The Ultimate HIPAA Compliance ChecklistGreg Garner
The Ultimate HIPAA Compliance Checklist
In 2018, Anthem suffered a series of cyberattacks that led to the most significant health data breach in U.S. history. The breach exposed the protected health information of nearly 79 million people.
As a result, Anthem agreed to pay the U.S. Department of Health and Human Services (HHS) $16 million and take corrective action to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
As you can see, HIPAA violations are expensive. So, do you have your HIPAA compliance checklist handy?
Any company that deals with protected health information (PHI) must have security measures in place to ensure compliance.
In this article, we’ll give you a short HIPAA summary and provide you with a quick compliance checklist.
A HIPAA Compliance Officer is essential in making sure your compliance plan is being carried out throughout the organization. Many healthcare organizations have a compliance officer, or a compliance committee to handle these responsibilities. There are a number of duties attached to this position that weigh heavily on whether or not your organization meets the criteria under the HIPAA Laws and Regulations. The compliance team or officer should be certified by the AAPC or Health Care Compliance Association so that your organization can confidently move forward.
Duties of an Internal Compliance Officer or Committee
There are a number of elements involved in this position, and having an outline of the duties that must be carried out is key. The compliance officer(s) must start with:
- Performance of a Baseline Assessment
- Drafting of formal compliance program documents.
- Review of all relevant documentation and coordination of an organization-wide audit.
- Review of all current areas of noncompliance.
- Distribution of documentation compiled for compliance plan.
After the initial coordination and distribution, the plan must be reviewed and updated on a consistent basis to ensure all employees are well trained and internal protocols are met. This checklist outlines additional compliance duties:
- Development, coordination and training of all employees and members of the organization. The initial training must be comprehensive and cover the entire corporate compliance plan.
- Performing audits of the training records to be maintained by the organization.
- Reviewing all independent contractor agreements to ensure compliance is being met and all laws are followed.
- Coordination and screening of all employees, independent contractors and other agents of the organization, doing thorough checks to make sure all contractors are operating within their scope and guidelines. Every effort must be made to check with the U.S. Government Accountability Office and cumulative sanction report to make sure no contractors or agents are debarred.
- Conducting audits both internally and externally to make sure all compliance efforts are strictly adhered to. Every department within the organization must be examined, including all administrative areas and laboratories that are regulated under HIPAA and OSHA guidelines. This includes the coordination, training and auditing of all compliance manuals.
- Development of policies and programs when noncompliance issues need to be reported. A reporting system must be in place that all employees and agents are aware of to notify the compliance officer or team when noncompliance issues are brought to light.
- Coordination of any investigations that highlight deficiencies in the current reporting system or any deficiencies that are identified through period assessments of the plan and internal compliance.
- Coordination of any actions taken to correct noncompliance issues that have been identified.
- Maintaining all necessary files related to the compliance plan. Every component must be documented, in addition to all training schedules, a listing of all employees who have been trained, reports of screenings, reports of noncompliance, investigations and corrective actions.
- Report to the board of directors on the progression of the initial implementation of the plan.
- Develop a working budget to accommodate all training needs and compliance duties.
HIPAA Policy Rules
HIPAA compliant policies include multiple rules for data handling. These are the Privacy Rule, the Security Rule, the Omnibus Rule, and the Breach Notification Rule.
HIPAA’s strict Privacy Rule has well-defined limitations of how and when PHI is accessed.Â
Without a patient’s consent, doctors and other medical staff cannot share their personal information is not even with law enforcement or insurance companies. To grant any outside person access to PHI, a patient must sign a consent form.
The Security Rules require businesses to provide physical, technical, and administrative safeguards while processing and storing electronic PHI (or ePHI).
All companies that deal with PHI must restrict access to PHI and train their staff accordingly. Any tools and software used to handle data must be secure and operated with care.
The Omnibus Rule is for Business Associate Agreements (BAAs). BAAs are legal documents between a contractor and a healthcare provider.
The rule states that no transaction of personal health data may be carried out without the agreement on HIPAA compliance between the two parties. The law also restricts anyone from using PHI for marketing or other purposes.
Breach Notification Rule
If your business fails to comply with PHI confidentiality, you must disclose the breach to any patients and the HHS immediately.
The HHS and the Office of Civil Rights (OCR) must be notified immediately if the breach involves more than 500 PHI records. You’re also required to clarify the violation to the public in a press release. If the breach affects less than 500 people, it’s annually reported to the HHS.
HIPAA laws continue to be violated with data breaches occurring in covered entities and by their business associates. With so many rules and regulations, and so much data being transmitted and, recorded, can HIPAA enforce civil or criminal penalties with so many organizations both knowingly and unknowingly in violation on a frequent basis?
Data breaches continue to rise, with data security methods proving ineffective at keeping violations at bay. In 2014, there were 11,840,968 violations through the end of July according to the HHS, which includes the record breach by CHS in August. One of the main reasons for continued violations is the lack of critical infrastructure software, which can be costly to not only maintain, but in frequent updates. There are a number of violations that go unreported every year, and covered entities who do not have sufficient security protocols and officers in place keep HIPAA compliance intact.
One of the main problems with HIPAA compliance is the process. There are many organizations who still do not understand everything that needs to take place and how it could affect their facilities. These covered entities are having a hard time adapting to the frequent changes within the laws, and in the implementation of software that will assist with the infusion of new technology and software that is needed to combat cybercrimes.
One of the main concerns is that in cyberspace, how will organizations be able to safety determine that their online protocols are working correctly? With the use of technology on smart devices and their usage within the healthcare setting, it is difficult to determine whether or not software or apps being used are fully compliant. There is no specific protocol in place to check the viability of applications and software being used in the cloud, and the prevalence of PHI being compromised from an online server is much greater than the risk within the facility. Although having a 3rd party confirm the security of an organization’s online use and protection of PHI, this is not a set standard at the moment.
Additionally, organizations that do not have a compliance officer on hand often miss the mark on compliance, as their resources are pulled from a number of places instead of compliance being handled by that one department. As the laws continue to take shape and enforcement becomes a huge issue, this will hurt many organizations.
These are indications that there are serious problems within the compliance methods for HIPAA which will continue to grow. Once the OCR start their regulatory efforts and issuing penalties and fines, organizations will make a more concerted effort in putting protocols in place to ensure total compliance. Making sure your organization is taking all the necessary steps to develop, enforce and maintain HIPAA compliance is one of the most important things you can do. It is important to work toward implementing procedures that work effectively on and off-line to ensure the security of your organization and the safety of PHI.
A Simple HIPAA Compliance Checklist
If you’re still learning how to maintain HIPPA compliance, here’s a quick checklist. All covered entities and business associates must follow these guidelines to ensure they remain compliant.
- Track and trace all folders and files that contain PHI.
- Restrict access to PHI across your organizations allow limited access.
- Include the HIPAA compliance rules in all policies and procedures.
- In case of any issues, document your compliance policies and procedures to maintain and record of compliance.
- Regularly review the data security measures in place at your organization to detect any faulty processes or loopholes.
- Have a proper remedial plan lined out in case of any gap in compliance.
- Ensure that all business associates and covered entities in BAAs are also in compliance with HIPAA.
- Prepare with a procedure and documents, just in case of a PHI data breach.
Maintain Compliance with HIPAA Training
Sure, HIPAA compliance is strict, and it can be scary to face rules and regulations if you don’t fully understand compliance.
Instill confidence in your organization by enrolling in a HIPAA training program.
Want more information about HIPAA compliance requirements? Check out our most popular courses to get started.