HIPAA. Just saying it will send chills down the spines of healthcare legal teams across the United States. If this is your first run-in with it, though, it stands for the Health Insurance Portability and Accountability Act, and it's the law of the land when it comes to protecting medical data. It's one of the most important pieces of legislation ever passed in the healthcare industry. And it's kind of intimidating. Protecting patient data is at the core of the regulation, and mistakes can be extremely costly. But don't let all that scare you off — we've got your back. We've put together a comprehensive HIPAA compliance checklist that'll help keep you and your team safe from the regulatory powers that be.
What Is HIPAA Compliance?
HIPAA compliance is the process of making sure you, your team, and your business associates are adhering to all regulations outlined in the Health Insurance Portability and Accountability Act.
So who has to be compliant? The short answer is: everyone. The longer answer, however, includes:
And covered entities, or everyone they do business with, including but not limited to:
The entire point of HIPAA is to protect patients from unauthorized use or disclosure of their protected health information (PHI) or electronic protected health information (ePHI). So while compliance can be a little bit of a hassle, it's most certainly a good thing.
Now let's get into the nitty-gritty. There are five basic rules of HIPAA compliance:
| Rule | What it requires |
| --- | --- |
| HIPAA Privacy Rule | Patients must have access to and control over their own health information, and covered entities must have measures to protect that data and the transmission of that data. |
| HIPAA Security Rule | Healthcare providers and covered entities must meet the administrative, physical, and technical standards for the storage and protection of PHI and ePHI. |
| HIPAA Omnibus Rule | All HIPAA-covered entities must provide a notice of privacy practices to their patients. |
| HIPAA Breach Notification Rule | Covered entities are required to notify individuals when there is an unauthorized use or disclosure of their PHI. |
| HIPAA Enforcement Rule | Covered entities must have a process in place to investigate and address any complaints of noncompliance. |
To be HIPAA compliant, you’ll need to take appropriate measures to ensure that your organization is meeting these requirements.
Why HIPAA Compliance Is Important
Well, for one, it's the right thing to do. By adhering to the requirements of HIPAA, you're protecting your patients.
If you ask your legal team, though, they might mention that there is another pretty big reason to remain compliant: noncompliance is expensive. Like, really, really expensive.
In fact, the average cost of a data breach in the healthcare industry exceeds $10 million. That includes Department of Health and Human Services fines of up to $1.9 million per violation.
Noncompliance can also damage your organization's public image. After all, patients want to know that their health data is safe and secure.
Accidents happen — and they can be costly. But individuals knowingly violating HIPAA regulations for personal gain could face even steeper penalties. We're talkin' up to 10 years in the clink.
If you don't keep up with HIPAA regulations, you're not only putting your patients at risk, but you’re also risking massive fines and a potential loss of business.
The Ultimate HIPAA Compliance Checklist
Wondering how you can make sure your organization is compliant with HIPAA regulations? Don't worry, we're here to help.
We've put together a handy HIPAA compliance checklist to make sure you cover all the bases:
1. Do a Risk Assessment
The first step to HIPAA compliance is conducting a comprehensive risk assessment based on the five rules we mentioned above.
This means evaluating the technology and devices you use, assessing your policies and procedures, analyzing the data that flows in and out of your system, and understanding how to secure sensitive patient information.
Remember:
- Patients must have access to their PHI
- PHI must be stored securely
- You must provide a notice of privacy practices to all patients
- You need a process in place to notify patients if their PHI is compromised
- You need a comprehensive procedure in place to investigate complaints of noncompliance
Risk assessments should be repeated on a regular basis so you can make sure you're up to date with the latest regulations and best practices.
Here are a few questions you can ask in your HIPAA risk assessment:
2. Implement Security Safeguards
Once the risks to PHI have been identified, you must develop a comprehensive security plan to address them. This security plan should include physical and digital safeguards designed to protect PHI and ePHI from unauthorized access, use, or disclosure.
- Physical safeguards are things like locked doors and file cabinets, security cameras, and shredders for destroying confidential information.
- Digital safeguards include things like software with bank-level security, contract management solutions that allow you to set permissions and roles, password protection, two-factor authentication, encryption, and firewalls.
You'll also want to perform due diligence on your business associates, like cloud storage providers, vendors, or anyone else who may have access to or be in charge of PHI, to ensure they're complying with these safeguards. Make sure security provisions are outlined in contracts and review them regularly in case you need to update them.
Here are a few questions you can ask to ensure your HIPAA security safeguards are satisfactory:
3. Establish Administrative Policies and Procedures
Written policies and procedures are the lifeblood of organizational compliance.
Create a policy for routine system maintenance and monitoring, incident reporting, and how to handle violations.
You'll also want to outline appropriate sanctions for employees who violate HIPAA rules. Make sure everyone in the organization knows who is responsible for ensuring compliance and when any audit reports or assessments must be completed.
Finally, arm your compliance officers and contract managers with top-tier contract management software.
Software with the ability to set permissions and roles for specific documents will ensure that PHI is safe from prying eyes and allow you to terminate access when employees change roles, leave the organization, or move on to another patient.
Here are a few questions you can ask to make sure your policies and procedures are adequate:
4. Create a Contingency Plan
We all know Murphy's Law: Anything that can go wrong will go wrong.
That's why it's important to prepare for anything and everything that could put PHI at risk.
Here are four key goals every HIPAA contingency plan should accomplish:
- Establish clear lines of communication:Define who will be responsible for contacting the proper authorities, communicating with patients and healthcare providers, and notifying employees in the event of a violation.
- Outline appropriate responses:Have a plan for responding to violations, taking corrective action, and responding to media coverage.
- Guarantee quick response times:Set deadlines for responding to violations and resolving issues as quickly as possible. Delaying action runs the risk of further damage and could result in more expensive fines.
- Test your plan regularly:Conduct drills and tabletop exercises with your staff. By testing your plan regularly, you can identify any weaknesses and make necessary adjustments before an actual emergency occurs.
Here are a few questions you can ask to make sure your contingency plan is sufficient:
5. Train Your Employees on HIPAA Compliance
Ever heard this one? “For the best return on your money, pour your purse into your head.”
When Ben Franklin said that, he wasn't talking about HIPAA, though he could have been!
Not only is training required under HIPAA law, but it's also got a great ROI.
Remember, a data breach could result in an eight-figure loss, so training your team on how to prevent a breach, or mitigate the damage if one does occur, could help you save a pretty penny.
So, who needs training? Everyone! That includes employees and business associates who handle PHI. And it shouldn't be a one-off onboarding session, either. You'll need to make sure you have routine refreshers as well.
Here's a quick list of topics your training should cover:
- Overview of HIPAA rules
- Guidelines for keeping data secure
- Proper handling of PHI
- Reporting security breaches
- How to use HIPAA-compliant software
- Cybersecurity best practices
- Risk assessment protocols and procedures
6. Document Everything
Hansel and Gretel left breadcrumbs to find their way home. You might consider taking a page from their book!
When it comes to keeping your organization compliant, having a paper trail and a secure, organized repository is everything.
Compliance audits are inevitable, so compiling regular reports showcasing your compliance efforts is a must.
These reports should cover things like:
- All training that has taken place
- Policies and procedures
- Security measures
- Incident reports and complaints
- Any disciplinary actions taken for noncompliance
Hansel and Gretel made it home safely, and if you audit-proof your organization, you will, too!
Here is a quick checklist to ensure you’re documenting everything you need to be documenting:
7. Use the Right Software
You know that old saying, “you’re only as good as your tools”? Well, it couldn’t be truer when it comes to HIPAA compliance.
And these days, it's all about software. HIPAA-compliant software.
Whether you're managing contracts or organizing patient files, you need a system that fulfills at least a few basic requirements:
- Secure against unauthorized access
- Able to encrypt or otherwise protect sensitive data
- Accurately track who has accessed the data and when
- Accessible by only authorized personnel
- Ensures the confidentiality and integrity of all PHI
- Backs up all ePHI to ensure it can be accessed by patients in case of emergency
Remember: If you're using a third party as your technology provider, you will need to do your due diligence to make sure their systems are in tip-top shape and following the best practices outlined by the Department of Health and Human Services.
Here’s a quick checklist to ensure you’re following the best tech practices possible:
HIPAA Compliance Has Never Been Easier
Contract management software makes HIPAA compliance a walk in the park. With automated processes, detailed reports, user permissions and roles, and a secure, centralized digital repository for all your HIPAA documents, you can be sure you’re meeting the standards of compliance.
Want to see how you can beef up your compliance efforts today? Poke around ContractSafe's healthcare-specific contract management features during a free trial!
FAQs
What are the changes to HIPAA in 2023?
For 2023, patient rights to access data are being more clearly defined, as well as the responsibility of healthcare organizations to: respond to requests; verify the identity of parties requesting PHI; and adequately handle data with third parties.
How do you do a HIPAA compliance checklist?
- Understand HIPAA Privacy and Security Rules.
- Determine if the Privacy Rule affects you.
- Protect the right types of patient data.
- Prevent potential HIPAA violations.
- Stay updated on HIPAA changes.
- Know how COVID affects HIPAA.
- Document everything.
- Report data breaches.
Box for healthcare: HIPAA-compliant cloud storage
All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud.
According to the Office of Information and Regulatory Affairs, Office of Management and Budget, final action on the proposed rules (published in the Federal Register) to modify the HIPAA Privacy Rule is scheduled to occur in March 2023.
What to expect in 2023 in healthcare?
The US healthcare industry faces demanding conditions in 2023, including recessionary pressure, continuing high inflation rates, labor shortages, and endemic COVID-19.
What are the health policy issues for 2023?
The issues on the list include the public health workforce and legal authority, immunization, reproductive health, overdose prevention, mental health, data privacy and modernization, health equity, environmental health, tobacco and nicotine products, and HIV.
How do I make a compliance checklist?
- Create and manage digital checklists.
- Attach and send photos.
- Keep track of checklist progress.
- Gather relevant data and information.
- Generate useful reports of checklist findings.
- And more!
The HIPAA rules and regulations consist of three major components: the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
What is the difference between HIPPA and HIPAA?
HIPPA has no meaning. HIPAA compliance is the correct term, and if you were to type HIPPA compliance into a search engine like Google, the results would redirect to HIPAA results. Therefore, whether you spell it as "HIPAA" or "HIPPA", you will be directed to information about the US health law.
Is free Gmail HIPAA compliant?
Google does not sign a business associate agreement with free Gmail users. Therefore, the free version of Gmail is not a HIPAA compliant solution. In order to stay away from costly fines, keep these steps in mind: pay for Google Workspace to eliminate ads and secure your data from automated processing.
What spreadsheet is HIPAA compliant?
Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA's regulatory requirements for protecting health data.
How much does HIPAA compliant Google cost?
Just $6-$12 per month per user within your business. G Suite is an incredible value not only from a security standpoint but from a marketing and business standpoint.
What is the fine for a HIPAA violation in 2023?
HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
Is FaceTime HIPAA compliant in 2023?
A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA; therefore, its services, including FaceTime®, are not technically HIPAA compliant.
How long is a HIPAA form valid?
Under HIPAA, your site must retain the authorization for at least six years after the subject has signed it. Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule.
Is Medi-Cal changing in 2023?
While close to 70% of Medicare beneficiaries with Medi-Cal (also known as dually eligible beneficiaries) receive their Medi-Cal benefits through a Medi-Cal managed care plan, in 2023 that number will increase to close to 100%.
What are the healthcare mega trends for 2023?
Advanced technologies such as AI, cloud computing, robotics, wearables, and telehealth systems are just a few key trends that are taking the healthcare industry by storm. Because of this, healthcare leaders must find ways to ensure each patient's journey is secure, personalized, easy to navigate, and empowering.
What is the 2023-2026 National Health Security Strategy?
The 2023-2026 National Health Security Strategy (NHSS) presents a unique opportunity to reflect on lessons being learned in the ongoing COVID-19 pandemic and focus the Nation's priorities to address evolving public health challenges and be better prepared for future health security threats.
What are the major global issues in 2023?
Most respondents to the 2022-2023 Global Risks Perception Survey (GRPS) chose "Energy supply crisis", "Cost-of-living crisis", "Rising inflation", "Food supply crisis", and "Cyberattacks on critical infrastructure" as among the top risks for 2023 with the greatest potential impact on a global scale (Figure 1.1).
What is the health topic for January 2023?
- January 1-31: Cervical Health Awareness Month.
- January 1-31: Glaucoma Awareness Month.
- January 1-31: International Quality of Life Month.
- January 1-31: National Birth Defects Awareness/Prevention Month.
- January 1-31: National Blood Donor Month.
- January 1-31: National Radon Action Month.
What are the 5 C's of compliance?
Summary: Calm, credible, clear, confident, and courageous compliance leadership keeps management, the Board, and employees calm to manage crises and keeps defenses strong to remain diligent against harm, including fraud, misconduct, and criminal activity.
What are the 12 types of compliance requirements?
- 1) Activities Allowed or Unallowed.
- 2) Allowable Costs/Cost Principles.
- 3) Cash Management.
- 4) Eligibility.
- 5) Equipment & Real Property Management.
- 6) Matching, Level of Effort, Earmarking.
- 7) Period of Performance.
- 8) Procurement, Suspension, & Debarment.
- Leadership.
- Risk Assessment.
- Standards and Controls.
- Training and Communications.
- Oversight.
When it comes to HIPAA, always remember the Golden Rule—treat others as you want to be treated. If you wouldn't be comfortable with your information being handled a certain way, it's probably time to take a look at your company's HIPAA compliance.
What are 3 common HIPAA violations?
- Losing Devices. In the last decade, over 800 device loss or theft incidents have been reported.
- Getting Hacked.
- Employees Dishonestly Accessing Files.
- Improper Filing and Disposing of Documents.
- Releasing Patient Information After the Authorization Period Expires.
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and
What is the most common HIPAA violation?
Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned.
Can a non-medical person violate HIPAA?
A non-medical person can violate HIPAA because HIPAA applies to covered entities and business associates, and their workforces.
What information can be shared without violating HIPAA?
All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure, or the entity sharing the information has obtained a written authorization from the subject of the information.
Is Gmail HIPAA compliant in 2023?
No, the free version of Gmail is not HIPAA compliant. However, Google's G Suite offers a range of options for businesses that need to comply with HIPAA regulations.
Is emailing a HIPAA violation?
HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.
Why is email not HIPAA compliant?
Ensure you have end-to-end encryption for email. Email is a quick and easy way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant.
Google Sheets has stated that it is HIPAA compliant. Google Sheets also offers a range of security features including access controls, auditing, and encryption. Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI).
Can Google Docs be HIPAA compliant?
And the answer is YES! Google Docs (with a paid Google Workspace subscription, signed BAA, and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google's HIPAA Implementation Guide (linked at the end of this article).
Is Microsoft Excel HIPAA compliant?
However, Microsoft enables customers in their compliance with HIPAA and the HITECH Act and adheres to the Security Rule requirements of HIPAA in its capacity as a business associate.
How do I make my Gmail HIPAA compliant for free?
To make Gmail HIPAA compliant, you must enter into a Business Associate Agreement with Google. Because Google is such a large company, the process of signing a Business Associate Agreement is different. Unlike your other business associates, Google will not send you a signed document.
Is Zoom HIPAA compliant?
In provisioning and operating the Zoom HIPAA Services, Zoom complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its capacity as a business associate.
Is there a free version of Google Workspace?
Google Workspace includes all core services available in the G Suite legacy free edition, such as Gmail, Drive, Calendar, Meet, and Chat.
What is the HIPAA rule 2023?
On April 12, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health care privacy.
Does a HIPAA certificate expire?
Because covered entities and business associates are required to keep HIPAA-related papers for at least six years, in theory, HIPAA certification has a shelf life of six years, although this may be considerably longer in reality.
What kind of phone message can be left under HIPAA?
The HIPAA Privacy Rule does permit health care providers to communicate via voicemail with their patients. This may be regarding their appointments, prescriptions, or other information about their care.
Are personal cell phones HIPAA compliant?
The HIPAA Rules generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets. The HIPAA Rules apply only when PHI is created, received, maintained, or transmitted by covered entities and business associates.
Why is SMS not HIPAA compliant?
Most SMS messages are not HIPAA compliant. This is because they are not encrypted, cannot be recalled if sent to the wrong recipient, and can be intercepted on public Wi-Fi networks. Although mechanisms exist to resolve these issues with SMS messages, they are rarely used.
We recommend reviewing your authorization forms every few years or so, however, to confirm none of the data has changed, and any time an outside event would require a new form (such as a name change, a patient who turns 18, or another scenario).
Can I decline HIPAA authorization?
Refusing to sign the acknowledgement does not prevent a provider or plan from using or disclosing health information as HIPAA permits. If you refuse to sign the acknowledgement, the provider must keep a record of this fact.
Should you decline HIPAA authorization?
Should I sign this "HIPAA Authorization" for release of my medical records? No, you should not sign the HIPAA authorization for the release of your medical records. Often, the insurance company will act as though they cannot begin to decide how much money to offer you until they have all of your medical records.
What are the 3 types of HIPAA violations?
The 3 types of HIPAA violations are administrative, civil, and criminal violations. Most administrative HIPAA violations are investigated by the Centers for Medicare and Medicaid Services (CMS), while civil HIPAA violations are investigated by the HHS' Office for Civil Rights (OCR).
What is a Tier 1 violation of HIPAA?
Criminal HIPAA violations and penalties fall under three tiers: Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine. Tier 2: Obtaining PHI under false pretenses — up to five years in jail and a $100,000 fine.
Is texting patients HIPAA compliant?
Texting patient information to patients is allowed by HIPAA provided the covered entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient's consent to communicate by text. Both the warning and the consent must be documented.
What is the medical trend increase for 2023?
The U.S. healthcare inflation rate, or "the year over year change in the healthcare component of the U.S. Consumer Price Index," was 3.06% in January 2023 — lower than it was at the end of 2022 (hovering around 4%) but higher than it was a year prior (2.47% in January 2022).
What is the US healthcare budget for 2023?
GENERAL BUDGET OVERVIEW
For Fiscal Year (FY) 2023-24, the Governor's Budget proposes a total of $144.4 billion and 4,772 positions for the support of DHCS programs and services.
The Cybersecurity and Infrastructure Security Agency's (CISA) 2023-2025 Strategic Plan is the agency's first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: The CISA Strategic Plan will focus and guide the agency's efforts over the next three years.
What are the healthcare pain points for 2023?
Health care leaders are anticipating a turbulent 2023, according to a report from Deloitte. Staffing, inflation, shrinking margins, and supply chain issues are among the top concerns that will continue to challenge hospitals and health systems and have an outsized effect on overall strategy.
What is the medical device industry in 2023?
Artificial intelligence (AI) and robotics are expected to play an increasingly important role in the medical device sector in 2023. AI-driven devices, such as diagnostic instruments and surgical robots, are expected to become more advanced and more widespread.
What are the disruptive technologies in healthcare 2023?
Wearables, mHealth, telemedicine, and digital health solutions: all of these technologies have the potential to transform the healthcare system in 2023 and the coming years.