60 days of discovery.
In order to reduce the impact of potential breaches, it’s important to uncover breaches as early as possible. This can be accomplished through robust monitoring, communication, and training as part of your overall compliance management program. Together with these efforts, you can ensure breaches are discovered early and reported quickly to help minimize the impact and risk to the organization (and patients).
Learn more about the HIPAA Compliance Checklist.