The divide between what is required for compliance under HIPAA regulation and the misconceptions that healthcare professionals have about being compliant is more extensive than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) announced her plan to start on a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the over $10 million in fines levied against non-compliant Covered Entities (CE’s) and Business Associates (BA’s) seen in 2015 alone is set to become the norm, and perhaps even grow over the coming months.
Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.
First, let’s familiarize ourselves with some basic information regarding how to become HIPAA compliant.
While the rest of this HIPAA compliance checklist will go deeply into detail on what each component of HIPAA regulation requires, here are HHS’s Seven Fundamental Elements of an Effective Compliance Program to get you started:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offences and undertaking +corrective action.
Marc Haskelson, CEO of Compliancy Group comments that “The HIPAA regulations apply to all healthcare organizations whether large or small, Covered Entities, or Business Associates. It is provided to these organizations to secure protected health information in a organized manner. This organized management is contained in the The Seven Elements, and are the absolute bare minimum, non-negotiable skeleton of any compliance program.
HIPAA regulation has grown since its initial implementation in 1996, and now includes specific rules surrounding the use and dissemination of protected health information (PHI) and electronic protected health information (ePHI). Below, we’ll get into some of the particulars.
The HIPAA Compliance Checklist: The Privacy Rule
The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and health care providers that make certain electronic healthcare transactions. These groups are required to have appropriate limitations and conditions on the use and disclosure of PHI.
- Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
- Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.
- Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.
- Complaints procedures: Implement procedures where patients can file a complaint to the CE about its HIPAA compliance, and patients must be informed that complaints may also be submitted to HHS.
- Retaliation and waiver: Retaliation can’t be taken out against a patient who exercises their rights under the Privacy Rule. Patients cannot be made to waive their Privacy Rule rights as a means of obtaining treatment, payment, or enrollment.
- Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.
- Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.
The HIPAA Compliance Checklist: The Security Rule
The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.
These safeguards each require different standards that need to be implemented in order to be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple, but comprehensive list below.
The HIPAA Security Rule Checklist: Administrative Safeguards
Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.
Standard 1. Security Management Process
- Risk Analysis should be done to assess confidentiality of ePHI
- Risk Management measures should be implemented to assess potential breaches in ePHI
- Sanction Policies should be extended to employees who fail to comply with policies and procedures
- Information System Activity Reviews should be in place so that system activity is regularly monitored
Standard 2. Assigned Security Responsibility
- Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures
Standard 3. Workforce Security
- Employees who are meant to deal with ePHI should undergo Authorization and Supervision
- Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI
- Termination Procedures should be in place so that employees who have left a practice can no longer have access to ePHI that they’ve previously had access to
Standard 4. Information Access Management
- Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI
- Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI
- Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified
Standard 5. Security Awareness and Training
- Security Reminders should be regularly communicated
- Protection from Malicious Software should be a priority to prevent ePHI from being compromised
- Log-in Monitoring should be in place to detect any unauthorized access to ePHI
- Password Management should be implemented for creating, changing, and protecting employees’ passwords
Standard 6. Security Incident Procedures
- Breaches and their ramifications need to have documented Response and Reporting procedures
Standard 7. Contingency Plan
- A Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach
- Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored
- Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency
- Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws
- Contingency procedures should be go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible
Standard 8. Evaluation
- The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations
Standard 9. Business Associate Contracts and Other Arrangements
- Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.
The HIPAA Security Rule Checklist: Physical Safeguards
Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.
Standard 1. Facility Access Controls
- Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency
- A Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft
- Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted
- Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks
Standard 2. Workstation Use
- Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed
Standard 3. Workstation Security
- Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible
Standard 4. Device and Media Controls
- Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed
- Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use
- Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked
- Data Backup and Storage procedures should entail the creation of exact copies of ePHI
The HIPAA Security Rule Checklist: Technical Safeguards
Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible, policies and procedures that monitor user access to systems that store ePHI.
Standard 1. Access Control
- Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage
- Procedures should be in place that determine Emergency Access protocols and authorization
- Systems that store ePHI should be built with an Automatic Logoff function after inactivity
- Encryption and Decryption methods should be built into systems that store ePHI
Standard 2. Audit Controls
- Audit Controls must regularly monitor, record, and store system usage and ePHI access
Standard 3. Integrity
- In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system
Standard 4. Person or Entity Authentication
- Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI
Standard 5. Transmission Security
- Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process
- Any stored ePHI should be Encrypted
Where to Go From Here…
Even with this checklist in hand, the process of achieving full compliance is extensive–and that’s where Compliancy Group comes in.
Compliancy Group’s web-based compliance solution, The Guard, simplifies HIPAA compliance. It provides clients with a complete, web-based tool to achieve compliance, to illustrate this to the HHS and their patients, and to maintain that compliance through continued monitoring and support.
Compliancy Group is recognized as the industry leader in HIPAA compliance for healthcare professionals. The Guard has been endorsed by industry leaders such as Think About Your Eyes, the Telebehavioral Health Institute, Telehouse, eClinicalWorks, and AOAExcel.