HIPAA is one of the biggest, if not the biggest, health regulations in the world. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996; it is a federal law that requires the creation of national standards to protect patients' sensitive health information from being disclosed or used without the patient's consent or knowledge. To help companies with their HIPAA compliance, we have created a HIPAA checklist that you can use to assess your company's HIPAA compliance.
1. Determine which of the required annual audits and assessments apply to your organization.
Based on your organization's size, architecture and processes, your audit requirements will differ. Typically, any system that stores or processes protected health information (PHI) will be subject to an audit.
2. Conduct the required audits and assessments, analyze the results, and document any deficiencies.
Once you understand what is in scope for an audit or assessment, a thorough audit of the company needs to be done. Any deficiencies found must be corrected and then confirmed by the organization that performs the audit in order to prove compliance. Keep a detailed record of what needs to be changed according to the audit, together with plans for correcting each item. Review these records periodically to make sure the plans are being acted on.
3. Get consent from your patients
Be sure to get written permission from patients before their health information is collected and used for anything, and state the purposes for which that information will be used.
4. If the organization has not already done so, appoint a HIPAA Compliance, Privacy, and/or Security Officer.
Every organization should have someone designated to oversee the organization's compliance. This role is referred to as the HIPAA Compliance, Privacy and/or Security Officer.
5. Ensure the designated HIPAA Compliance Officer conducts annual HIPAA training for all members of staff.
You should perform annual HIPAA training for all members of staff. This training should cover how to properly handle protected health information as well as when and how to report potential privacy issues.
6. Ensure all three types of security controls are put in place for protecting patient information
HIPAA's Security Rule requires that you have three types of controls in place: technical safeguards, physical safeguards, and administrative safeguards. Within each of these categories, some controls are required and must be implemented in the organization, while others are optional controls that are simply best practices.
7. Perform due diligence on Business Associates to assess HIPAA compliance and annually review BAAs.
You need to assess all business associates that you use for handling PHI against HIPAA's standards. You are liable for the compliance of any third party with which you share patient information. This expectation should be set out in your business associate agreement (BAA).
8. Review processes for staff members to report breaches and how breaches are notified to HHS OCR.
You should have clear processes for staff members to report potential data breaches, as well as processes for notifying the HHS OCR and any affected individuals. A breach notification should include the nature of the PHI involved, the unauthorized person who accessed or used the PHI, whether the PHI was actually acquired or viewed, and how the risk of harm was mitigated.
9. Use encryption wherever possible
While HIPAA regulations do not demand the use of encryption in every situation, most HIPAA-related breaches could be avoided if all ePHI were encrypted. Encryption prevents people from reading or using that information even if they manage to steal it, so we highly recommend encrypting ePHI wherever possible to avoid data leaks.
How to get more free content
If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks, feel free to follow us on social media. If you are a business owner who needs help assessing your business's cybersecurity posture, feel free to take advantage of our free introductory assessment and we will help you figure out a game plan for keeping your company safe.