
HIPAA Compliance Checklist: How to Be HIPAA Compliant in 2024

The Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, is designed to keep individuals’ medical information and health records safe. By achieving and maintaining HIPAA compliance, healthcare organizations can safeguard patients’ sensitive health information while mitigating the risks of data breaches and legal penalties. 

This article details the key HIPAA and HITECH requirements and provides important resources so you can make sure your business is HIPAA compliant and avoid landing in the data breach headlines. 

What is HIPAA compliance?  

HIPAA compliance refers to adhering to the regulations set forth in the Health Insurance Portability and Accountability Act to ensure the privacy, security and integrity of individuals’ protected health information (PHI).  

Organizations required to comply with HIPAA include healthcare providers, health plans and healthcare clearinghouses, as well as their business associates. HIPAA covered entities must ensure the privacy and data security of protected health information. Examples of PHI include: 

  • Names of individuals 
  • Full face photos and comparable images 
  • Biometric identifiers 
  • Email addresses 
  • Telephone numbers 
  • FAX numbers 
  • Geographic data 
  • Social Security numbers 
  • Medical record numbers 
  • Account numbers 
  • Health plan beneficiary numbers 
  • Certificate and license numbers 
  • Vehicle identifiers and serial numbers 
  • Device identifiers and serial numbers 
  • Dates, except year 
  • IP addresses 
  • Web URLs 
  • Any unique identifying number or code 
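As an added illustration (not part of the original article), the following Python scans a constructed sample record for several of the identifier categories listed above and redacts them, generalizing dates to the year only as the "dates, except year" item implies. The regular expressions are illustrative assumptions for a first-pass check, not a certified PHI detector.

```python
import re
from typing import Dict, List

# Illustrative patterns (assumptions, not a certified detector) for some of the
# identifier categories listed above. Names, biometrics and free-form geographic
# data need dictionary or NER approaches and are out of scope here.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    # Any date more specific than a bare year (YYYY-MM-DD or MM/DD/YYYY).
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = (
    "Patient Jane Doe, MRN 00123456, SSN 123-45-6789, DOB 03/14/1985, seen 2024-01-09. "
    "Contact: jane.doe@example.com, (555) 123-4567. "
    "Portal login from 203.0.113.42 via https://portal.example.org/visit?id=9"
)


def find_phi(text: str) -> Dict[str, List[str]]:
    """Map each identifier category to the strings matched in text (empty categories omitted)."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def redact_phi(text: str) -> str:
    """Replace identifiers with [CATEGORY]; dates are generalized to the year only,
    matching the 'dates, except year' entry in the list above."""
    def year_only(match: re.Match) -> str:
        value = match.group(0)
        return value[:4] if "-" in value else value.split("/")[-1]

    out = PHI_PATTERNS["date"].sub(year_only, text)
    for category, pattern in PHI_PATTERNS.items():
        if category != "date":
            out = pattern.sub(f"[{category.upper()}]", out)
    return out
```

Running `find_phi` over outbound records or log lines is a cheap control for catching PHI that should never leave the covered environment, and `redact_phi` shows the Safe Harbor-style generalization in practice.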

What is HITECH? 

The Health Information Technology for Economic and Clinical Health (HITECH) Act enhances HIPAA regulations by incentivizing providers to digitize medical and health records. The law penalizes failures to use electronic health records in meaningful ways and aims to encourage nationwide use of reliable, interoperable and secure electronic health data. 

What are HIPAA rules and controls? 

HIPAA rules include:  

  • HIPAA Privacy Rule  
  • HIPAA Security Rule 
  • HIPAA Breach Notification Rule 
  • HIPAA Enforcement Rule 
  • HIPAA Omnibus Rule 

HIPAA controls are policies, procedures and other measures that HIPAA covered entities need to put in place to safeguard PHI and comply with the HIPAA rules, as detailed below.  

HIPAA Privacy Rule 

The HIPAA Privacy Rule describes a set of standards that govern how PHI can be used and disclosed. This rule aims to enforce strict guidelines that govern the handling of sensitive health data, fostering patient confidentiality and privacy within healthcare systems.  

Here are the HIPAA controls for Privacy Rule requirements: 

  1. Privacy policies and procedures: Covered entities must develop and enact a set of policies and procedures to ensure the privacy of PHI. 
  2. Personnel: HIPAA covered entities must: 
     • Appoint a privacy official responsible for the development and administration of the entity’s privacy practices and resources.  
     • Establish a point of contact that is responsible for receiving complaints and informing individuals about the entity’s privacy practices. 
  3. Workforce training and management: Covered entities must train all workforce members on privacy practices so that they can administer their functions in compliance with the Privacy Rule. 
  4. Mitigation: Covered entities must mitigate any harmful effects caused by use or disclosure of PHI that violates privacy policies or the HIPAA Privacy Rule. 
  5. Data safeguards: Covered entities must establish and maintain administrative, technical and physical safeguards to prevent both malicious and unintentional breaches of PHI. 
  6. Complaints: Covered entities must establish channels through which individuals can file complaints regarding privacy compliance. 
  7. Retaliation and waiver: A HIPAA covered entity may not retaliate against an individual for: 
     • Exercising their rights as provisioned by the HIPAA Privacy Rule 
     • Aiding an investigation carried out by HHS or other relevant authorities 
     • Refusing to engage in any act believed to be in violation of the HIPAA Privacy Rule 
  8. Documentation and record retention: A covered entity must maintain all documentation created for the purpose of complying with Privacy Rule regulations (privacy policies and procedures, records of complaints, privacy practices notices, etc.) for at least six years after the creation or last effective date. 
  9. Exception: Fully insured group health plans are obliged to comply with requirements (7) and (8) only. 

HIPAA Security Rule  

The HIPAA Security Rule establishes guidelines that safeguard the integrity of electronic health records (EHR) and ensure they remain confidential and available.  

The National Institute of Standards and Technology (NIST) has an established set of guidelines to help organizations develop security practices that comply with the HIPAA Security Rule. They can also use the CIA Triad, where “CIA” stands for these three components: 

  • Confidentiality: Ensure ePHI is not available or disclosed to unauthorized persons or processes. 
  • Integrity: Ensure ePHI is not altered or destroyed in an unauthorized manner. 
  • Availability: Ensure ePHI is accessible and usable on demand by authorized persons. 

HIPAA Security Rule requirements include the following types of controls for sensitive data: 

  • Technical safeguards: Access controls, audit controls, integrity controls, person/entity authentication, transmission security 
  • Physical safeguards: Facility access controls, workstation use, workstation security, device and media controls 
  • Administrative safeguards: Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plans, evaluation, business associate plans and other procedures 

Organizations often distinguish “required” and “addressable” safeguards: 

  • Required safeguards must be followed to the letter; there is no room for interpretation. 
  • Addressable requirements afford organizations some flexibility to account for unique infrastructural or technical limitations. 

HIPAA Breach Notification Rule 

The HIPAA Breach Notification Rule requires covered entities to notify certain parties when they suffer a breach of PHI. Specifically, the HIPAA Breach Notification Rule requires: 

  • Individual notice: Covered entities are required to notify affected individuals upon discovering a PHI breach. 
  • Media notice: If a breach is found to have affected more than 500 residents of a state or jurisdiction, the covered entities responsible must notify prominent media outlets serving the state or jurisdiction. 
  • Notice to the Secretary: Covered entities must notify the Secretary upon discovering a PHI breach. 

Entities may demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised, and such due diligence is taken into account under the rule.  

HIPAA Enforcement Rule 

The HIPAA Enforcement Rule establishes standards for how to investigate data breaches and outlines a penalty structure for accountable parties. 

HIPAA Omnibus Rule 

The HIPAA Omnibus Rule: 

  • Establishes a tiered penalty structure as required by HITECH 
  • Introduces changes to the harm threshold and includes the final rule on Breach Notification for unsecured ePHI under the HITECH Act 
  • Modifies HIPAA to include provisions from the Genetic Information Nondiscrimination Act (GINA), which prohibits disclosure of genetic information for underwriting purposes 
  • Prevents use of PHI and personal identifiers for marketing purposes 

HIPAA Omnibus Rule requirements include the following: 

  • New Business Associate Agreements (BAAs): Before employing the services of a business associate, entities must sign a new HIPAA-compliant BAA. 
  • Business Associate Agreement updates: Existing Business Associate Agreements must be updated to comply with the Omnibus Rule. 
  • Privacy policy updates: Privacy policies must be updated to comply with the Omnibus Rule changes. 
  • Updated Notice of Privacy Practices (NPP): NPPs must be updated to cover information required by the Omnibus Rule. 
  • Updated HIPAA staff training: Staff training on the Omnibus Rule amendments and definition changes must be provided and documented. 

HIPAA Checklist 

Use the following checklist to help your organization ensure compliance with HIPAA. 

1) Audits and Assessments 

Regularly perform an internal HIPAA audit, security assessment and privacy audit to support data security.

  • Determine which of the required annual HIPAA audits and assessments are applicable to your organization, using the NIST guidelines in Special Publication SP 800-66, Revision 1 (the NIST guide to implementing the HIPAA Security Rule). 
  • Conduct the required audits and assessments, analyze and understand the results, and document any issues or deficiencies. 
  • Create and document thorough remediation plans to address those issues and deficiencies. 
  • Put the plans into action, review the results, and update the plan if the desired results were not achieved. 

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.