What are the key steps in achieving HIPAA compliance?

Conduct all required audits and assessments. Perform regular risk analysis. Establish and enforce all required policies and procedures. Follow the checklist for more steps on ensuring HIPAA compliance for your organization.

Who has authority to enforce HIPAA compliance?

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA compliance.

What are the fines associated with violating HIPAA compliance requirements?

Fines for HIPAA violations can range from $100 to $50,000 per violation (or per record). The maximum penalty is $1.5 million per year for violations of the same provision.

HIPAA Compliance Checklist

Q: Which organizations are subject to HIPAA?

Entities that must comply with HIPAA include: Healthcare providers Health plans Healthcare clearinghouses

The Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, is designed to keep individuals’ medical information and health records safe. By achieving and maintaining HIPAA compliance, healthcare organizations can safeguard patients’ sensitive health information while mitigating the risks of data breaches and legal penalties.

This article details the key HIPAA and HITECH requirements and provides important resources so you can make sure your business is HIPAA compliant and avoid landing in the data breach headlines.

What is HIPAA compliance?

HIPAA compliance refers to adhering to the regulations set forth in the Health Insurance Portability and Accountability Act to ensure the privacy, security and integrity of individuals’ protected health information (PHI).

Organizations required to comply with HIPAA include healthcare providers, health plans and healthcare clearinghouses, as well as their business associates. HIPAA covered entities must ensure the privacy and data security of protected health information. Examples of PHI include:

Names of individuals
Full face photos and comparable images
Biometric identifiers
Email addresses
Telephone numbers
FAX numbers
Geographic data
Social Security numbers
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate and license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Dates, except year
IP addresses
Web URLs
Any unique identifying number or code

What is HITECH?

The Health Information Technology for Economic and Clinical Health (HITECH) Act enhances HIPAA regulations by incentivizing providers to digitize medical and health records. The law penalizes failures to use electronic health records in meaningful ways and aims to encourage nationwide use of reliable, interoperable and secure electronic health data.

What are HIPAA rules and controls?

HIPAA rules include:

HIPAA Privacy Rule
HIPAA Security Rule
HIPAA Breach Notification Rule
HIPAA Enforcement Rule
HIPAA Omnibus Rule

HIPAA controls are policies, procedures and other measures that HIPAA covered entities need to put in place to safeguard PHI and comply with the HIPAA rules, as detailed below.

HIPAA Privacy Rule

The HIPAA Privacy Rule describes a set of standards that govern how PHI can be used and disclosed. This rule aims to enforce strict guidelines that govern the handling of sensitive health data, fostering patient confidentiality and privacy within healthcare systems.

Here are the HIPAA controls for Privacy Rule requirements:

Privacy policies and procedures: Covered entities must develop and enact a set of policies and procedures to ensure the privacy of PHI.

Personnel: HIPPA covered entities must:

Appoint a privacy official responsible for the development and administration of the entity’s privacy practices and resources.
Establish a point of contact that is responsible for receiving complaints and informing individuals about the entity’s privacy practices.

Workforce training and management: Covered entities must train all workforce members on privacy practices so that they can administer their functions in compliance with the Privacy Rule.

Mitigation: Covered entities must mitigate any harmful effects caused by use or disclosure of PHI that violates privacy policies or the HIPAA Privacy Rule.

Data safeguards: Covered entities must establish and maintain administrative, technical and physical safeguards to prevent both malicious and unintentional breaches of PHI.

Complaints: Covered entities must establish channels through which individuals can file complaints regarding privacy compliance.

Retaliation and waiver: A HIPAA covered entity may not retaliate against an individual for:

Exercising their rights as provisioned by the HIPAA Privacy Rule
Aiding an investigation carried out by HHS or other relevant authorities
Refusing to engage in any act believed to be in violation of the HIPAA Privacy Rule

Documentation and record retention: A covered entity must maintain all documentation created for the purpose of complying with Privacy Rule regulations (privacy policies and procedures, records of complaints, privacy practices notices, etc.) for at least six years after the creation or last effective date.

Exception: Fully insured group health plans are obliged to comply with requirements (7) and (8) only.

HIPAA Security Rule

The HIPAA Security Rule establishes guidelines that safeguard the integrity of electronic health records (EHR) and ensure they remain confidential and available.

The National Institutes of Standards and Technology (NIST) has an established set of guidelines to help organizations develop security practices that comply with the HIPAA Security Rule. They can also use the CIA Triad, where “CIA” stands for these three components:

Confidentiality: Ensure ePHI is not available or disclosed to unauthorized persons or processes.
Integrity: Ensure ePHI is not altered or destroyed in an unauthorized

Availability: Ensure ePHI is accessible and usable on demand by authorized persons.

HIPAA Security Rule requirements include the following types of controls for sensitive data:

Technical safeguards: Access controls, audit controls, integrity controls, person/entity authentication, transmission security
Physical safeguards: Facility access controls, workstation use, workstation security, device and media controls
Administrative safeguards: Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plans, evaluation, business associate plans and other procedures

Organizations often distinguish “required” and “addressable” safeguards:

Required safeguards must be followed to the letter; there is no room for interpretation.
Addressable requirements afford organizations some flexibility to account for unique infrastructural or technical limitations.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify certain parties when they suffer a breach of PHI. Specifically, the HIPAA Breach Notification Rule requires:

Individual notice: Covered entities are required to notify affected individuals upon discovering a PHI breach.
Media notice: If a breach is found to have affected more than 500 residents of a state or jurisdiction, the covered entities responsible must notify prominent media outlets serving the state or jurisdiction.
Notice to the Secretary: Covered entities must notify the Secretary upon discovering a PHI breach.

It is possible for entities to prove their due diligence and demonstrate low probability of PHI compromise based on adequate risk assessment procedures.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule establishes standards for how to investigate data breaches and outlines a penalty structure for accountable parties.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule:

Establishes a tiered penalty structure as required by HITECH

Introduces changes to the harm threshold and includes the final rule on Breach Notification for unsecured ePHI under the HITECH Act
Modifies HIPAA to include provisions from the Genetic Information Nondiscrimination Act (GINA), which prohibits disclosure of genetic information for underwriting purposes
Prevents use of PHI and personal identifiers for marketing purposes

HIPAA Omnibus Rule requirements include the following:

New Business Associate Agreements (BAAs): Before employing the services of a business associate, entities must sign a new HIPAA-compliant BAA
Business Associate Agreement updates: Existing Business Associate Agreements must be updated to comply with the Omnibus Rule.
Privacy policy updates: Privacy policies must be updated to comply with the Omnibus Rule changes.
Updated Notice of Privacy Practices (NPP): NPPs must be updated to cover information required by the Omnibus Rule.
Updated HIPAA staff training: Staff training on the Omnibus Rule amendments and definition changes must be provided and documented.

HIPAA Checklist

Use the following checklist to help your organization ensure compliance with HIPAA.

1) Audits and Assessments

Regularly perform an internal HIPAA audit, security assessment and privacy audit to support data security:

Determine which of the required annual HIPAA audits and assessments are applicable to your organization, according to HIPAA Rule SP 800-66, Revision 1, using the NIST guidelines.
Conduct the required audits and assessments, analyze and understand the results, and document any issues or deficiencies.
Create and document thorough remediation plans to address those issues and deficiencies.
Put the plans into action, review the results, and update the plan if the desired results were not achieved.

Handpicked related content:

Achieve and Maintain HIPAA Compliance with Less Effort and Expense

2) Risk Analysis

Regularly conduct a risk analysis in accordance with NIST guidelines:
- Perform entity-level risk assessment.
- Conduct risk assessments for systems that house PHI.
- Develop and implement a risk management policy.
- Evaluate the likelihood and impact of potential risks to PHI.
- Implement appropriate security measures for sensitive documents and identified risks.
- Establish security standards for best practices and maintenance.
3) Policies and Procedures

Make sure you have policies and procedures in place that follow all of the HIPAA rules. Keep documentation for annual reviews. In particular, be sure to develop and implement:
- Privacy policies and procedures for data usage, routine and non-routine disclosures, limiting requests for sensitive data, and similar issues.
- Policies for business associates. Make sure to amend existing contracts and agreements to comply with HIPAA regulations. Get satisfactory assurances in contracts and document sanctions for non-compliance.
- Procedures and deadline requirements for handling access requests and complaints regarding privacy. Be sure to get written permission from patients before using or disclosing PHI for treatment, payment and healthcare operations.
4) Data Safeguards

Implement safeguards to protect data integrity, availability and confidentiality.

Technical Safeguards
- Integrity controls and auditing: Implement integrity controls to ensure quality and accurate data. Have auditing systems in place that will track file access and modifications and alert you to suspicious activity.
- Encryption: Encrypt ePHI when transmitting over external networks to meet NIST cryptographic standards.
- Access controls, authorization and authentication: Make sure that only appropriate entities have access to sensitive electronic records. Limit access to passwords and key codes.
Physical Safeguards
- Document disposal: Shred sensitive documents before discarding them.
- Workstation security: Restrict workstations with access to PHI to specified individuals. Have policies in place that govern how and when these workstations may be used.
- Mobile device and media controls: If PHI can be accessed from mobile devices, establish policies that govern how to remove PHI from a device if it is lost or stolen or its owner leaves the organization.
Administrative Safeguards
- Security awareness and training for employees: Educate employees on PHI access governance and cybersecurity best practices, such as how to identify and report malware, so they properly understand the importance of their role in achieving and maintaining HIPAA compliance.
- Contingency plans: Craft a plan to preserve critical business operations during emergencies while still protecting the integrity and confidentiality of PHI.
5) Employee Training and Communications

Provide adequate cybersecurity training to all employees and educate team members on the importance of HIPAA compliance:
- Distribute privacy policies and procedures to all staff members.
- Ensure all staff members read and attest to the HIPAA policies and procedures you have established.
- Check that all staff members have gone through basic HIPAA compliance training.
- Document all HIPAA compliance training and staff member attestation of HIPAA policies and procedures.
- Develop sanctions and disciplinary policies and procedures in case of privacy violations.
6) Designated Privacy Official

Make an individual or office responsible for the development and implementation of your privacy policy. Ensure that the designated HIPAA compliance officer conducts annual HIPAA training for all members of staff.

7) Business Associates

Regularly check that all business associates are in compliance with HIPAA regulations:
- Identify all business associates who may receive, transmit, maintain, process or have access to PHI.
- Ensure that a Business Associate Agreement is in place with each business associate.
- Annually review BAAs and assess HIPAA compliance.
- Prepare written reports to document and prove your due diligence regarding your business associates.
8) Breach Notification Process Checklist

Establish systems and procedures for security incidents or breaches:
- Track and manage investigations of any incidents that impact the security of PHI.
- Establish standards and guidelines for mitigation as well as disciplinary policies and procedures in case of a breach.
- Establish a method to report all breaches and incidents.
- Develop procedures for notifying patients, the Office of Civil Rights?(OCR and (when applicable) the media about breaches.
How to Maintain HIPAA Compliance

Compliance is an ongoing process, not a one-time event. Take extra precautions to monitor and secure your data. Recognize the importance of regular risk assessment, staff training and strong data governance to protect your organization and your clients.

FAQ

1. Which organizations are subject to HIPAA?

Entities that must comply with HIPAA include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
2. What are the key steps in achieving HIPAA compliance?
- Conduct all required audits and assessments.
- Perform regular risk analysis.
- Establish and enforce all required policies and procedures.
Follow the checklist for more steps on ensuring HIPAA compliance for your organization.

3. Who has authority to enforce HIPAA compliance?

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA compliance.

4. What are the fines associated with violating HIPAA compliance requirements?

Fines for HIPAA violations can range from $100 to $50,000 per violation (or per record). The maximum penalty is $1.5 million per year for violations of the same provision. Corrective action is often required alongside these fines to address the root cause of the violation and implement measures to prevent its recurrence.

5. What are the 4 HIPAA rules?

The 4 core HIPAA Rules are as follows:
- Privacy Rule
- Security Rule
- Breach Notification Rule
- Enforcement Rule
HIPAA also includes the Omnibus Rule, a major update designed to improve privacy, security and enforcement measures for safeguarding health information in the digital age.

6. What are the HIPAA requirements?

Refer to the article for a more detailed answer to this question, but the primary HIPAA requirements include:
- Privacy requirements: Covered entities must implement policies and procedures to protect patients’ protected health information (PHI).
- Security requirements: The Security Rule mandates the implementation of safeguards to protect electronic protected health information (ePHI) against threats or hazards to its integrity, confidentiality and availability.
- Breach notification requirements: Covered entities must notify affected individuals, the Secretary of Health and Human Services, and (in some cases) the media in the event of a breach of unsecured PHI.
7. How do you prove compliance with HIPAA requirements?

Proving HIPAA compliance involves demonstrating an organization’s practices for safeguarding protected health information (PHI). Some common ways an entity can exhibit HIPAA compliance include documenting procedures and policies, conducting risk assessments, creating incident response plans, and maintaining and monitoring audit trails.

Mike Tierney

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.