HIPAA COMPLIANCE CHECKLIST: STEPS TO TAKE TO BECOME HIPAA-COMPLIANT
8 min
Dec 11 2020
Alex К HIPAA Compliance Checklist: Steps to Take to Become HIPAA-compliant
Alex КTechnical writer
Danil L HIPAA Compliance Checklist: Steps to Take to Become HIPAA-compliant
Danil LWeb Developer
HIPAA is essential for any organization and individual dealing with healthcare. What is it, and how to be compliant with it? Are telehealth apps and websites also a subject of HIPAA? Let’s find out the answers to all these questions.
HIPAA stands for the Health Insurance Portability and Accountability Act. The American government adopted it in 1996, and since that, the legislation has been regulating the rules on how any medical information must be kept and shared. There have been some amendments to HIPAA throughout the years, and the most significant of them is HITECH (Health Information Technology for Economic and Clinical Health). Nowadays, healthcare providers apply electronic medical records to collect and keep all the necessary information about patients. This is why the authorities have created more HIPAA standards to follow and added compliance guidelines. Health records are sensitive information that must stay safe, while HIPAA compliance becomes even more important during the global pandemic.

FAQ ON HIPAA COMPLIANCE

In what countries is HIPAA relevant?

The Act primarily affects Americans and also regulates the medical records of other countries’ citizens who receive treatment in the U.S.

What kinds of organizations are required to be HIPAA-compliant?

Each organization or an individual that must follow HIPAA regulations is called a Covered Entity. There is a wide range of them, divided into three categories:
All these organizations and people working in them must be HIPAA-compliant to ensure the security of PHI (protected health information) while creating, managing, and transmitting data.
Note: According to HIPAA, an individual employee is not a Covered Entity. Only an organization (e.g., a hospital) is responsible for HIPAA compliance and can be fined for breaching. Healthcare workers can only become Covered Entities by offering self-insured health cover or an EAP.
Hipaa compliance during covid
HIPAA compliance is essential during the pandemic

What is a Business Associate?

It is an official name for a business or a person granting services to a Covered Entity. It can be a lawyer, an accountant, an IT specialist, or a company providing cloud storage services, data encryption, etc. Only after Business Associates sign the Agreement, they are allowed to perform their functions that can include access to PHI. During the process of working with medical records, a Business Associate must maintain HIPAA compliance just like a Covered Entity.

Which authority is responsible for HIPAA compliance?

There are two legislatures – HHS (U.S. Department of Health and Human Services) and OCR (The Office for Civil Rights).

What are the penalties for not being HIPAA-compliant?

If a company or an individual violates the principles of HIPAA, it can lead to various consequences – a fine, a civil action lawsuit, or a criminal charge. Fines depend on the seriousness of a violation, starting from $100 per record. In some cases, a financial penalty can reach $50,000 per each breach of HIPAA compliance. The maximum fine is $1.5 million a year for violations of the same nature.

How is HIPAA compliance enforced during the COVID-19 emergency?

OCR and HHS are providing enforcement discretion during the pandemic. It means that a Covered Entity might not get punished for some violations made in emergency situations. However, HIPAA remains in effect, and compliance with its standards and regulations is required for all healthcare organizations and their partners.

Why is HIPAA compliance significant?

You must keep HIPAA compliance to ensure your patients’ privacy and to protect your organization from ransomware attacks. Specialists report many targeted cybercrimes in the healthcare sector – criminals use sophisticated methods to steal data and then make money from healthcare providers. Being HIPAA-compliant is critical today, as many companies operate large and complex networks and store data in the cloud.
Hipaa compliance checklist
The key areas to take care of when you follow HIPAA compliance rules

HIPAA COMPLIANCE CHECKLIST

How to keep patient data protected? What steps should you take to become HIPAA-compliant? A great way is following official guidelines or a handy checklist. Major steps to ensure HIPAA compliance:
  1. Define the level of access to PHI for your organization or business.
  2. Perform audits and assessments. In order to be HIPAA-compliant, do audits regularly.
  3. Do the risk analysis. It must also be conducted on a regular basis.
  4. Study the required HIPAA rules and procedures. Enforce them in your organization.
  5. Make data protection arrangements – technical, administrative, paper-based, etc.
  6. Train your employees to become HIPAA-compliant.
  7. Seek professional HIPAA compliance advice, if necessary.
Now let’s discover those steps in detail.

Audits and Assessments for HIPAA Compliance

You must regularly carry-out audits within your company. Security assessments will help you be compliant with HIPAA and enable medical data protection. You can use this checklist:

Risk Analysis to be Compliant with HIPAA

The checklist for risk analysis includes the following operations:

Procedures to Make your Business HIPAA-compliant

Study the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule. All your inner documentation should be annually reviewed to find and eliminate any issues. Here is a checklist of privacy procedures you should implement and follow daily:

Data Protection Measures for HIPAA Compliance

Safe measures for medical data help keep them confidential, as well as available and well-integrated in your systems. The HIPAA compliance checklists for technical measures:
The HIPAA compliance checklist for physical measures:
The HIPAA compliance checklist for administrative measures:

HIPAA Compliance for Employees

Members of your staff working with medical records should have an in-depth understanding of cybersecurity and HIPAA compliance. Provide appropriate training and communications regularly. The HIPAA compliance checklist for staff training:

HIPAA Compliance for Business Associates

Every time you apply to a third party, they must sign a Business Associate Agreement. It includes important information about medical data access, return and utilization of records, etc.
Hipaa compliance for business associates
Business Associates are various companies and individuals
The HIPAA compliance checklist for communication with Business Associates:

HIPAA Compliance Incidents

Breaches in your security systems may happen unexpectedly, and you have to establish special procedures for such incidents. The HIPAA compliance checklist for dealing with incidents:

HIPAA Compliance 2021 – Checklist for IT

In addition to the original rules from the HIPAA compliance checklist, there are specific modern-era regulations for your company’s IT department or the specialists you may outsource. What should you do to increase the security of electronic medical records? The HIPAA compliance checklist for messaging and databases:
Hipaa compliance checklist for it
Rules to be HIPAA compliant and avoid cyber threats
There are many other cases when you have to remain compliant with HIPAA. Sometimes your company needs to apply to third parties for specific services that you can’t conduct in-house. You can achieve HIPAA compliance through strict requirements for your Business Associates. They might be:
You have to create HIPAA-compliant agreements with people and businesses that will transmit patients’ medical records while providing services for you. This way, you’ll protect your systems from illegal access.

HIPAA COMPLIANCE FOR TELEHEALTH APPS AND SOCIAL MEDIA IN 2021

Companies that build E-health apps should also be compliant with HIPAA regulations. Such apps can collect, keep, and transmit patients’ medical information to provide consultations with certified doctors. During the current pandemic, many people practice social distancing and self-isolation, and healthcare companies offer new telehealth services. This option is also available for those who use Medicare and Medicaid. In order to support healthcare providers and patients, the authorities exercised enforcement discretion, which means special (emergency) regulations for HIPAA compliance. If a platform for E-health services isn’t fully compliant with HIPAA, it may not receive sanctions and penalties for that. Telehealth remote communications usually include text, audio- or video chats between a user (patient) and a consultant (medical doctor). According to the OCR regulations, the use of HIPAA-compliant platforms is considered preferable. However, in the situation of the global pandemic, the authority allows to use various "non-public facing" software. Such products allow only chosen people (for example, a doctor and a patient) to participate in remote communication.
Hipaacompliant remote communications
These and similar apps are recommended for remote doctor-patient communication
"Non-public facing" communication tools can be HIPAA-compliant if they work like:
Nowadays, social media is also one of the sources of conducting communications and sharing information. Are there special regulations of HIPAA compliance for social networking? Although most of HIPAA rules were enacted many years ago, we can apply the basic ones to present-day realities. All social media apps and websites must be compliant to HIPAA – it means you need a patient’s permission to share any personal medical information via these channels. If a company makes such a violation of HIPAA, it may receive a penalty.

BOTTOM LINE

Compliance with HIPAA regulations is essential for all healthcare providers, including telehealth apps’ owners. Their partners like SaaS providers, web development businesses, and hosting companies must also be HIPAA-compliant. To determine whether your organization must follow the HIPAA compliance guidelines, please approach a professional lawyer for a consultation. If you’re planning to develop a telehealth app or other solution for healthcare, you most certainly need to study HIPAA compliance practices.
Most popular questions

What is HIPAA and where is it relevant?

HIPAA stands for the Health Insurance Portability and Accountability Act. It primarily affects Americans and also regulates the medical records of other countries’ citizens who receive treatment in the United States.

What businesses and organizations must be HIPAA-compliant?

HIPAA is essential for any organization and individual dealing with healthcare. The official list includes:
  • Healthcare providers (hospitals, outpatient clinics, home healthcare companies, pharmacies, laboratories, medical equipment companies, etc.)
  • Healthcare clearinghouses
  • Health insurance plans

What is the general checklist for HIPAA compliance?

  • Define the level of access to PHI for your organization or business.
  • Perform audits and assessments. In order to be HIPAA-compliant, do audits regularly.
  • Do the risk analysis. It must also be conducted on a regular basis.
  • Study the required HIPAA rules and procedures. Enforce them in your organization.
  • Make data protection arrangements – technical, administrative, paper-based, etc.
  • Train your employees to become HIPAA-compliant.
  • Seek professional HIPAA compliance advice, if necessary.
BLOG LATEST
Popular articles
GOT AN IDEA? LET'S DISCUSS!
Share your project’s scope, timeline, technical requirements, business challenges, and other details you consider necessary. Our team will study them and contact you soon. Let’s make an exciting product together!
By sending this form I confirm that I have read and accept the Privacy Policy
Book a consultation!
Igor Teterevlyov
Igor TeterevlyovHead of Sales Department
CONTACT US
WELCOME TO OUR OFFICES
Georgia
Russia