Companies or organizations handling Protected Health Information (PHI) need to become HIPAA compliant in order to properly protect the privacy and security of their clients’ PHI. So the question is: what steps need to be taken to become compliant? Essentially, there are 4 main rules that need to be examined and followed in order to become HIPAA compliant. Throughout each of these rules and their subsets there are both required (action) items and addressable items; an addressable item must be put into place if it is reasonable and appropriate to do so. This checklist is meant to serve as an overview of HIPAA compliance and is not comprehensive; please refer to the U.S. Department of Health & Human Services for detailed information on each rule and its implementation.
The 4 rules are as follows with some general guidelines and suggestions that should be followed or enacted:
1. HIPAA Privacy Rule (Action Items) – Required of Business Associates:
- Don’t allow improper use or disclosure of PHI.
- Provide breach notification to the Covered Entity (CE).
- Provide either the individual or CE access to PHI.
- Disclose PHI to the Secretary of HHS (Health and Human Services), if needed.
- Provide a record of disclosures.
- Comply with the requirements of the HIPAA Security Rule.
2. HIPAA Security Rule (Action Items) – Requires organizations to provide notification if a breach of unsecured PHI occurs.
Technical Safeguards – This area focuses on technology that protects and controls access to PHI.
- Access Control –
  - Assign a unique name or ID to each user (required)
  - Create and use procedures for locating and retrieving Electronic PHI (ePHI) in an emergency (required)
  - Make sure electronic mechanisms are in place to time out each user session after a period of inactivity (addressable)
  - Encrypt and decrypt ePHI data (addressable)
- Audit Controls (required) – Implement hardware, software, or procedural mechanisms that record activity in information systems containing or using ePHI and allow that activity to be reviewed
- Integrity (addressable) – Use electronic mechanisms to verify that ePHI has not been altered or destroyed without authorization
- Authentication (required) – Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be
- Transmission Security (addressable) – Use security measures that ensure ePHI is not altered or disposed of without knowledge or permission while it is being transmitted, and encrypt ePHI in transit when appropriate
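As an added illustration (not part of the original checklist), the following Python sketch models three of the technical safeguard items above: an idle-session timeout, an audit log that ties each ePHI access to a unique user ID, and an integrity check that detects after-the-fact edits to that log. The timeout value, the key, and the sample events are assumptions made for the example.

```python
import hashlib
import hmac
import json

SESSION_TIMEOUT_SECONDS = 900         # assumed policy: 15-minute idle timeout
AUDIT_KEY = b"constructed-demo-key"   # constructed; a real deployment uses a managed secret


def session_active(last_activity: int, now: int, timeout: int = SESSION_TIMEOUT_SECONDS) -> bool:
    """Automatic logoff: a session is no longer valid once idle longer than the timeout."""
    return now - last_activity <= timeout


def append_event(log: list, user_id: str, action: str, record_id: str, ts: int) -> dict:
    """Audit control: record which unique user ID did what to which ePHI record.
    Each entry carries an HMAC over its fields plus the previous entry's HMAC,
    so entries cannot be edited, reordered or dropped without detection."""
    prev = log[-1]["mac"] if log else "0" * 64
    body = {"user_id": user_id, "action": action, "record_id": record_id, "ts": ts, "prev": prev}
    msg = json.dumps(body, sort_keys=True).encode()
    entry = dict(body, mac=hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest())
    log.append(entry)
    return entry


def verify_log(log: list) -> int:
    """Integrity check: return the index of the first entry whose MAC or chain
    link no longer matches, or -1 when the whole log is intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return i
        msg = json.dumps(body, sort_keys=True).encode()
        if not hmac.compare_digest(hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest(), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def demo():
    """Constructed scenario: two legitimate accesses, then a tampered first entry."""
    log = []
    append_event(log, "nurse042", "read", "patient-1001", 1_700_000_000)
    append_event(log, "nurse042", "update", "patient-1001", 1_700_000_100)
    intact_before = verify_log(log) == -1
    log[0]["user_id"] = "someone-else"   # simulate an after-the-fact edit of the record
    # returns (True, 0, False): intact before, tampered at index 0, session idle too long
    return intact_before, verify_log(log), session_active(1_700_000_000, 1_700_001_000)
```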
Physical Safeguards – This area looks at the physical processes being used to protect an organization’s electronic information systems and related buildings and equipment.
- Facility Access Controls (addressable) –
  - Establish a facility access plan that supports the restoration of lost data under the disaster recovery plan in the event of an emergency
  - Protect the facility and the equipment inside it from unauthorized physical access, tampering, and theft
  - Apply procedures to control and approve a person’s access to facilities based on role or function
  - Document repairs and changes to the security-related physical components of a facility (e.g. hardware, doors, locks)
- Workstation Use (required) – Specify the functions to be performed, how to perform them, and the physical attributes of workstations that access ePHI
- Workstation Security (required) – Enact physical safeguards for all workstations with access to ePHI and restrict their use to authorized users
- Device and Media Controls
  - Follow procedures for the final disposal of ePHI and/or the hardware or media on which it is stored, and for the removal of ePHI from electronic media before the media are reused (required)
  - Track the movement of hardware and electronic media, including the person responsible, and create an exact copy of ePHI before moving any equipment (addressable)
Administrative Safeguards – These policies govern the workforce and enforce security measures put in place to protect ePHI. Your company must assign a privacy officer, complete an annual risk assessment, review the policies, and implement employee training.
- Execute Business Associate Agreements (BAAs) with all partners that handle PHI
- Security Management Process (required)
  - Document and analyze risk to determine where PHI is used and stored, identify potential HIPAA violations, and implement measures that reduce those risks appropriately
  - Implement sanction policies for employees who fail to comply
  - Review system activity, logs, and audit trails
- Assigned Security Responsibility – Officers (required) – Designate HIPAA Security and Privacy Officers
- Workforce Security – Employee Oversight (addressable)
  - Follow procedures to authorize and supervise employees working with PHI, and to control employee access to PHI
  - Ensure that an employee’s access to PHI ends when employment is terminated
- Information Access Management (required)
  - Ensure PHI cannot be accessed by parent or partner organizations, or by subcontractors, that are not authorized for access
- ePHI Access (addressable) – Document the procedures used to grant access to ePHI, or to the services and systems that provide access to ePHI
- Security Awareness and Training (addressable)
  - Send updates and reminders about security and privacy policies to employees
  - Use procedures for guarding against, detecting, and reporting malicious software
  - Monitor logins to systems and report discrepancies
  - Make sure there are procedures for creating, changing, and safeguarding passwords
- Security Incident Procedures (required) – Identify, document, and respond to security incidents
- Contingency Plan (required)
  - Ensure accessible backups of ePHI and data restore procedures are in place (required); periodically test and revise contingency plans (addressable)
  - Assess how critical specific applications and data are relative to the contingency plan’s components
  - Plan how to continue the critical business processes that protect the security of ePHI while operating in emergency mode
- Evaluations (required) – Conduct evaluations to determine whether changes in your business or in the law require changes to your HIPAA compliance procedures
- Business Associate Agreements (required) – Use contracts with business partners who will have access to your company’s PHI to ensure their compliance, and ensure that partners who pass similar access on to other parties do so through like agreements
3. HIPAA Enforcement Rule – This rule lists processes for investigations, defines penalties ($5000 and higher), and identifies procedures for hearings.
- Health care providers must notify patients when there is a security breach involving their PHI.
- HHS must be notified of the breach, and if it affects 500 patients or more, the media and the public must be notified as well.
In summary, HIPAA is really asking you to do 4 things:
- Put safeguards in place to protect patient health information.
- Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
- Have agreements in place with any service providers that perform covered functions or activities for you. These agreements (BAAs) are to ensure that these service providers (Business Associates) only use and disclose patient health information properly and safeguard it appropriately.
- Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information.