HIPAA compliance requires covered entities and business associates to secure protected health information. Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and names of patients, relatives, or employers all must be secured from unauthorized access.
The penalties and fines for HIPAA violations can be steep, in some instances reaching millions of dollars. Yet HIPAA isn’t prescriptive about what it takes to be in compliance. Organizations must safeguard the confidentiality, integrity, and availability of PHI, but how to secure patient information is up to the covered entity or business associate.
To help, we’ve developed this HIPAA compliance checklist, which outlines HIPAA’s requirements and offers tips to better manage data security at your institution.
HIPAA Compliance Requirements Checklist
HIPAA is vague — intentionally so. To provide clarity, the HIPAA Journal sums up compliance requirements as:
“[E]very Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.”
HIPAA deems some safeguards as “addressable” and others as “required.” Here’s what this looks like in practice. Addressable safeguards are not necessarily optional; but if they are unreasonable, the covered entity may introduce an appropriate alternative or, in some cases, not introduce the safeguards at all.
Administrative safeguards
HIPAA’s administrative safeguards refer to policies and procedures designed to clearly show how the entity will comply with HIPAA. This section links HIPAA’s Privacy Rule and Security Rule. Here’s what these safeguards require:
- Conduct risk assessments (required)
- Introduce a risk management policy (required)
- Restrict third-party access to ePHI (required)
- Develop a contingency plan in the event of an emergency (required)
- Test the contingency plan (addressable)
- Provide employee training on cybersecurity (addressable)
- Report security incidents (addressable)
In addition, HIPAA requires that covered entities assign a Security Officer and a Privacy Officer to protect ePHI and govern employee conduct.
Physical safeguards
Physical safeguards focus on securing devices, such as laptops and mobile devices. Workstations and even data centers where ePHI is stored also fall under HIPAA’s physical safeguards.
- Create policies for the use and positioning of workstations (required)
- Create policies and procedures for the use of mobile devices (required)
- Create an inventory of all hardware (addressable)
- Implement facility access controls (addressable)
Note that the above list pertains to ePHI; there may be more requirements related to PHI stored on disks and paper files.
Technical safeguards
Finally, technical safeguards relate to the technology used to protect and access ePHI. The biggest concern for health organizations is to protect PHI at rest or in transit using NIST-standard encryption. In addition, covered entities must:
- Implement access control measures (required)
- Introduce activity logs and audit controls (required)
- Use a mechanism to authenticate ePHI (addressable)
- Implement tools for encryption and decryption (addressable)
- Implement a tool for automatic log-off of PCs and devices (addressable)
Covered entities that work with business associates have more technical safeguards for which they are responsible. Read more about these technical safeguards in our detailed resource, Nightfall’s Guide to HIPAA Compliance for SaaS Applications.
Consider this checklist a starting point for protecting ePHI. HIPAA ultimately seeks to protect patient health information from falling into the wrong hands. For health organizations, it’s both a moral imperative and business mandate to ensure this doesn’t happen.