The Ultimate HIPAA Compliance Checklist For 2023 [Free Download] (2023)

FAQs

What are the changes to HIPAA in 2023? ›

For 2023, patient rights to access data are being more clearly defined, as well as the responsibility of healthcare organizations to: Respond to requests. Verify the identity of parties requesting PHI. Adequately handle data with third parties.

Box for healthcare: HIPAA-compliant cloud storage

All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud.

According to the Office of Information and Regulatory Affairs, Office of Management and Budget, final action on the proposed rules—published in the Federal Register—to modify the HIPAA Privacy Rule is scheduled to occur in March 2023.

The US healthcare industry faces demanding conditions in 2023, including recessionary pressure, continuing high inflation rates, labor shortages, and endemic COVID-19.

The issues on the list include the public health workforce and legal authority, immunization, reproductive health, overdose prevention, mental health, data privacy and modernization, health equity, environmental health, tobacco and nicotine products, and HIV.

The HIPAA rules and regulations consists of three major components, the HIPAA Privacy rules, Security rules, and Breach Notification rules.

HIPPA has no meaning. HIPAA compliance is the correct term and if you were to type HIPPA compliance into a search engine like Google, the results would redirect to HIPAA results. Therefore, whether you spell it as "HIPAA" or "HIPPA", you will be directed to information about the US health law.

Google does not sign a business associate agreement with free Gmail users. Therefore, the free version of Gmail is not a HIPAA compliant solution. In order to stay away from costly fines, keep these steps in mind: Pay for Google Workspace to eliminate ads and secure your data from automated processing.

What spreadsheet is HIPAA compliant? ›

Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA's regulatory requirements for protecting health data.

Just $6-$12 per month per user within your business. G-Suite is an incredible value not only from a security standpoint but from a marketing and business standpoint.

HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA; therefore, its services, including FaceTime®, are not technically HIPAA compliant.

Under HIPAA, your site must retain the authorization for at least six years after the subject has signed it. Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule.

While close to 70% of Medicare beneficiaries with Medi-Cal (also known as dually eligible beneficiaries) receive their Medi-Cal benefits through a Medi-Cal managed care plan, in 2023 that number will increase to close to 100%.

Advanced technologies such as AI, cloud computing, robotics, wearables, and telehealth systems are just a few key trends that are taking the healthcare industry by storm. Because of this, healthcare leaders must find ways to ensure each patient's journey is secure, personalized, easy to navigate, and empowering.

The 20​23-2026 National Health Security Strategy (NHSS) presents a unique opportunity to reflect on lessons being learned in the ongoing COVID-19 pandemic and focus ​the Nation's priorities to address evolving public health challenges and be better prepared for future health security threats.

Most respondents to the 2022-2023 Global Risks Perception Survey (GRPS) chose “Energy supply crisis”; “Cost-of-living crisis”; “Rising inflation”; “Food supply crisis” and “Cyberattacks on critical infrastructure” as among the top risks for 2023 with the greatest potential impact on a global scale (Figure 1.1).

What are the 5 C's of compliance? ›

Summary: Calm, credible, clear, confident and courageous Compliance leadership keeps management, the Board, employees calm to manage crises and keep defenses strong to remain diligent against harm, including fraud, misconduct, and criminal activity.

When it comes to HIPAA, always remember the Golden Rule—treat others as you wanted to be treated. If you wouldn't be comfortable with your information being handled a certain way, its probably time to take a look at your company's HIPAA compliance.

Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and.

Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned.

Can a non-medical person violate HIPAA? A non-medical person can violate because HIPAA applies to covered entities and business associates, and their workforces.

What information can be shared without violating HIPAA? All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure or the entity sharing the information has obtained a written authorization from the subject of the information.

Is Gmail HIPAA compliant? No the free version of Gmail is not HIPAA compliant. However, Google's G Suite offers a range of options for businesses that need to comply with HIPAA regulations.

Is emailing a HIPAA violation? ›

HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.

Ensure you have end-to-end encryption for email

Email is a quick and easy way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.

Google Sheets has stated that it is HIPAA compliant. Google Sheets also offers a range of security features including access controls, auditing, and encryption. Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI).

And the answer is YES! Google Docs (with a paid Google Workspace subscription, signed BAA and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google's HIPAA Implementation Guide (linked at the end of this article).

However, Microsoft enables customers in their compliance with HIPAA and the HITECH Act and adheres to the Security Rule requirements of HIPAA in its capacity as a business associate.

To make Gmail HIPAA compliant, you must enter into a Business Associates Agreement with Google. Because Google is such a large company, the process of signing a Business Associates Agreement is different. Unlike your other Business Associates, Google will not send you a signed document.

In provisioning and operating the Zoom HIPAA Services, Zoom complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its capacity as a business associate.

Google Workspace includes all core services available in the G Suite legacy free edition, such as Gmail, Drive, Calendar, Meet, and Chat.

On April 12, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health care privacy.

Because Covered Entities and Business Associates are required to keep HIPAA-related papers for at least six years, in theory, HIPAA Certification has a shelf life of six years - although this may be considerably longer in reality.

What kind of phone message can be left under HIPAA? ›

The HIPAA Privacy Rule does permit health care providers to communicate via voicemail to their patients. This may be regarding their appointments, prescriptions, or other information about their care.

The HIPAA Rules generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets. The HIPAA Rules apply only when PHI is created, received, maintained, or transmitted by covered entities and business associates.

Most SMS Messages are Not HIPAA Compliant

This is because they are not encrypted, cannot be recalled if sent to the wrong recipient, and can be intercepted on public Wi-Fi networks. Although mechanisms exist to resolve these issues with SMS messages, they are rarely used.

We recommend reviewing your authorization forms every few years or so however, to confirm none of the data has changed and anytime an outside event would require a new form (such as a name change, patient who turns 18, or other scenario).

Refusing to sign the acknowledgement does not prevent a provider or plan from using or disclosing health information as HIPAA permits. If you refuse to sign the acknowledgement, the provider must keep a record of this fact.

Should I sign this “HIPAA Authorization” for release of my medical records? No, you should not sign the HIPAA authorization for the release of your medical records. Often, the insurance company will act as though they cannot begin to decide how much money to offer you until they have all of your medical records.

The 3 types of HIPAA violations are administrative, civil, and criminal violations. Most administrative HIPAA violations are investigated by the Centers for Medicare and Medicaid Services (CMS), while civil HIPAA violations are investigated by the HHS´ Office for Civil Rights (OCR).

Criminal HIPAA violations and penalties fall under three tiers: Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine. Tier 2: Obtaining PHI under false pretenses — up to five years in jail and a $100,000 fine.

Texting patient information to patients is allowed by HIPAA provided the Covered Entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient´s consent to communicate by text. Both the warning and the consent must be documented.

The U.S. healthcare inflation rate, or the “the year over year change in the healthcare component of the U.S. Consumer Price Index,” was 3.06% in January 2023 — lower than it was at the end of 2022 (hovering around 4%) but higher than it was a year prior (2.47% in January 2022).

What is the US healthcare budget for 2023? ›

GENERAL BUDGET OVERVIEW

For Fiscal Year (FY) 2023-24, the Governor's Budget proposes a total of $144.4 billion, and 4,772 positions for the support of DHCS programs and services.

The Cybersecurity and Infrastructure Security Agency's (CISA) 2023-2025 Strategic Plan is the agency's first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: The CISA Strategic Plan will focus and guide the agency's efforts over the next three years.

Health care leaders are anticipating a turbulent 2023, according to a report from Deloitte. Staffing, inflation, shrinking margins, and supply chain issues are among the top concerns that will continue to challenge hospitals and health systems and have an outsized effect on overall strategy.

Artificial intelligence (AI) and robotics are expected to play an increasingly important role in the medical device sector in 2023. AI-driven devices, such as diagnostic instruments and surgical robots, are expected to become more advanced and more widespread.

Wearables, mHealth, telemedicine, and digital health solutions, all of these technologies have the potential to transform the healthcare system in 2023 and the coming years.