Compliance

HIPAA checklist: Compliance and patient data security

We’ve created a HIPAA checklist to help businesses in the healthcare industry navigate compliance and patient data security. Take a look!

February 3, 2023

HIPAA is a federal law in the US that includes vital information for the healthcare industry on patient data security and privacy. This article will present a comprehensive HIPAA checklist for administrative, technical, and physical safeguards and organization and policy requirements.

In the previous blog on our data protection laws collection, we covered California’s take on data privacy laws, explaining why it is crucial to comply with them if you’re an enterprise that deals in the U.S.

Now, it is time to go specific. Today we’ll focus on the health and healthcare industry, which, according to IBM’s study together with the Ponemon Institute, has the highest cost per data record breached.

HIPAA  ensures patient data security

HIPAA ensures patient data security

The Health Insurance Portability and Accountability Act (HIPAA) is the legislation in charge of protecting healthcare information. . This federal law was created in 1996 and provides guidelines on how healthcare providers, clearinghouses, and insurers must treat patient data in a secure manner. Under HIPAA, the patient’s health information (PHI) must be protected as it is stored or transmitted. It doesn't matter if the information was provided in written form, electronically, or verbally.  . Tough right?

Moreover, the US healthcare industry has been pushing high-security standards with electronic healthcare transactions,  code sets, and unique health identifiers, among other things. And yet, data breaches in healthcare continue to increase every year and cost trillions of dollars.

According to Healthcare IT News, the average overall cost of a healthcare security breach rose from $9.2 million in 2021, to $10.1 million in 2022, a 9.4% increase.

What happens if you don’t comply with HIPAA?

Most of the time, the complexity of the law can confuse organizations and cause weak executions. Because of that, it’s crucial to lay down HIPAA’s main requirements as clearly as possible. Especially considering that the law includes financial and criminal penalties for those who violate or fail to comply.

Certainly, when it comes to penalties, HIPAA is serious business. Violation fines range from $100 to $50,000 per violation (up to $1.5M a year per violation) and up to 10 years of imprisonment for those responsible, depending on the case.

HIPAA’s core rule is the Privacy Rule. This part of the legislation specifies that all identifiable health information is to be protected. This includes:

  • All of a patient’s health record history, physical or mental.
  • All health care or financial health care information related to the patient.
  • All personal details that could help identify the patient, like their name or address.

However, there is no restriction regarding the use of de-identified information or anonymized data.  If a string of information cannot be traced back to a patient, it will not be covered by HIPAA. See this summary to understand better the rules behind data disclosure and each specific case that allows it/restricts it.

Patient rights given by the Privacy Rule

The Privacy Rule gives people rights over their personal health information and limits who can access and review that information. It gives patients the following rights:

  • Request Medical Records — Individuals may ask for copies of their records in the format of their choice (electronic or paper) so that they can examine the content.
  • Correct Medical Records — Should any errors be detected in their medical information, individuals have the right to request corrections, then confirm that those changes have been made.
  • Use and Disclosure of Medical Information — An individual’s medical information must be disclosed when needed for patient care. This means that the PHI follows the individual wherever they seek care and is not the proprietary property of any organization that might have initially generated that data.
  • Receive Notifications — Make decisions about whether or not your data can be used and shared with notifications for data use purposes such as a marketing campaign, and get a report when it is shared.
  • File a Complaint — Individuals are entitled to complain to their provider or insurer if they believe their data is not being protected. They also may file a complaint with HHS.

If you want to better instruct patients on handling these rights, use this HIPAA infographic that describes an individual’s rights to their PHI.

Security requirements for Health entities

Let’s move to the second portion of the legislation: the Security Rule. This rule details the administrative, technical, and physical security requirements your entity must meet when protecting e-PHI (electronically protected health information).

The United States Department of Health and Human Services' quick obligations summary gives a snappy look into an entity’s obligations:

Contextual risk analysis

Unfortunately, the amount of requirements specified by HIPAA is not a quick summary. Do not fret! One of HIPAA’s strengths is that it’s contextual and flexible.

HIPAA adapts to each entity’s context. That’s why it requires an implemented and continuous risk analysis process. This will help you as an entity determine the likelihood of potential risks to e-PHI and select proper countermeasures according to the HHS’s suggestions. There are required safeguards (mandatory) and addressable ones (subject to an entity’s context).

This means the HHS takes your entity’s size, resources, and capabilities into consideration. Still, it is the entity’s responsibility to document its risk analysis process, taking note of the identified risks and the reasons behind the selection of the chosen implementations.

HIPAA checklist for administrative safeguard

These include internal procedures involving the management of administrative and human resources in favor of PHI’s security. We’ve prepared a checklist to give a better look at all Required and Addressable security standards below.

Use this table to evaluate those requirements not met by your entity, and utilize HHS’s detailed breakdown of each one of these as a guideline for implementing the right solution to the required standard.

Standards

Implementations: (R) = Required, (A) = Addressable

Security Management Process

• Risk Analysis (R)

• Risk Management (R)

• Sanction Policy (R)

• Information System Activity Review (R)

Workforce Security

• Assigned Security Responsible (R)

• Authorization/Supervision (A)

• Workforce Clearance Procedures (A)

• Termination Procedures (A)

Information Access Management

• Isolating Health Care Clearinghouse functions (R)

• Access Authorization (A)

• Access Security (A)

Awareness and Training

• Security Reminders (A)

• Protection From Malicious Software (A)

• Log-in Monitoring (A)

• Password Management (A)

Security Incident Procedures

• Response and Reporting (R)

Contingency Plan

• Data Backup Plan (R)

• Disaster Recovery Plan (R)

• Emergency Mode Operation Plan (R)

• Testing and Revision Procedures (A)

• Applications and Data Criticality Analysis (A)

Evaluation

• Constant Security Reassessments (R)

Business Associate Contracts and Other Arrangements

• Contract or Arrangements (R)

HIPAA checklist for physical safeguard requirements

These requirements cover measures taken to secure and protect physical access to e-PHI from environmental hazards, unwanted intrusions, and other threats. This extends from the office and, if the information is available there, can extend to the workforce's home or other locations where e-PHI is accessible.

Once again, the table displays physical security standards and their Required or Addressable implementations. To understand these implementations and how to execute them for HIPAA, read the HHS's summary on Physical Safeguards.

Standards

Implementations: (R) = Required, (A) = Addressable

Facility Access Controls

• Contingency Operations (A)

• Facility Security Plan (A)

• Access Control and Validation Procedures (A)

• Maintenance Records (A)

Workstation Use

• Workstation Usage Policies and Procedures (R)

Workstation Security

• Workstation Access Security Measures (R)

Device and Media Control

• Disposal (R)

• Media Re-use (R)

• Accountability (A)

• Data Backup and Storage (A)

HIPAA checklist for technical safeguard requirements

The following suggested implementations tackle technical security measures that need to be taken to protect e-PHI and control its access points.

Use the following HIPAA Checklist to verify the measures your entity has already taken. If necessary, visit the HHS's summary on technical safeguards for further detail about each implementation mentioned.

Standards

Implementations: (R) = Required, (A) = Addressable  

Access Control

• Unique User Identification (R)

• Emergency Access Procedure (R)

• Automatic Logoff (A)

• Encryption and Decryption (A)

Audit Controls

• Implement software/hardware/procedural systems that examine activity in information systems with PIH (R)

Integrity

• Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication

• System to verify the identity of the user who requests access (R)

Transmission Security

• Integrity Controls (A)

• Encryption (A)

HIPAA checklist for organization and policies requirements

There is a group of requirements associated with the documentation and contractual binds behind HIPAA compliance that must also be addressed.  

These can be found in the following summary, detailing how your entity must relate with other entities that handle PHI and how the compliance choices must be documented.

Standards

Implementations: (R) = Required, (A) = Addressable

Business associate contracts or other arrangements

• Business Associate Contracts (R)

• Other Arrangements (R)

Requirements for Group Health Plans

• Implementation Specifications (R)

Policies and Procedures

• Written Security Policies and Procedures (R)

Documentation

• Time Limit (R)

• Availability (R)

• Updates (R)

HIPAA Compliance Checklist

Takeaways

First of all, HIPAA, contrary to the European General Data Protection Regulation (which we also covered in our data laws series), is tailored for the healthcare industry of the United States.

Furthermore, due to the sensibility of the data it protects, it is one of the best industry data protection and privacy legislation in the US,   and also one of the most difficult ones to comply with!

We advise you to review your case with former legal advice, management, AND experienced IT associates to help audit the entity’s current state and implement proper policies that adjust to  HIPAA’s needs.

On the same issue

Three crucial online student privacy laws

Get a deep understanding of the main student privacy laws that keep data safe in the digital classroom. Learn how these regulations work and what they mean.

September 28, 2023
keep reading
Simplify SOC 2 Compliance: A Comprehensive Guide for IT & MSP teams

In a world where "the cloud" isn't just a reference to where Simba's dad lives in "The Lion King", but a critical infrastructure for many organizations, SOC 2 compliance is vital

May 24, 2023
keep reading
Securing Student Data: Your Complete Guide to FERPA Compliance

FERPA is a bit like the 'Marauder's Map' from Harry Potter - in the wrong hands, student information could cause havoc, but in the right hands, it can guide.

May 17, 2023
keep reading
Navigating IT governance: a comprehensive guide to frameworks and benefits

IT governance: frameworks, benefits, and choosing the right one. Learn more for effective IT management.

May 9, 2023
keep reading