HIPAA compliance guide and check list, a simple guide for SMBs
Did you know the Office of Civil Rights has received over 200,000 HIPAA Privacy Rule complaints? Given that the program has only been in place since 2003, that’s a staggering number for only 16 years.
How can you make sure your business maintains HIPAA compliance? Or if your business has to be HIPAA compliant? Don’t worry, we’re here to help!
Read on to find out what HIPAA compliance is and who needs to practice it. You’ll also find a simple checklist you can follow to make sure you’re being HIPAA compliant.
What is HIPAA Compliance?
Before we start, let’s recap what HIPAA is. The Health Insurance Portability and Accountability Act became law in 1996. The goal was to provide regulations for protecting medical data.
HIPAA aims to manage electronic billing, health care fraud, and confidential health information. The part of HIPAA most likely to be relevant to your business is the HIPAA Privacy Rule.
The HIPAA Privacy Rule establishes who needs to protect medical records. The Privacy Rule also establishes three fundamental rights for patients’ healthcare information:
- the right to grant disclosure,
- the right to a copy of their health records at any point, and
- the right to request record corrections.
A subset of the Privacy Rule is the HIPAA Security Rule. This rule pertains to electronic protected health information (ePHI). It establishes that businesses must administer certain safeguards to be HIPAA compliant.
To enforce these rules, the U.S. government passed another act, called the HITECH. This is short for the Health Information Technology for Economic and Clinical Health. HITECH is the company that raises penalties for any organization violating these rules.
Who Needs to Be HIPAA Compliant?
So, what types of businesses have to be HIPAA compliant? There are four classes of businesses:
- Businesses involved with health plans must be compliant. These include student and employee health plans. It also includes HMOs, Medicaid, and Medicare.
- Healthcare providers must be compliant. These include organizations or individuals that treat patients. This includes doctors and hospitals as well as pharmacies and lab technicians.
- Healthcare clearinghouses must be compliant. These include billing services and groups that process information from healthcare entities.
- Any businesses that associate with the above three must be compliant. This can include contractors, HR departments, and data processing companies. It also includes groups that store or destroy documents, transcriptions, and accountants.
Types of Safeguards
There are three types of safeguards required to protect electronic protected health information.
1. Physical Safeguards
Physical safeguards ensure that facilities storing the health data protect it. Only authorized individuals should be able to access the facility. Most data storage outsource centers already do this, but it’s best to check and be sure.
You also need to protect workstations and devices containing protected health information. So only authorized personnel should be able to access information stored there. There are also specifications for destroying these devices while protecting the information.
2. Technical Safeguards
There are four categories that technical safeguards must control.
- Integrity: You must make sure protected information is not altered or destroyed.
- Access: You must make sure only authorized individuals can access protected information.
- Transmission: You must protect information while transmitting or receiving it. This is usually done via encryption.
- Auditing: All systems using protected information should check access and activity. Only use approved hardware and software.
3. Administrative Safeguards
There are five categories that administrative safeguards have to cover.
- Workforce Training/Management: Employees working with protected information must learn security policies. Employees violating HIPAA compliance should receive sanctions.
- Security Personnel: At least one security official should check HIPAA security procedures.
- Evaluation Systems: Assess security procedures often.
- Security Management: Identify all possible security risks and put protective measures into place.
- Information Access Management: Who can access protected information? It should only be users who need that particular information.
Now that you know about the types of safeguards, you’re ready to see if you fulfill HIPAA compliance in each area!
HIPAA Compliance Checklist
Each safeguard has it’s own HIPAA compliance checklist to consider.
Checking Physical Safeguards
Anywhere that houses protected information needs to use these safeguards. That means no matter if your servers are on your premise or outsourced to a data center. Here are the physical safeguards you need to check on:
- Workstation Positioning and Use: Restrict which workstations can access electronic protected health information. Also, protect the surroundings of the workstation from prying eyes.
- Mobile Device Policies: Can users access protected information from mobile devices? If so, policies must be in place on what happens to these devices once the user leaves. How will the protected information get removed, and will the device get reused/resold?
- Facility Access Control: Who can access protected information storage areas? There should be safeguards preventing tampering, theft, and unauthorized access, too.
- Hardware Inventory: Record inventory, as well as each item’s movements. Also, create a copy of protected information before moving any hardware.
Checking Technical Safeguards
These focus on the technology protecting the electronic protected health information. It also checks data access. Here are the technical safeguards you need to check on:
- Protected Information Authentication: This checks if anyone has altered or destroyed protected information.
- Encryption/Decryption: Authorized devices must be able to encrypt messages leaving your server. They should also be able to decrypt messages once received.
- Access Control: Each user should have their own username and PIN. There should also be procedures for information disclosure in an emergency situation.
- Activity Logs/Audits: Attempts to access protected information should get recorded. It should also record what happened to that data after access.
- Automatic Log-Off: Log off devices after a certain period of time. This prevents unauthorized access at unattended devices.
Checking Administrative Safeguards
These safeguards focus on your auditing process. These ensure your business is at the leading edge of information protection. Your security and privacy officers should administer the following safeguards:
- Risk Assessments: Identify all areas using protected information. Also, determine all possible types of breaches that could happen.
- Risk Management Policy: Update your risk assessments. Establish punishments for employees that do not comply.
- Having a Contingency Plan (And Test It): What happens in an emergency? Don’t forget to test your plan, too. Also test your backup procedures.
- Employee Training: Document regular training of employees on identifying threats to protected information.
- Reporting Security Incidents: If there is a breach, how will your entity contain and report it?
- Restricting Access of 3rd Parties: Do you have parent organizations and subcontractors? Make sure they can’t access protected information unless they’re authorized.
HIPAA Compliance 2019: Now You’re Ready!
Now that you have your checklist, you’re ready to follow HIPAA compliance. Need proactive IT support for your HIPAA compliant business? Try RemarkableTEK!