The Ultimate HIPAA Compliance Checklist

The Ultimate HIPAA Compliance Checklist


In 2018, Anthem suffered a series of cyberattacks that led to the most significant health data breach in U.S. history. The breach exposed the protected health information of nearly 79 million people.

As a result, Anthem agreed to pay the U.S. Department of Health and Human Services (HHS) $16 million and take corrective action to settle violations of the Health Insurance Portability and Accountability Act (HIPPA) Privacy and Security Rules.

As you can see, HIPPA violations are expensive. So, do you have your HIPAA compliance checklist handy?

Any company that deals with protected health information (PHI) must have security measures in place to ensure compliance. 

In this article, we’ll give you a short HIPAA summary and provide you with a quick compliance checklist.

HIPAA Policy Rules

HIPAA compliant policies include multiple rules for data handling. These are the Privacy Rule, the Security Rule, the Omnibus Rule, and the Breach Notification Rule.

Privacy Rule

HIPAA’s strict Privacy Rule has well-defined limitations of how and when PHI is accessed. 

Without a patient’s consent, doctors and other medical staff cannot share their personal information is not even with law enforcement or insurance companies. To grant any outside person access to PHI, a patient must sign a consent form.

Security Rule

The Security Rules require businesses to provide physical, technical, and administrative safeguards while processing and storing electronic PHI (or ePHI).

All companies that deal with PHI must restrict access to PHI and train their staff accordingly. Any tools and software used to handle data must be secure and operated with care.

Omnibus Rule

The Omnibus Rule is for Business Associate Agreements (BAAs). BAAs are legal documents between a contractor and a healthcare provider. 

The rule states that no transaction of personal health data may be carried out without the agreement on HIPAA compliance between the two parties. The law also restricts anyone from using PHI for marketing or other purposes. 

Breach Notification Rule

If your business fails to comply with PHI confidentiality, you must disclose the breach to any patients and the HHS immediately.

The HHS and the Office of Civil Rights (OCR) must be notified immediately if the breach involves more than 500 PHI records. You’re also required to clarify the violation to the public in a press release. If the breach affects less than 500 people, it’s annually reported to the HHS.

A Simple HIPAA Compliance Checklist

If you’re still learning how to maintain HIPPA compliance, here’s a quick checklist. All covered entities and business associates must follow these guidelines to ensure they remain compliant.

  1. Track and trace all folders and files that contain PHI.
  2. Restrict access to PHI across your organizations allow limited access.
  3. Include the HIPAA compliance rules in all policies and procedures.
  4. In case of any issues, document your compliance policies and procedures to maintain and record of compliance.
  5. Regularly review the data security measures in place at your organization to detect any faulty processes or loopholes.
  6. Have a proper remedial plan lined out in case of any gap in compliance.
  7. Ensure that all business associates and covered entities in BAAs are also in compliance with HIPAA.
  8. Prepare with a procedure and documents, just in case of a PHI data breach.

Maintain Compliance with HIPAA Training

Sure, HIPAA compliance is strict, and it can be scary to face rules and regulations if you don’t fully understand compliance.

Instill confidence in your organization by enrolling in a HIPAA training program.

Want more information about HIPAA compliance requirements? Check out a list of our most popular courses to get started.