Updated: Apr 30, 2024   |   Christina Florkey

The ultimate HIPAA compliance checklist (with PDF)


Companies operating in the U.S. healthcare system need to comply with HIPAA data protection and security guidelines. Organizations must ensure they have implemented the necessary measures to attain HIPAA compliance. Failure to maintain compliance can result in substantial financial penalties and negative publicity.

The major HIPAA requirements are defined in the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. A prerequisite to any HIPAA compliance exercise is to read and understand the rules and determine which apply to your business.

The following HIPAA compliance checklist outlines the steps a company should take to establish and maintain HIPAA compliance.


First steps

  • Determine your status: establish whether your organization is a Covered Entity or a Business Associate.
  • Understand your obligations under HIPAA even if your organization is not considered a Covered Entity or Business Associate.
  • Assign responsibility. Designate a HIPAA Compliance Officer, or alternatively divide these responsibilities between a HIPAA Privacy Officer and a HIPAA Security Officer, as outlined below.

Compliance with the HIPAA Privacy Rule


The HIPAA Privacy Rule requires covered entities and business associates to implement appropriate safeguards to protect the privacy of protected health information (PHI). Covered entities are required to take reasonable steps to limit the use, disclosure, and requests for PHI to the minimum necessary to accomplish a specific purpose.

Patients' rights need to be effectively addressed to comply with the HIPAA Privacy Rule. Covered entities must ensure that the following requirements are met.

  • Designate a HIPAA Privacy Officer to develop, implement, and enforce HIPAA-compliant policies.
  • Understand how PHI can be used and disclosed in compliance with HIPAA, and when an individual's authorization is required.
  • Implement policies and procedures for using and disclosing PHI in compliance with HIPAA.
  • Provide training to all new members of the workforce within a reasonable period of time after they join the company.
  • Provide training to workforce members whose job functions or responsibilities are affected by changes to the regulations or to your company's policies and procedures.
  • Identify risks to the privacy of PHI and implement safeguards to minimize these risks.
  • Make risk analysis an ongoing process and adapt to changes in the risk landscape as necessary.
  • Provide patients with a Notice of Privacy Practices explaining their rights and how PHI will be used.
  • Develop policies and procedures for obtaining patient authorization and consent and for handling access requests. Regularly review and update these policies and procedures.
  • Develop and document a plan to respond to an incident that damages systems containing PHI.

Compliance with the HIPAA Security Rule


The Security Rule requires the implementation of appropriate administrative, technical, and physical safeguards to protect electronic PHI (ePHI). Covered entities must address these four general provisions of the Security Rule:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible use or disclosure.
  • Ensure compliance by everyone in their workforce.

Compliance with the Security Rule requires a covered entity to implement the following safeguards:

Administrative safeguards

  • Implement a security and risk assessment process to identify and address vulnerabilities that affect ePHI security. Make this an ongoing process. 
  • Designate a HIPAA Security Officer responsible for developing and implementing security procedures and policies.
  • Enact role-based access policies to limit access to ePHI.
  • Institute workforce training and management policies to address violators.
  • Perform periodic assessments to evaluate the effectiveness of security measures.

Physical safeguards

  • Limit physical access to facilities processing ePHI to authorized personnel and monitor it with measures such as key cards or guards.
  • Develop policies and procedures to define the proper use, access, and disposal of workstations, mobile devices, and electronic media.

Technical safeguards

  • Implement access controls to limit access to systems containing ePHI.
  • Provide audit controls to monitor and record activity on IT systems that store or process ePHI.
  • Develop and implement written policies and procedures to ensure ePHI is not improperly destroyed or modified.
  • Regularly review and update your policies and procedures. 
  • Maintain and update your IT infrastructure to secure PHI. 
  • Implement technical measures such as encryption to prevent unauthorized access to ePHI during transmission.

Document all processes and procedures


All procedures, processes, and policies related to HIPAA compliance should be documented and readily available to present as evidence in an audit. This includes the results of risk assessments, training records, and documentation of vulnerability mitigation efforts. This documentation is essential evidence of an organization's efforts to address compliance issues if an incident occurs.

Address gaps and violations

As risks or violations are identified, develop and implement corrective action plans to minimize risks or eliminate non-compliance issues. 

Record all identified risks, violations, and incidents, as well as your remediation efforts. 

Compliance with the HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities to notify affected individuals, the HHS Secretary, and in some cases the media following a breach involving PHI.

  • Notices must be sent to individuals affected by the breach by first-class mail, or by email if the individual has consented to electronic communication. The notices must be sent within 60 days of discovering the breach.
  • Fill out the electronic forms on the HHS website to notify the Secretary of a breach. Notification must be made within 60 days if more than 500 individuals are affected, or annually if fewer individuals are affected.
  • Notify the media if more than 500 residents of a State or jurisdiction are affected. This type of notification is usually done via a press release.

How data loss prevention promotes HIPAA compliance

A data loss prevention (DLP) solution promotes HIPAA compliance by addressing several of the required safeguards. A DLP platform helps protect the privacy and security of PHI by preventing unauthorized users from accessing the information. It does this by automatically enforcing the organization's data handling policy, which should include access controls that restrict the use and disclosure of PHI.

The Reveal Platform by Next provides customers with an effective method of protecting PHI. The software deploys next-gen agents that use machine learning and advanced analytics to identify and categorize data at the point of risk. The tool creates baselines at deployment and recognizes suspicious behavior that may indicate risks to PHI.

Reveal stops the deliberate or accidental misuse of sensitive data. The tool also offers education in the form of instructive messages when an individual violates data handling policies. This education helps build a more security-conscious workforce that understands how to keep PHI secure and comply with HIPAA regulations.

Give Reveal a try with a free demo and see how it can help your business maintain HIPAA compliance.

HIPAA Compliance Checklist (PDF download)

To help you stay on top of HIPAA regulations, we've created a handy PDF checklist. This downloadable HIPAA compliance checklist covers all essential aspects of HIPAA compliance, ensuring your organization adheres to the latest guidelines for protecting patient privacy and data security.

Download now: HIPAA Compliance Checklist (PDF)

Frequently asked questions

Why do organizations need a Privacy and Security Officer?

Organizations need a Privacy and Security Officer because someone needs to take the lead and responsibility for implementing the necessary processes to maintain HIPAA compliance. In many cases, this individual performs these roles in addition to other tasks. Having a focal point for compliance streamlines the process and provides a resource for other employees to learn about HIPAA guidelines.

Who must be notified in the event of a data breach?

All individuals whose information was involved in the breach need to be notified within 60 days of the incident. The Secretary of HHS gets notified within 60 days in cases where the information of more than 500 individuals has been compromised. The media is also notified when over 500 individuals in a specific State or jurisdiction are affected by the breach.

Why are physical safeguards necessary?

Physical safeguards are necessary to protect PHI from being stolen or viewed by unauthorized individuals. Electronic media needs to be disposed of properly or have all PHI removed from it before being reused to eliminate the chance of PHI falling into the wrong hands. Physical safeguards have become more important with the rise in the use of mobile devices to access and store sensitive data such as PHI.
