If you are part of the healthcare industry, or your business collects ePHI (electronic Protected Health Information), then you must make sure your business is HIPAA compliant, and following a proper HIPAA compliance checklist is the way to get there.
Over the past decade, the bodies that enforce HIPAA (chiefly the Office for Civil Rights of the U.S. Department of Health and Human Services) have worked hard to ensure that the privacy and security of ePHI is taken seriously.
They have pushed healthcare organizations to abide by the HIPAA rules, backed by substantial fines when those rules are breached.
So if you want an online presence that collects ePHI from consumers, being HIPAA compliant is mandatory.
Below is a complete HIPAA checklist to help make sure your business does not get fined for avoidable misconduct.
What Is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a United States federal law enacted by Congress in 1996.
It protects the privacy and security of people's medical information. Today the law matters more than ever because of the rise in cybercrime and identity theft over the last couple of decades.
With risks such as fraudulent use of stolen Social Security numbers, leaks of private medical information, and blackmail using extremely personal data, strict security clearly has to be a top priority.
HIPAA requires every organization that handles sensitive medical data to maintain appropriate security measures.
The checklist will help you establish a business that will be ready to handle ePHI without risks.
The Main HIPAA Compliance Security Regulations
Before hopping into the checklist, make sure you are aware of the main rules of HIPAA compliance.
The main HIPAA regulations you need to learn about are:
- Privacy Rule
- Security Rule
- Breach Notification Rule
What are the main components of privacy?
i. HIPAA Privacy Rule
The HIPAA Privacy Rule controls who may use or access PHI, in any form (paper, spoken, or electronic), and what they may do with it.
It applies to covered entities, which are health plans, health care clearinghouses, and health care providers that transmit health information electronically (for example hospitals, physician practices, and insurance companies), and, through business associate agreements, to the vendors that handle PHI on their behalf.
The Privacy Rule also requires a person's written authorization before their PHI is used or disclosed for anything other than treatment, payment, health care operations, and the other uses the Rule specifically permits.
It protects the following identifying data of a person:
- Any dates directly related to the individual or their care (including birth date and admission or discharge dates)
- Any contact information (phone, address, email, etc.)
- Social Security number
- Medical record number(s)
- Medical images (such as X-rays)
- Photographs of the person
- Biometric identifiers such as fingerprints and voiceprints
Basically, any past or present data that could be used to identify an individual, together with their health information, may not be shared without the person's authorization unless the Rule permits it.
The person in question also has the following rights:
- You may only disclose PHI with the individual's authorization (or under a use the Rule permits). Unauthorized disclosure can result in enforcement action and lawsuits.
- The person can request a copy of his/her health records. Once requested, the organization holding the PHI must respond within 30 days (extendable once by a further 30 days), or face penalties.
- The person may request corrections to his/her records. You must act on such a request, after proper verification, within 60 days (again extendable once by 30 days).
So basically, the Privacy Rule protects a person's PHI and gives him/her control over it.
What are the main components of security?
ii. HIPAA Security Rule
The HIPAA Security Rule sets the minimum standards covered entities and their business associates must meet to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
It involves three categories of safeguards:
a. Physical Security
The physical safeguards require that the facility housing the data servers maintains a high level of physical security.
Only selected people may enter the facility, and only authorized personnel may maintain the PHI data servers.
The facility should be audited for HIPAA compliance by a credible third party.
All devices and workstations must be protected from unauthorized access, which covers reading, writing, or editing data without permission from the responsible administrators.
In addition, all areas of the facility must be thoroughly monitored in real time.
b. Administrative Security
The HIPAA Security Rule also requires administrative action plans for protecting data.
There should be a complete plan for handling different scenarios, for example what actions are taken immediately when an online threat is detected.
This includes educating employees about HIPAA compliance and training them to handle the various risks so that they know exactly what to do, and quickly.
The training should be in-depth. It should cover cases such as:
- stopping a breach before data is compromised
- containing a breach so that no further data is exposed
In addition, proper backups must be kept, and secured to the same standard as the live data.
HIPAA also requires you to document every security incident and the response to it.
c. Technical Security
The technical safeguards cover strict control and monitoring of access to data.
Measures such as multi-factor authentication on the data management software and strong encryption whenever data is transmitted are the ideal baseline.
The organization must perform regular risk assessments to identify possible threats to PHI. Email communication, whether internal or with outside partners, should also be encrypted in line with HIPAA guidelines to protect against leaks or misuse. You can check our HIPAA compliant email service.
Video conferencing that carries PHI should likewise use a service designed to keep the session from being intercepted or leaked. Check out HIPAA compliant video conferencing.
It is best to hire a HIPAA consultant to monitor and verify that all technical safeguard requirements are met.
What is the most common HIPAA violation?
The most common causes of reported HIPAA breaches are theft (by insiders or outsiders), unauthorized access or disclosure, hacking, loss of devices or media, and improper disposal.
The Breach Notification Rule
HIPAA puts the person whose PHI is stored first.
Hence, whenever there is a breach of unsecured PHI, you must notify the affected individuals without unreasonable delay and no later than 60 days after discovering the breach.
You must keep a detailed report of every breach, which includes:
- the number of individuals whose PHI was compromised
- an explanation of how the breach occurred
- how it was identified, and
- the steps taken so far.
For breaches affecting fewer than 500 individuals, you submit these reports to the HHS Office for Civil Rights (OCR) once a year, within 60 days after the end of the calendar year in which the breach was discovered.
If a breach affects 500 or more individuals, you must report it to OCR without unreasonable delay and no later than 60 days after discovery, and also notify prominent media outlets serving the affected state or jurisdiction.
What are HIPAA requirements? A checklist
Now that you know the main rules of HIPAA compliance, it's time to follow the checklist to make sure you do not violate any HIPAA policies when setting up your business.
1. Physical HIPAA Compliance Checklist
- First, install security cameras throughout the facility.
- Enforce strong entry verification. This could be biometric entry (fingerprint or retina scan), followed by a visual identity check by a security guard.
- Thoroughly check every person entering the facility for unauthorized or suspicious devices (even if it's the president).
- Define a list of items prohibited inside the facility, for example USB flash drives.
- Keep a team to monitor employee behavior in order to catch suspicious activity.
- Carry out a security search before anyone leaves the premises to ensure no one carries unauthorized devices out of the facility.
2. Administrative HIPAA Compliance Checklist
It is best to work with a HIPAA compliance consultant to plan the administrative compliance activities.
- Educate yourself and all your employees about HIPAA compliance requirements.
- Create an action plan that decides what steps to take in different situations.
- Train employees to take the right action in the various breach scenarios.
- Monitor and perform regular risk assessments to find possible threats.
- Keep detailed documentation of all incidents.
- Pre-define the activities to carry out when a breach does occur, ensuring they meet all notification rules.
3. Technical HIPAA Compliance Checklist
- Limit access to data on each workstation with role-based access control, so that each user can reach only the PHI their job requires (the minimum necessary standard).
- Log and monitor data transfers so that unauthorized exports from any workstation are detected.
- Limit access to personal profiles on the workstation.
- Configure audit logging and alerting so that unauthorized access to PHI triggers an alert.
- Use strong encryption when transmitting data.
- Apply strict firewall rules to block external access to data.
- Encrypt connections between systems so that internal network paths and traffic are not exposed.
- Enforce automatic session timeouts (automatic logoff after a period of inactivity).
- Keep backups of all PHI data on a secured server.
- Use a HIPAA compliant managed hosting service.
- Make sure any online software service you use, such as email, is HIPAA compliant.
- Provide a secure channel for individuals to request a copy of their PHI or request corrections to it, and route notifications to the right department so that requests are honored within the required deadlines (30 days for access, 60 days for amendment).
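The access-limiting, transfer-tracking, alerting and session-timeout items in the technical checklist are the ones you can actually enforce in code. The following Python script is an added example, not code from the original article or any particular product: it parses a handful of constructed PHI access-log lines, checks each access against a hypothetical role-to-record-type allow list (the minimum necessary idea), flags exports for review, and detects sessions that stayed usable past an assumed 15-minute idle limit, which is evidence that automatic logoff is not being enforced. The log format, the role and user tables, and the idle limit are all assumptions for the example.

```python
"""Minimal PHI access-audit monitor (added example, not from the article).

Everything below is constructed for illustration: the log line format
"<ISO timestamp> user=... session=... action=... type=... patient=...",
the role permissions, the user directory and the idle timeout.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role -> record types the role may read (minimum necessary).
ROLE_PERMISSIONS = {
    "physician": {"chart", "lab", "imaging"},
    "nurse": {"chart", "lab"},
    "billing": {"billing"},
}
# Hypothetical user directory; a user missing here has no role and no access.
USER_ROLES = {
    "dr_smith": "physician",
    "nurse_lee": "nurse",
    "bill_k": "billing",
}
# Assumed idle limit after which a session must have been logged off.
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed sample log; the lines are not real access records.
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=dr_smith session=s1 action=view type=chart patient=P001
2024-03-01T09:02:00 user=nurse_lee session=s2 action=view type=lab patient=P001
2024-03-01T09:03:00 user=bill_k session=s3 action=view type=chart patient=P002
2024-03-01T09:04:00 user=contractor1 session=s4 action=view type=imaging patient=P003
2024-03-01T09:30:00 user=nurse_lee session=s2 action=view type=chart patient=P004
2024-03-01T09:10:00 user=dr_smith session=s1 action=export type=imaging patient=P001
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    session: str
    action: str       # "view" or "export"
    record_type: str  # "chart", "lab", "imaging", "billing"
    patient: str


def parse_line(line: str) -> AccessEvent:
    """Parse one '<timestamp> key=value ...' line into an AccessEvent."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_text),
        user=kv["user"],
        session=kv["session"],
        action=kv["action"],
        record_type=kv["type"],
        patient=kv["patient"],
    )


def audit(log_text: str) -> list:
    """Return (alert_kind, user, patient) tuples for events that need attention.

    Events are processed in timestamp order so the idle-session check works
    even if the log was written out of order.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda ev: ev.ts,
    )
    alerts = []
    last_seen = {}  # session id -> timestamp of its previous event
    for ev in events:
        allowed = ROLE_PERMISSIONS.get(USER_ROLES.get(ev.user), set())
        if ev.record_type not in allowed:
            # Role may not read this record type at all: unauthorized access.
            alerts.append(("UNAUTHORIZED_ACCESS", ev.user, ev.patient))
        if ev.action == "export":
            # A copy left the system; every export is queued for review,
            # even when the role is allowed to read the record.
            alerts.append(("EXPORT_REVIEW", ev.user, ev.patient))
        prev = last_seen.get(ev.session)
        if prev is not None and ev.ts - prev > IDLE_TIMEOUT:
            # The session was idle longer than the limit yet is still in use,
            # so the automatic logoff control is not being enforced.
            alerts.append(("STALE_SESSION", ev.user, ev.patient))
        last_seen[ev.session] = ev.ts
    return alerts


if __name__ == "__main__":
    for kind, user, patient in audit(SAMPLE_LOG):
        print(f"{kind}: user={user} patient={patient}")
```

Run on the constructed log, the script raises four alerts: `bill_k` (billing) and `contractor1` (no role) reading clinical records, `dr_smith` exporting an imaging record, and `nurse_lee` reusing session `s2` 28 minutes after its last activity. In a real deployment the allow list would come from the identity provider rather than a dictionary, and the alerts would feed the incident documentation that the administrative safeguards require.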
4. Business HIPAA Compliance Checklist
- Work with a HIPAA compliance consultant to make sure you follow all of the above accurately.
- Publish written HIPAA policies and procedures that define how your business applies the rules.
- Get audited for HIPAA compliance by a third party. This helps find flaws you overlooked.
If you will provide services to a healthcare organization, then you should also prepare:
- A Business Associate Agreement (BAA) that states your responsibilities for protecting the PHI and the consequences of failing to comply.
- A Service Level Agreement (SLA) that identifies the network infrastructure and all the security measures and actions you will take to minimize risk.
You will need to sign these with the companies you provide services to.
- Hire at least one HIPAA compliance expert who is available at all times to the customer service department, so that no query is handled in a way that is not HIPAA compliant.
- Hire experienced IT specialists to control server activity.
What is HIPAA in layman's terms?
If you are a healthcare organization storing patient data, or a business associate with access to ePHI (electronic Protected Health Information), then both parties need to follow the HIPAA guidelines.
In conclusion, the checklist here looks simple, but if it is not followed diligently you will be in trouble.
Remember, even a small violation can cost a fortune. So make sure you follow this checklist before deciding to start an online business in a related industry.