By Alex Hunter
Last updated on January 6, 2022
Owing to the increasing number of healthcare security breaches, the US Department of Health and Human Services (HHS) imposes strict rules on companies that handle protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
Failure to comply with the act results in substantial fines, criminal charges, and civil litigation. HIPAA covers the essential criteria of:
- Breach Notification
Signed into law in 1996 by President Bill Clinton, HIPAA is a federal law that provides a set of rules and regulations to protect healthcare and medical data. It sets security standards for electronic healthcare billing, storing patients’ healthcare information, and handling medical data. It ensures that healthcare data is kept private at all costs.
HIPAA also provides guidelines for notifying patients of a security breach and requires healthcare organizations to secure their infrastructure with safeguards at every technical level.
Being aware of HIPAA compliance guidelines is essential to prevent huge fines, disciplinary action, and/or penalties. Ignorance of HIPAA regulations is not considered a justifiable defense by the Office for Civil Rights (OCR) of the US Department of Health and Human Services.
HIPAA Compliance Terminology
Covered entities and business associates should follow HIPAA guidelines to protect and secure Protected Health Information (PHI). In other words, if you are a covered entity or a business associate, you must be HIPAA compliant. Before understanding if your company is HIPAA compliant, it is necessary to evaluate some technical terminology associated with the HIPAA.
| Term | Meaning |
| --- | --- |
| Protected Health Information (PHI) | The basic healthcare data of every individual that HIPAA intends to protect and safeguard. |
| Covered Entity | Any healthcare organization or entity that accesses PHI. Covered entities can be medical providers, clearinghouses, health insurers, or employer-sponsored health plans. |
| Business Associates | Individuals or organizations that work with covered entities in a non-healthcare capacity, i.e., those that maintain the PHI stored by covered entities. |
Rules and Components of HIPAA
It is also helpful to understand the rules and components of HIPAA. After all, you can’t comply with something you are unfamiliar with.
The privacy rule regulates the disclosure and use of PHI by covered entities. These entities can disclose PHI to law enforcement, to facilitate treatment, or in other cases when written authorization has been received. When PHI is disclosed, covered entities must make sure that only the minimum necessary information is released and must notify individuals of the disclosure of their PHI.
Complementing the privacy rule, the security rule pertains only to electronic PHI. It lays out administrative, physical, and technical safeguards. Administrative safeguards include policies and procedures that show how the entity complies with the act, while physical safeguards control the physical access to protected data. On the other hand, technical safeguards control access to computer systems that contain PHI.
The enforcement rule sets the financial penalties for violating HIPAA rules and establishes the procedure for hearings of HIPAA-related violations. It states that covered entities must apply corrective measures if noncompliance is established. Noncompliance can be established if there is:
- Misuse and nonconforming disclosure of PHI.
- Lack of protection of health information.
- Lack of safeguards for electronic PHI.
- Disclosure of more than the minimum necessary PHI.
A new addition to the HIPAA guidelines, the HIPAA Omnibus Rule expands the definition of business associates to include storage companies, consultants, and subcontractors, and it has also increased the civil penalties for HIPAA violators.
The HIPAA Breach Notification Rule regulates how a breach notification must be issued if a breach occurs. If more than 500 PHI records are affected, you must notify HHS and OCR; minor breaches (fewer than 500 records) must be reported to HHS once a year.
HIPAA Compliance Checklist
HIPAA’s needs and demands have changed over time with advancements in technology. HIPAA has been updated multiple times, with more rules added over the years because of the constant rise in security breaches in the healthcare industry. Noncompliance can result in fines varying from $100 to as high as $1.5 million per year.
To be compliant with the different rules of the HIPAA, consider the following checklists for each of the aforementioned rules.
Compliance checklist for the HIPAA Privacy Rule
- Respond to patient requests promptly, as HIPAA gives you 30 days to get back to patients.
- Inform patients of your data sharing policies using a Notice of Privacy Practices (NPP).
- Train your personnel to understand which data can and cannot be shared.
- Ensure that the integrity of PHI is maintained at all costs.
- Ensure that you get permission from the patient to use their PHI.
- Update your authorization forms.
Compliance checklist for the HIPAA Security Rule
- Encrypt all electronic protected health information (ePHI) when it is transmitted over an external network.
- Control user access to and govern the release or disclosure of ePHI.
- Implement mechanisms to authenticate ePHI and protect its integrity.
- Encrypt all endpoint devices.
- Implement audit controls to record and review all activity involving ePHI.
- Enable automatic logoff after a certain time frame.
- Control physical access to the facility.
- Protect mobile devices by removing data before devices are circulated to other users.
- Track all the servers that store ePHI.
- Manage all workstations centrally to ensure proper use.
- Conduct risk assessments regularly, and deploy required measures to resolve risks.
- Train employees on ePHI access protocols and on how to recognize cybersecurity threats.
- Build contingency plans to achieve ongoing business continuity.
- Prevent unauthorized access to ePHI.
- Document and log all security incidents.
- Test your contingency plan regularly.
Compliance checklist for the HIPAA Enforcement Rule
- Report HIPAA violations to OCR.
- Fix what caused any breach.
Compliance checklist for the HIPAA Omnibus Rule
- Refresh your business associate agreements to reflect the Omnibus Rule.
- Get signed copies of the new Business Associate Agreement (BAA) from stakeholders.
- Update the NPPs to cover information that requires authorization, the right to opt-out of correspondence, and the new breach notification requirements.
- Train your staff to be aware of the new Omnibus Rule adjustments.
Compliance checklist for the HIPAA Breach Notification Rule
- Make sure that you know the notification process for HIPAA in case breaches occur.
- If more than 500 PHI records have been compromised:
  – Notify the Department of Health and Human Services.
  – Issue a press release about the breach.
  – Provide OCR with the list of affected PHI and an explanation of how the violation occurred.
  – Provide OCR with the list of all unauthorized entities that accessed the PHI. Also, indicate whether the PHI was actually accessed or was merely available.
  – Provide OCR with the mitigation steps that were undertaken to deal with the breach.
- If fewer than 500 PHI records have been compromised, you can report all smaller violations to HHS in a single batch.
Generic HIPAA Compliance Checklist
Apart from the rule-specific checklists above, a generic HIPAA compliance checklist ensures that you stay on top of the game. To make certain that your organization is compliant:
- Conduct annual self-audits for security risk assessments, privacy assessments, and physical, asset, and device audits.
- Identify the gaps in your system, and document them.
- Create remediation plans to address the identified gaps.
- Document the remediation plans, review and update them annually, and retain the remediation plans in your records.
- Ensure that all employees complete their annual HIPAA training. Make one person responsible for the training, and ensure that you maintain documentation proving that all employees have received training.
- Make sure that all employees legally attest to your organizational policies and procedures that incorporate HIPAA rules.
- Identify all your business associates and vendors, and include them in signing necessary agreements that comply with HIPAA.
- Create a clearly defined incident response plan in case of a breach.
- Ensure you can provide the required reporting of minor or major breaches.
- Make sure that your organizational employees have instant but secure access to PHI from anywhere at any time.
- Deploy a solution that facilitates better access, security, mobility, and easier management of organizational infrastructure.
Parallels RAS Helps Organizations Requiring HIPAA Compliance
Parallels® Remote Application Server (RAS) is a virtual desktop and application delivery solution that enables healthcare providers to create their own secure, private cloud. It is a perfect solution for healthcare providers who need to maintain a HIPAA-compliant infrastructure.
Parallels RAS improves your healthcare infrastructure by improving accessibility, security, and mobility. It also provides single-pane-of-glass management, auto-provisioning, and auto-scaling.
Parallels RAS provides secure access to desktops, applications, and patient data from any device, at any time, from any location, improving PHI accessibility to clinicians. Full redundancy offered by load balancing ensures that downtime is reduced while providing a seamless end-user experience.
With the use of Parallels RAS, you can provide medical staff with compliant, secure, on-the-go access to PHI. Security measures such as multifactor authentication, customized policies, and advanced filtering are implemented to comply with the HIPAA Security Rule. Since all the data is stored centrally, monitoring the data is easier, thus making it possible to conform to HIPAA and other medical guidelines.
Be it a mobile device, Chromebook, MacBook, or Windows desktop, Parallels RAS allows every endpoint to access healthcare and diagnostic desktop applications easily. Therefore, medical staff can respond to emergencies quickly by receiving real-time updates and alerts on the go.
Single pane of glass
Medical administrators can manage the entire infrastructure from a centralized console. This ensures that monitoring resources, managing connected devices, defining security policies, and providing helpdesk assistance are straightforward.
Auto-provisioning and auto-scaling
Medical IT infrastructure can be scaled up or down automatically as Parallels RAS creates, releases, removes, and load-balances Windows servers based on predefined criteria.
Parallels RAS has all the features necessary to comply with the HIPAA Privacy, Security, Enforcement, Omnibus, and Breach Notification Rules, making it a must-have for your medical organization.
Download the 30-day trial of Parallels RAS today!
How do we become HIPAA compliant?
To become HIPAA compliant, you will need to study the full text of the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164) – which the Department of Health and Human Services' Office for Civil Rights has condensed into 115 pages – and apply those rules to your own business.
What are the 5 steps towards HIPAA compliance?
- Appoint a HIPAA privacy and security officer.
- Conduct HIPAA training for all your employees.
- Develop and enforce HIPAA policies and procedures.
- Analyze the current state of your HIPAA compliance by completing a security risk analysis (SRA).
Do I need to be HIPAA compliant?
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that transmit data electronically. So basically, every provider, such as your doctor, dentist, pharmacy, or hospital, would need to be compliant.
What are the 4 main rules of HIPAA?
The HIPAA Security Rule Standards and Implementation Specifications have four major sections, created to identify relevant security safeguards that help achieve compliance: 1) Physical; 2) Administrative; 3) Technical; and 4) Policies, Procedures, and Documentation Requirements.
What is a HIPAA compliance checklist?
A HIPAA compliance checklist is a resource organizations use to understand the steps involved in achieving and maintaining HIPAA compliance. With a HIPAA compliance checklist, organizations can also discover how to create safeguards that protect their PHI.
How long does it take to become HIPAA compliant?
How long does the training take? The average time for a person to complete the Awareness training is 1.5 hours from start to taking the final exam and getting their certificate. The Security training is also 1.5 hours long.
What are the 3 HIPAA implementation requirements?
Broadly speaking, the HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule.
What is the first step in compliance with HIPAA?
- The Privacy Rule.
- The Security Rule.
- The Breach Notification Rule.
It gives patients more control over their health information. It sets boundaries on the use and release of health records. It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
What is the difference between HIPAA certified and HIPAA compliant?
HIPAA compliance is a process you complete internally, and failure to do so results in penalties and fines. HIPAA certifications are typically obtained through third-party experts or organizations and are usually optional.
What is a compliance checklist?
A compliance checklist is exactly what it sounds like – a detailed and comprehensive list used to aid in the completion of a procedure or task. It is essentially a guide to make sure that everything is running smoothly.
What is a legal compliance checklist?
A legal compliance checklist is used to determine if an organization has met all regulatory requirements in order to legally operate and avoid litigation. Use this digitized legal compliance checklist to assess if an organization is operating in accordance with applicable laws.
How often is HIPAA compliance training required?
According to the Security Rule, HIPAA training is required periodically. Most covered entities meet this requirement by holding annual training sessions. Annual training helps to protect the employer and employees by ensuring employees are “refreshed” on HIPAA regulations.
How can I get free HIPAA certification?
One of the most obvious places to visit in order to find free HIPAA internal training is the official website of the U.S. Department of Health & Human Services. Their site links to several computer-based training modules that need to be downloaded in order to be accessed.
HIPAA requires that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI. This means that even small physicians' offices need to train their personnel on HIPAA. Doctors need to be trained. Nurses need to be trained.
What are 4 HIPAA identifiers?
Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.
What are the 7 steps in the compliance program?
- Implementing written policies and procedures.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
What does it mean to be HIPAA certified?
HIPAA certification means a healthcare organization has been found to meet the standards of the Privacy, Security, and Breach Notification Rules of HIPAA. Usually this means a third-party certification company conducts an audit of your organization to see if your practices match up with HIPAA requirements.
What are the 3 rules of HIPAA?
- The Privacy Rule.
- The Security Rule.
- The Breach Notification Rule.
Training is a critical component of HIPAA compliance. It ensures all employees are up to date on what steps to take to guarantee the privacy and security of protected health information (PHI). Training educates employees on the details of HIPAA and helps them understand their role in compliance.