HIPAA Compliance Checklist

Once you've concluded you are handling protected health information (PHI), you will have to ensure your organization is HIPAA compliant. Compliance with HIPAA requires going through a series of steps that, altogether achieved, ensure you are in-line with the regulations set forth by the Department of Health and Human Services for patient health records.

Compliance achievement can take the form of checklist that walks through the 4 sets of rules within HIPAA: The Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule. While it is beyond the scope of this article to provide a comprehensive breakdown, we will provide a basic overview of what such a checklist entails.

The Privacy Rule presents standards that protect health records that apply to various health care providers that conduct their transactions electronically. It involves preventing impermissible uses of the PHI, ensure breach notification procedures are in place, ensure appropriate access to the PHI, and provide disclosures to the Secretary of HHS as needed.

The HIPAA Security Rule ensures that various safeguards are in place on Technical, Physical, and Administrative levels. Some are designated as 'required', and others designated as 'addressable' (required for certain organizations).

Technical safeguards deal with: unique user identification, emergency access procedures, automatic logoff, encryption/decryption, audit controls, and authentication systems and methods. Physical safeguards deal with the physical location and the facilities themselves, including: contingency operations, security plans, access control, maintenance records, workstation use, workstation security, disposal of documents, accountability, and data backup/storage procedures.

Administrative safeguards cover the conduct of workers in the organization, and provide measures in place to protect PHI. It requires establishing a privacy officer, conducting staff training, review documentation on a regular basis, performing a risk assessment, creating agreements with the various Business Associates (BA) that partner with your organization.

The Enforcement Rule and Breach Notification Rule are not necessarily actionable in advance, but they spell out the penalties and procedures for hearings related to HIPAA non-compliance, as well as procedures for dealing with a breach of unsecured PHI.

Though seemingly daunting, the HIPAA compliance checklist rules can be applied and enforced in your organization in a systematic manner through a checklist. In addition, automatic tools can enhance the value of a checklist by having systematized procedures to bring your organization into compliance.

Read More