HIPAA Compliance Checklist

Published on : 26 Aug 2022

The Health Insurance Portability and Accountability Act (HIPAA) is a data privacy and security regulation for the healthcare industry. It is a comprehensive regulation, and organizations looking to achieve HIPAA Compliance must meet the requirements it outlines. Failure to comply with HIPAA regulations may result in substantial fines, especially in the case of a data breach incident. In fact, a data breach can also result in criminal charges and civil lawsuits, and organizations will also have to follow specific data breach reporting standards and protocols.

So, for organizations subject to HIPAA, it is highly recommended that they read through this article on the HIPAA Compliance Checklist. The blog will help organizations implement all the measures relevant to HIPAA requirements and ensure the privacy and security of Protected Health Information (PHI). Read on to learn and understand the requirements of HIPAA, and consider referring to the HIPAA Compliance checklist prior to undergoing an audit.

HIPAA Compliance Checklist

Every Covered Entity and Business Associate with access to PHI data must implement the relevant Technical, Administrative, and Physical safeguards to ensure maximum safety of PHI data. So, here is a HIPAA compliance checklist: a compilation of the Security, Privacy, Breach Notification, and Omnibus Rule requirements that organizations must implement to ensure compliance.

HIPAA Security Rule

The HIPAA Security Rule highlights the need for organizations to implement safeguards to protect PHI data. The rule applies to all organizations that have access to confidential PHI data. It requires organizations to implement the technical, physical, and administrative safeguards given below to ensure the maximum level of security.

Technical Safeguard

  • Access Controls- Organizations must have identity and access management measures in place. Further, users accessing PHI data must be provided with unique user names and passwords. There must also be a process in place that governs access to data.
  • Authentication- The organization must identify and authenticate ePHI (electronic PHI) and protect it from unauthorized changes and accidental destruction. There must be an appropriate authentication policy and process in place for enforcement.
  • Encryption- Encrypt ePHI data when transmitting it over external networks.
  • Logging & Monitoring- Establish policies and procedures concerning logging and monitoring. Organizations must have a process in place to periodically review audit activity logs and controls. Technical safeguards are required to track and monitor access attempts and to detect and alert on failed attempts. There must also be measures in place for automatic log-off of devices not in use and for blocking accounts after multiple failed logins.
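To show what the Logging & Monitoring safeguard looks like in practice, here is an added example (not code from the original article) that reviews a constructed audit log, flags accounts that exceed a failed-login threshold within a sliding window, and summarizes ePHI record access per user for periodic review. The log format, threshold (5 failures in 15 minutes) and user names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not from the article).
SAMPLE_LOG = """\
2022-08-26T09:00:01Z LOGIN_FAIL user=jdoe src=10.0.0.5
2022-08-26T09:00:20Z LOGIN_FAIL user=jdoe src=10.0.0.5
2022-08-26T09:00:45Z LOGIN_FAIL user=jdoe src=10.0.0.5
2022-08-26T09:01:10Z LOGIN_FAIL user=jdoe src=10.0.0.5
2022-08-26T09:01:30Z LOGIN_FAIL user=jdoe src=10.0.0.5
2022-08-26T09:02:00Z LOGIN_OK   user=asmith src=10.0.0.7
2022-08-26T09:30:00Z LOGIN_FAIL user=asmith src=10.0.0.7
2022-08-26T10:15:00Z LOGIN_FAIL user=asmith src=10.0.0.7
2022-08-26T10:16:00Z PHI_ACCESS user=asmith record=PATIENT-0042 action=read
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)")
MAX_FAILURES = 5            # assumed lockout threshold
WINDOW = timedelta(minutes=15)  # assumed sliding window

def parse_events(text):
    """Yield (timestamp, event, user) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def accounts_to_lock(text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: time_of_lockout} for users reaching max_failures
    failed logins within the sliding window. A successful login resets
    the counter; failures outside the window are discarded."""
    recent = defaultdict(list)
    locked = {}
    for ts, event, user in parse_events(text):
        if event == "LOGIN_OK":
            recent[user] = []
        if event != "LOGIN_FAIL" or user in locked:
            continue
        fails = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = fails
        if len(fails) >= max_failures:
            locked[user] = ts
    return locked

def phi_access_by_user(text):
    """Count ePHI record accesses per user for the periodic log review."""
    counts = defaultdict(int)
    for _, event, user in parse_events(text):
        if event == "PHI_ACCESS":
            counts[user] += 1
    return dict(counts)
```

In the sample, jdoe hits five failures within two minutes and is flagged for lockout, while asmith's two failures are 45 minutes apart and are not.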

Physical Safeguard

  • Facility Access Controls- Have in place physical safeguards that restrict access to facilities holding PHI data. There must also be measures to monitor these facilities from time to time.
  • Workstation Use- There must be a policy and process in place that manages workstations left unattended. For instance, automatic locking of screens after 30 sec of inactivity is an essential measure that must be implemented to secure the devices. There must also be a policy in place that restricts the use of workstations.
  • Inventory- Have an inventory of all the data stored on servers and devices within the organization. Further, monitor its access, use, and movement over the network. The organization must also have a retrievable copy of ePHI before any equipment is moved.
  • Device and Media Controls- Appropriate policies must be established for the use of devices and media containing ePHI data. Further, access to these devices must be tracked and monitored, and authorization for their use must be updated from time to time.

Administrative Safeguard

  • Risk Assessment & Analysis- The organization must have a process in place to frequently conduct a risk assessment and analysis to determine any risk exposure. This is to reduce the level of risk and ensure maximum security. Necessary policies must be established to enforce the risk assessment and analysis process and ensure compliance.
  • Staff Training- Educate employees on the sensitivity of ePHI data and its potential risk exposure. Employees should also be educated about access protocols, identifying and reporting malware, hacks and phishing, governance, and cyber security best practices. All training conducted should be documented for future reference and audit.
  • Security Policies & Procedures- Organizations must develop security policies and procedures that facilitate the implementation and enforcement of technical, physical, and administrative safeguards. This should also include a sanction policy for employees who fail to comply with any requirement stated by the HIPAA Regulation.
  • Security Responsibilities- The organization must appoint security personnel who oversee the implementation and enforcement of all security rules. This personnel will be responsible for, and the single point of contact for, any concerns regarding meeting the requirements of the HIPAA Rules.
  • Contingency Plans- There must be a contingency plan in place to ensure continuity of business in case of an incident. This is to protect the integrity of ePHI, especially while the organization is addressing the incident. The contingency plan must be tested periodically to assess its effectiveness. There must also be a backup process in place that facilitates the restoration of lost ePHI data.
  • Third-party Contracts & Agreements- Appropriate third-party contracts and Business Associate Agreements must be in place to ensure every party or individual having access to ePHI and PHI data complies with the HIPAA rules.
  • Documentation of Security Incidents- There must be a process in place that ensures incidents are reported. Further, there should be an established process for documenting such incidents and an appropriate reporting process.

HIPAA Privacy Rule

The HIPAA Privacy Rule highlights the need to ensure the privacy and security of PHI data. This means organizations are expected to implement appropriate security measures in terms of access controls and processes to limit the use and disclosure of PHI data. So, here is a list of measures one must consider:

  • Privacy Policy & Procedure- Having policies and procedures in place ensures the enforcement of rules. So, organizations must have in place policies and procedures that ensure the privacy and security of the PHI and ePHI data that they deal with.
  • Notice of Privacy Practices- The Notice of Privacy Practices must include details on how you use and disclose the PHI data of individuals or patients, and details of the data sharing policies. It should also include the practices enforced for securing the data.
  • Staff Training- All staff are required to be trained to ensure they meet all the privacy rules. So organizations must have in place policies and processes for conducting staff training. The training should also build awareness of what kind of data is being used and must be protected, and of what data can and cannot be shared under the privacy policy.
  • Respond to Requests- The organization must establish processes that ensure a timely response to patients' requests concerning their PHI data. HIPAA states that an organization must respond to a patient access request within 30 days.
  • Consent- Have a process in place for getting consent from the patient to use redacted ePHI for research, fundraising, or marketing. Also, the patient should be informed that they have an opt-out option for the same.
  • Appointment of Personnel- The organization must appoint a privacy official responsible for developing, implementing, enforcing, and administering privacy practices. There must also be an individual appointed as a point of contact who is responsible for receiving complaints and informing patients about the privacy practices and their rights.
  • Limit Disclosure & Use- The organization must establish policies and processes that limit the use and disclosure of PHI data. PHI data must only be used when necessary, and appropriate consent is required for processing the data for any reason other than what was stated to the patient.
  • Individual Rights- There must be a process in place that informs patients of their rights concerning their ePHI data. Further, there is also a need to establish a process that ensures these rights, and requests pertaining to them, are met. The rights include the Right of Notice, Right of Access, Request for Accounting of Disclosures, Right to Amend, Right to Request Restriction, Alternate Communications, Special Requests, and Right to File Complaints.
  • Documentation & Record Maintenance- HIPAA requires the organization to maintain all PHI documentation, including amendments or requests, documentation concerning the Privacy Rule (including privacy policies and procedures, records of complaints, and privacy practices notices), for at least six years from the last effective date.

Breach Notification Rule

The HIPAA Breach Notification Rule is about having a process in place to notify patients when there is a breach of their PHI. The rule also requires a process that ensures prompt notification of such a breach to the Department of Health and Human Services (HHS), and a notice to the media in case the breach has affected more than five hundred patients. So, here is a list of measures one must consider:

  • Establish an Incident Management Plan.
  • Have in place policies and procedures concerning data breach response.
  • Have in place policies and processes for notifying affected individuals or patients.
  • Have in place a policy and process for promptly notifying HHS.
  • Establish a process to notify the media about the data breach in case it has affected more than 500 patients.

Omnibus Rule

The HIPAA Omnibus Rule sets out additional rules and requirements for businesses subject to HIPAA Compliance. So, here is a list of additional requirements to consider when complying with HIPAA regulations.

  • Business Associate Agreements (BAAs): Ensure that your organization has in place an updated Business Associate Agreement that is in alignment with all the HIPAA Rules. Business Associates are equally responsible for complying with all the rules of HIPAA. So, a signed BAA will ensure that business associates are aware of those rules and agree to comply with them.
  • Privacy Policy: Organizations must also have in place a privacy policy that reflects individuals' rights and the ways requests are responded to. It should also reflect details such as limitations on disclosures to Medicare and insurers, disclosure of PHI for school immunizations, sale of PHI, and its use for marketing, fundraising, and research. Privacy policies must also be updated to comply with all the rules of HIPAA.
  • Notices of Privacy Practices: The Notice of Privacy Practices must be updated to cover the information required by the Omnibus Rule. This includes the uses that require authorization, the right to opt out of fundraising correspondence, and the new breach notification requirements.
  • Updated HIPAA staff training: Staff must be trained on the Omnibus Rule requirements to ensure compliance with HIPAA.

Final Thought

HIPAA Compliance is an ongoing process that organizations must review frequently. For those new to this and looking to achieve HIPAA Compliance, we strongly recommend working through the checklist above. Those who are already compliant and looking to stay compliant must frequently review their processes and update their existing policies and procedures in line with the changing environment to meet the HIPAA requirements. As a final recommendation, we suggest organizations consult compliance experts on ways of achieving and maintaining HIPAA Compliance.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.