HIPAA Compliance Checklist: Steps to Take to Become HIPAA-Compliant
Exceed TeamBlogHealthcare

HIPAA Compliance Checklist: Steps to Take to Become HIPAA-Compliant

8 min
Dec 11 2020
HIPAA is essential for any organization and individual dealing with healthcare. What is it, and how to be compliant with it? Are telehealth apps and websites also a subject of HIPAA? Let’s find out the answers to all these questions.
HIPAA stands for the Health Insurance Portability and Accountability Act. The American government adopted it in 1996, and since that, the legislation has been regulating the rules on how any medical information must be kept and shared. There have been some amendments to HIPAA throughout the years, and the most significant of them is HITECH (Health Information Technology for Economic and Clinical Health). Nowadays, healthcare providers apply electronic medical records to collect and keep all the necessary information about patients. This is why the authorities have created more HIPAA standards to follow and added compliance guidelines. Health records are sensitive information that must stay safe, while HIPAA compliance becomes even more important during the global pandemic.

FAQ on HIPAA Compliance

In what countries is HIPAA relevant?

The Act primarily affects Americans and also regulates medical records of other countries’ citizens who receive treatment in the US.

What kinds of organizations are required to be HIPAA-compliant?

Each organization or an individual that must follow HIPAA regulations is called a Covered Entity. There is a wide range of them, divided into three categories:
  • Healthcare providers – all kinds of hospitals, outpatient clinics, home healthcare companies, pharmacies, laboratories, medical equipment companies, etc;
  • Healthcare clearinghouses – community health information systems, billing services, repricing companies, etc;
  • Health insurance plans – can be employer-sponsored or federal/state.
All these organizations and people working in them must be HIPAA-compliant to ensure the security of PHI (protected health information) while creating, managing, and transmitting data.
Note: According to HIPAA, an individual employee is not a Covered Entity. Only an organization (e.g., a hospital) is responsible for HIPAA compliance and can be fined for breaching. Healthcare workers can only become Covered Entities by offering self-insured health cover or an EAP.

What is a Business Associate?

It is an official name for a business or a person granting services to a Covered Entity. It can be a lawyer, an accountant, an IT specialist, or a company providing cloud storage services, data encryption, etc. Only after Business Associates sign the Agreement, they are allowed to perform their functions that can include access to PHI. During the process of working with medical records, a Business Associate must maintain HIPAA compliance just like a Covered Entity.

Which authority is responsible for HIPAA compliance?

There are two legislatures – HHS (U.S. Department of Health and Human Services) and OCR (The Office for Civil Rights).

What are the penalties for not being HIPAA-compliant?

If a company or an individual violates the principles of HIPAA, it can lead to various consequences – a fine, a civil action lawsuit, or a criminal charge. Fines depend on the seriousness of a violation, starting from $100 per record. In some cases, a financial penalty can reach $50,000 per each breach of HIPAA compliance. The maximum fine is $1.5 million a year for violations of the same nature.

How is HIPAA compliance enforced during the COVID-19 emergency?

OCR and HHS are providing enforcement discretion during the pandemic. It means that a Covered Entity might not get punished for some violations made in emergency situations. However, HIPAA remains in effect, and compliance with its standards and regulations is required for all healthcare organizations and their partners.
contact form logo
Start growing with us!

Why is HIPAA compliance significant?

You must keep HIPAA compliance to ensure your patients’ privacy and to protect your organization from ransomware attacks. Specialists report many targeted cybercrimes in the healthcare sector – criminals use sophisticated methods to steal data and then make money from healthcare providers. Being HIPAA-compliant is critical today, as many companies operate large and complex networks and store data in the cloud.
Hipaa compliance checklist
The key areas to take care of when you follow HIPAA compliance rules

HIPAA Compliance Checklist

How to keep patient data protected? What steps should you take to become HIPAA-compliant? A great way is following official guidelines or a handy checklist. Major steps to ensure HIPAA compliance:
  1. Define the level of access to PHI for your organization or business.
  2. Perform audits and assessments. In order to be HIPAA-compliant, do audits regularly.
  3. Do the risk analysis. It must also be conducted on a regular basis.
  4. Study the required HIPAA rules and procedures. Enforce them in your organization.
  5. Make data protection arrangements – technical, administrative, paper-based, etc.
  6. Train your employees to become HIPAA-compliant.
  7. Seek professional HIPAA compliance advice, if necessary.
Now let’s discover those steps in detail.

Audits and Assessments for HIPAA Compliance

You must regularly carry-out audits within your company. Security assessments will help you be compliant with HIPAA and enable medical data protection. You can use this checklist:
  • Follow HIPAA Rule SP 800-66 and regulations provided by the NIST (National Institute of Standards and Technology) to define the list of annual audits and assessments for your specific kind of business or organization.
  • Carry out all audits and assessments, find gaps and inconsistencies, and document each case to make necessary improvements.
  • Make a thorough plan to fix all the found issues and reach compliance with HIPAA.
  • After all the actions have been taken, make a review of your achievements.
  • Update your HIPAA compliance plan if necessary, and put it into action again.

Risk Analysis to be Compliant with HIPAA

The checklist for risk analysis includes the following operations:
  • Studying each entity of your organization.
  • Doing risk assessments for all systems that contain electronic PHI and require HIPAA compliance.
  • Assessing the potential risks’ likelihood and damage.
  • Developing a risk management framework for your organization.
  • Implementing effective security measures to avoid risks and protect sensitive documents.
  • Establishing and following HIPAA security standards in your organization.

Procedures to Make your Business HIPAA-compliant

Study the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule. All your inner documentation should be annually reviewed to find and eliminate any issues. Here is a checklist of privacy procedures you should implement and follow daily:
  • HIPAA-compliant data usage – including inappropriate access prevention, routine and occasional disclosures, data requests limitation, etc.
  • Communication with business associates – creating appropriate contracts and amending the existing ones according to HIPAA compliance rules.
  • Processing privacy complaints, access requests, and similar cases.
  • Patients permission – ask for a written version of it every time you’re going to use or disclosure secured data. Your business must remain HIPAA-compliant during any healthcare procedure, including treatment, payment, etc.

Data Protection Measures for HIPAA Compliance

Safe measures for medical data help keep them confidential, as well as available and well-integrated in your systems. The HIPAA compliance checklists for technical measures:
  • Use relevant auditing systems. They should keep track of access instances and file modifications and alert you in case of suspicious actions.
  • Enable integrity control. It provides quality and accuracy on information and helps to stay compliant with HIPAA.
  • Encryption of medical information. Remember about HIPAA standards when you transmit data through external networks.
  • Enable secure access to information, including authorization and authentication of your employees who have access to patients’ electronic records. The best way is to use good passwords and key codes.
The HIPAA compliance checklist for physical measures:
  • Enable the appropriate disposal of sensitive documents – make sure to shred them before throwing away.
  • Make sure that only specific, trusted employees have access to workstations with electronic medical records. In order to be compliant with HIPAA, your organization must have special policies on how your staff members use such workstations.
  • Create a policy for mobile device access. If your employees use mobile devices to watch PHI, you must ensure HIPAA compliance by deleting any protected information. It becomes crucial if a device is lost, stolen, or no longer used for that purpose (e.g., if your employee leaves the organization.)
The HIPAA compliance checklist for administrative measures:
  • Raise security awareness – your employees with access to PHI must learn how to be HIPAA-compliant and use cybersecurity practices (e.g., identifying and reporting malware.)
  • Create a plan for emergencies – your staff members should know how to maintain confidentiality and follow HIPAA rules in stressful situations, etc.

HIPAA Compliance for Employees

Members of your staff working with medical records should have an in-depth understanding of cybersecurity and HIPAA compliance. Provide appropriate training and communications regularly. The HIPAA compliance checklist for staff training:
  • Spread information about HIPAA procedures and regulations to all employees.
  • Test your staff members’ knowledge of HIPAA standards.
  • Ensure among your staff necessary training on HIPAA compliance.
  • Make attestation on HIPAA compliance and document the results.
  • Create a system of sanctions for HIPAA violations and security breaches.
  • Appoint a person (or create a department if your company is big) to be responsible for all matters related to privacy, data protection, and HIPAA compliance.
  • Make sure that your HIPAA compliance/privacy/security officer carries out annual HIPAA training for all employees.

HIPAA Compliance for Business Associates

Every time you apply to a third party, they must sign a Business Associate Agreement. It includes important information about medical data access, return and utilization of records, etc.
Hipaa compliance for business associates
Business Associates are various companies and individuals
The HIPAA compliance checklist for communication with Business Associates:
  • Make a list of third-party organizations and individuals who have permission for receiving, transmitting, processing or having any other access to patients’ records.
  • Make sure that a Business Associate Agreement is appropriately created (follow HIPAA regulations) and signed.
  • Review the Agreement every year and assess your partners’ HIPAA compliance.
  • Make written reports regarding your work with Business Associates.

HIPAA Compliance Incidents

Breaches in your security systems may happen unexpectedly, and you have to establish special procedures for such incidents. The HIPAA compliance checklist for dealing with incidents:
  • Conduct an investigation of each security incident.
  • Assess an incident’s impact on your HIPAA compliance.
  • Create guidelines for your staff on how to be compliant with HIPAA standards.
  • Develop disciplinary procedures.
  • Choose a method for your employees to report a security breach and other incidents with HIPAA compliance.
  • Create notifying procedures. In case of any breaches, you’ll have to inform your patients, the OCR, and maybe the media.

HIPAA Compliance 2021 – Checklist for IT

In addition to the original rules from the HIPAA compliance checklist, there are specific modern-era regulations for your company’s IT department or the specialists you may outsource. What should you do to increase the security of electronic medical records? The HIPAA compliance checklist for messaging and databases:
  • Implement new technologies. Apply a secure messaging system instead of personal mobile devices. These systems use encrypted text messages and allow access only to authorized personnel. Such precautions will help your organization be compliant with HIPAA standards.
  • Protect email communications. You must enforce protective measures for sending text messages and attachments. Also, remember that any email with the PHI should be treated as a part of the medical records. In this case, being HIPAA-compliant means encrypting emails and archiving them securely for six years minimum.
  • Always remember data protection. Most of the breaches happen when staff members transmit information via open networks without encryption or have their mobile devices lost or stolen. This is why HIPAA compliance is strongly connected with the importance of data encryption. Use a firewalled server for internal communications. Implement encryption systems for external transmission of medical data. Before sending, convert all information into ciphertext – it’s unreadable without a unique security key. All these measures will ensure your HIPAA-compliance in 2021.
  • Enhance your cyber protection. Medical records are highly valuable on the black market and therefore attract lots of cybercriminals. To be compliant with HIPAA, you must prevent phishing or hacking attacks and the unintentional downloading of malware. Implement a web content filter and passwords to protect your databases.
Hipaa compliance checklist for it
Rules to be HIPAA compliant and avoid cyber threats
There are many other cases when you have to remain compliant with HIPAA. Sometimes your company needs to apply to third parties for specific services that you can’t conduct in-house. You can achieve HIPAA compliance through strict requirements for your Business Associates. They might be:
  • SaaS providers;
  • hosting companies;
  • software developers, etc.
You have to create HIPAA-compliant agreements with people and businesses that will transmit patients’ medical records while providing services for you. This way, you’ll protect your systems from illegal access.

HIPAA Compliance for Telehealth Apps and Social Media in 2021

Companies that build E-health apps should also be compliant with HIPAA regulations. Such apps can collect, keep, and transmit patients’ medical information to provide consultations with certified doctors. During the current pandemic, many people practice social distancing and self-isolation, and healthcare companies offer new telehealth services. This option is also available for those who use Medicare and Medicaid. In order to support healthcare providers and patients, the authorities exercised enforcement discretion, which means special (emergency) regulations for HIPAA compliance. If a platform for E-health services isn’t fully compliant with HIPAA, it may not receive sanctions and penalties for that. Telehealth remote communications usually include text, audio- or video chats between a user (patient) and a consultant (medical doctor). According to the OCR regulations, the use of HIPAA-compliant platforms is considered preferable. However, in the situation of the global pandemic, the authority allows to use various "non-public facing" software. Such products allow only chosen people (for example, a doctor and a patient) to participate in remote communication. "Non-public facing" communication tools can be HIPAA-compliant if they work like:
  • Zoom;
  • FaceTime;
  • Google Hangouts video;
  • Facebook Messenger Chat, etc.
Nowadays, social media is also one of the sources of conducting communications and sharing information. Are there special regulations of HIPAA compliance for social networking? Although most of HIPAA rules were enacted many years ago, we can apply the basic ones to present-day realities. All social media apps and websites must be compliant to HIPAA – it means you need a patient’s permission to share any personal medical information via these channels. If a company makes such a violation of HIPAA, it may receive a penalty.
contact form logo
Have more questions?
Contact us!

Bottom Line

Compliance with HIPAA regulations is essential for all healthcare providers, including telehealth apps’ owners. Their partners like SaaS providers, web development businesses, and hosting companies must also be HIPAA-compliant. To determine whether your organization must follow the HIPAA compliance guidelines, please approach a professional lawyer for a consultation. If you’re planning to develop a telehealth app or other solution for healthcare, you most certainly need to study HIPAA compliance practices.
Popular articles
Rate this article!
35 ratings, average: 4.77 out of 5
Adapt quickly to remote working model
Have a web app in mind?
We can help you