UPDATE: Looking for how to report a HIPAA compliance violation? Visit this HHS.gov complaint reporting page.
It’s 3 am and you’ve had so much coffee, Juan Valdez just called to ask for time off. If you could just practice medicine, your life would be 9 million times easier. The thicket of HIPAA compliance is a gigantic labyrinth that prevents you from doing what you do best: helping people.
You’re not alone. The 12.5 million health care workers in the U.S. all have to clear HIPAA hurdles several times daily. Multiple, morphing rules and leapfrogging technology create a Herculean task. To ease the pain, MedPro has created this guide with 71 action items to achieve true HIPAA compliance.
What Is HIPAA Compliance?
The definition of HIPAA compliance is as simple as “obeying HHS laws to guard Protected Health Information (PHI) from leaks.” That’s a deceptively simple statement, since being compliant requires organizations to follow all the standards in at least three major “Rules.” To make the struggle even harder, some of those Rules are over 500 pages each.
HIPAA, or the Health Information Portability and Accountability Act, governs the use and handling of patient PHI.
This guide won’t make you HIPAA compliant. It’ll guide you toward compliance with a plain English list of 71 action items under all the major Rules.
To be fully compliant, it’s crucial to read the rules themselves. We’ve provided links to each at the end of each section. That said, the language in them can be dense and legalistic. This guide, by contrast, can help you understand the Rules more quickly.
Further, it’s important that all staff be fully trained in HIPAA compliance. Ready to take that step? See MedPro’s compliance training page here.
Who Must Be Compliant?
All HIPAA Compliance standards in this guide apply to “covered entities.” That is, businesses and other organizations that work with PHI (Protected Health Information). Covered entities include:
- Private Practices
- Nursing Homes
- Health Plans
Business Associates of covered entities must also be compliant. A business associate is any entity that helps a covered entity perform its health care functions.
How to Be HIPAA Compliant
To be HIPAA compliant, a covered entity has to follow all the major HHS compliance laws. Those govern Protected Health Information in physical and electronic form. They also control how facilities and employees interact with that information, and what to do in case of a breach. Finally, some of the rules update earlier versions or set penalties for violations.
What Rules Must I Follow?
HIPAA compliance depends on following the regulations in the following three Rules. They’re not short, finite rules like, “Don’t share PHI” or, “Put all sharps in the red biohazard containers.” They’re long, legal documents from HHS, similar to the instructions that accompany IRS tax forms. The major compliance rules to follow are:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
There’s also an Omnibus Rule, an Enforcement Rule, the HITECH Act, and standards governing HIPAA transactions. The rest of this guide pulls together 71 key action items from all these rules combined.
The HIPAA Compliance Checklist
The checklist below gives action items for the HIPAA Privacy, Security, and Breach Notification Rules, plus the other compliance acts and standards.
All the items below are “musts” unless they say to follow them “where reasonable.” Even in cases where adhering to the standards isn’t “reasonable,” organizations often must create a substitute method of addressing the issue. In any case, they have to document their reasoning for non-compliance.
1. How to Be in HIPAA Compliance with the Privacy Rule
The first major HIPAA compliance hurdle comes in the form of the Privacy Rule. This is the foundation of the Act itself. It lays out all the standards for defending PHI against unauthorized access. Introduced in 1996, it has since been altered and amended by later laws. The 22 action items below detail how to be compliant with the Rule. That said, it’s vital to read and understand the Privacy Rule itself. That can be easier said than done, which is why we’ve provided the plain English action items below.
Follow These 10 General Privacy Rule Compliance Standards
The first 10 HIPAA Compliance action items address the general, administrative, and organizational levels of an organization. They include assigning a privacy officer, creating and following compliance policies and procedures, and training employees.
- Have Privacy Policies & Procedures. Create and abide by written procedures and policies that follow the guidelines in the HIPAA Privacy Rule.
- Keep all Protected Health Information (PHI) Secure. Secure the identity and past, present, or future condition of each patient. Also guard details of health care provided to patients or that will be provided.
- Train Employees. All employees and volunteers must be trained in HIPAA compliance policies and procedures. Put penalties in place for employees who violate the privacy rules.
- Have a Breach Plan. Have a plan to limit and manage the harmful effects of unauthorized PHI disclosures.
- Maintain a Complaints Channel. Create procedures for patients and others to complain about the entity’s HIPAA compliance policies and procedures. Detail those complaint procedures in a Privacy Notice (described later).
- Use a Business Associate Agreement (BAA). Have a BAA for each business associate. In it, impose written rules on PHI that the associate must follow.
- Obey Required Disclosures. Disclose PHI to individuals (or their representatives) on request, and to HHS during an investigation into compliance. This doesn’t include psychotherapy notes, data collected for use in legal proceedings, lab results with access prohibited by the CLIA Act, or information from some research labs. In cases of denial, the patient is entitled to a review by another licensed health care professional.
- Follow PHI Disclosure Rules. There are a number of situations where covered entities can disclose PHI. These include reasons of treatment, health care operations, payment, public interest, and others. For the full list, see this HHS Privacy Rule document.
- Get Authorization. Get written authorization before disclosing PHI for any reason not related to payment, health care operations, treatment or other reasons permitted under step #8. Get authorization in specific, written terms. This includes disclosure of psychotherapy notes, or disclosures for marketing purposes.
Respect Minimum PHI Disclosure Rules
These next two HIPAA compliance action items order entities to disclose only the minimum amount of PHI necessary in any situation.
- Disclose the Minimum Necessary. Whatever the reason for a PHI disclosure, have policies and procedures to disclose only the minimum data necessary to fulfill that purpose.
- Have Access Procedures. Have policies and procedures that identify the employees who need access to PHI. Then have a way so only those employees get access. Further, make sure those employees only get access to the specific PHI they need to do their jobs. This relates to all access methods, but it’s covered in more detail under the Security Rule.
Create a Privacy Notice and Uphold Individual Rights
This group of five action items for HIPAA compliance orders covered entities to create, maintain, and distribute a privacy notice. It also addresses certain patient rights such as requests to alter PHI.
- Create a Privacy Notice. Provide and display a Privacy Notice outlining the organization’s privacy practices. Describe the ways the organization uses and discloses PHI. State the organization’s duty to protect privacy and to provide this notice. Also explain the entity’s duty to follow the rules in the notice. Describe patient rights, including complaints to HHS and to the organization itself. For several excellent model privacy notices, see this HHS page.
- Distribute the Privacy Notice. Give the notice to each new patient on enrollment, and once every three years after that. Obtain a signed, written receipt from each patient.
- Make Changes to Flawed PHI. Change patient PHI on patient request when it’s incomplete or inaccurate. After making a patient-requested change, disclose it to others at the patient’s request. Also share the change with individuals whose reliance on the old data might cause harm to the patient. (For example, if an employer thinks an employee has a highly contagious disease because of incorrect PHI.) When a request for a PHI change is denied, supply the denial in writing.
- Disclose Disclosures. On request, tell patients about any disclosures of PHI in the last six years. This excludes disclosures for payment, treatment, health care operations, for disaster relief, or for certain other reasons (see the HHS document at the end of this section).
- Respect Patient Contact Methods. Comply with patient requests to disclose PHI by the means they choose. For example, an organization that currently discloses PHI only by mailed letter must disclose the data by phone instead if the patient requests it.
Here are the last four action items from the HIPAA Privacy Rule. They include the use of data safeguards, prohibitions on retaliation against patients, an order to retain records, and standards for “personal representatives.”
- Use Data Safeguards to Protect PHI. The Security Rule lays out dozens of rules for electronic data protection. This rule refers to physical data safeguards like document shredding or locking file cabinets.
- No Retaliation, No Waivers. Organizations can’t retaliate against patients for exercising their rights. Further, an entity is out of HIPAA compliance when it tries to get a patient to waive privacy rights as a condition for receiving treatment or for other benefits.
- Retain Records. Keep copies of all privacy policies, procedures, complaints, privacy notices, and other HIPAA records for six years.
- Obey “Personal Representatives.” For PHI purposes, treat a patient’s personal representative just like you would treat the patient. A personal representative is legally authorized to make decisions about a patient’s health care. A covered entity can disobey this rule if it believes the representative is abusing the patient or otherwise causing harm.
- Obey the Privacy Rule First. If a State law disagrees with the Privacy Rule, obey the Privacy Rule. One exception: if the State law provides stricter privacy protection than the Rule, obey the State law. Another: State laws that mandate the reporting of child abuse or other public health risks take precedence.
For a deeper dive into how to achieve compliance with the HIPAA Privacy Rule, see this HHS HIPAA Privacy Rule Summary.
2. How to Be in HIPAA Compliance with the Security Rule
The HIPAA Security Rule is arguably the most important and comprehensive part of HIPAA as a whole. Being in compliance with this rule is very nearly the crux of HIPAA compliance in general.
The Security Rule sets out dozens of safeguards for Electronic Protected Health Information (EPHI). The safeguards fall into three distinct categories: Technical, Physical, and Administrative. There’s quite a bit of overlap between these standards and the ones in the Privacy Rule above. As with the rest of this article, the list below is a summary. To be fully HIPAA compliant, it’s crucial to go to the full HHS documentation.
Administrative Safeguards to Comply With
The Administrative Safeguards in the Security Rule cover security management, workforce security, information access management, awareness, training, contingency plans, and more. There are 22 action items in this section. This is the core of HIPAA compliance.
Security Management Process
- Risk Analysis. Conduct a regular risk analysis to assess EPHI vulnerabilities.
- Risk Management. Have a plan to reduce risk to EPHI, based on the findings from the risk analysis.
- Sanction Policy. Enact penalties for employees who break internal HIPAA compliance rules.
- Information System Activity Review. Implement procedures to regularly review records of information system activity (audit logs, access reports, and similar data) for signs of EPHI breaches.
Assigned Security Responsibility
- Assigned Security. Assign a HIPAA security officer or officers to develop plans for, implement, and oversee HIPAA compliance.
- Authorization and/or Supervision. When reasonable, have a way to check identity and/or supervise employees working with EPHI, or working in places where EPHI can be accessed.
- Workforce Clearance Procedure. Where reasonable, have a way to evaluate the need of each employee to access EPHI. Also evaluate the level and type of EPHI they should be able to access.
- Termination Procedures. Where reasonable, when employees are terminated, also terminate their access to EPHI.
Information Access Management
The standards in this section cover how an entity authorizes or denies access to EPHI.
- Isolating Health Care Clearinghouse Functions. Clearinghouses that are part of larger entities must prevent the larger entity from unauthorized access to EPHI.
- Access Authorization. Where reasonable, have a way to grant access only to authorized users of EPHI.
- Access Establishment and Modification. Where reasonable, have ways to control, evaluate, and update each user’s right to access EPHI through various methods (workstations, software, etc.).
Security Awareness and Training
The standards in this HIPAA compliance section ensure employees understand and comply with all EPHI policies and procedures.
- Security Reminders. When reasonable, perform periodic “security updates.” This doesn’t mean software updates, but the renewal of employee training and knowledge concerning HIPAA compliance.
- Protection from Malicious Software. When reasonable, have procedures to detect, report, and defend against malicious software. Regularly remind employees about the existence and use of those procedures.
- Log-in Monitoring. Where reasonable, have ways to monitor login attempts and report irregularities.
- Password Management. When reasonable, have guidelines for creating, changing, and guarding passwords.
Security Incident Procedures
- Response and Reporting. Flag all HIPAA security incidents, address them, and document them. These might include stolen passwords, virus attacks, physical break-ins, or the failure to terminate the access privileges of a former employee.
Full HIPAA compliance requires a security contingency plan to respond to emergencies like fires, disasters, or system failure.
- Data Backup Plan. Have a way to create and maintain exact copies of all EPHI in a recoverable form.
- Disaster Recovery Plan. Have procedures to restore EPHI data when it’s lost for any reason.
- Emergency Mode Operation Plan. Have procedures so that during emergencies, EPHI protection will continue unabated.
- Testing and Revision Procedures. Test and revise contingency plans periodically.
- Applications and Data Criticality Analysis. Where reasonable, create a prioritized list that ranks the importance of each piece of EPHI-related software. This list is a guide for which systems and software get attention first during a disruptive incident.
- Evaluation. Perform periodic evaluations of all security plans and procedures (both technical and nontechnical). Determine whether those safeguards still adequately protect EPHI.
Business Associate Contracts and Other Arrangements
- Written Contract or Other Arrangement. Maintain Business Associate Agreements (BAAs) with all business associates. (See this guide to BAAs for more info.)
For more information on administrative safeguards for HIPAA compliance, see this HHS.gov document.
Physical Safeguards to Comply With
This group of nine HIPAA compliance safeguards covers breach potential in the physical world. It includes access controls on entering and exiting facilities, and on workstations and other devices.
Facility Access Controls
- Contingency Operations. Where reasonable, have contingency plans for physical security and continued access to EPHI during emergency system restoration, for example during power losses or disaster events.
- Facility Security Plan. Where reasonable, have ways to guard equipment from illicit physical access. This could mean locked doors, signage, alarms, cameras, engraving, security badges, and/or security guards.
- Access Control and Validation Procedures. Where reasonable, have ways to control physical access to EPHI areas. Limit access to authorized personnel only.
- Maintenance Records. Where reasonable, have methods to document all repairs and updates to physical structures in EPHI-related areas. “Repairs and updates” could refer to construction or changing locks.
- Workstation Use. Have policies and procedures that dictate the use of different workstations or different classes of workstations. This may mean turning them so they’re viewed only by authorized personnel, adding privacy screens, or using screen savers protected by passwords.
- Workstation Security. Have physical safeguards to prevent unauthorized people from accessing any workstation. This means identifying all EPHI-related workstations and evaluating current security measures.
Device and Media Controls
These HIPAA compliance safeguards control portable physical EPHI devices that can be taken out of a facility.
- Disposal. Have an approved way to dispose of unneeded EPHI and/or the hardware that contains it.
- Media Reuse. When electronic media is reused, have procedures to remove all EPHI from it first.
- Accountability. Where reasonable, keep records of where each piece of hardware/media is at all times, and who is responsible for it.
- Data Backup and Storage. Where reasonable, before equipment is moved, create exact copies of all EPHI on it.
For a more detailed look at all the physical safeguards for HIPAA compliance outlined above, see this HHS.gov physical safeguards document.
Technical Safeguards to Comply With
The last group of nine HIPAA compliance safeguards from the Security Rule deals with technical controls. The standards in this section govern authorized access to EPHI, including usernames, passwords, and data encryption.
- Unique User Identification. Assign a unique electronic identifier (like a name or number) to each EPHI user, so all access can be tracked.
- Emergency Access Procedure. Have a method for approved access during emergencies like power outages.
- Automatic Logoff. Where reasonable, automatically log workers off the system after a predetermined interval.
- Encryption and Decryption. Where reasonable, encrypt EPHI during storage.
- Audit Control. Record and examine activity in systems that use EPHI.
- Integrity. Use electronic mechanisms to ensure that EPHI data isn’t corrupted. (The entity decides which mechanisms to use.)
- Authentication. Use a method to verify the identity of anyone accessing EPHI. (This could be a password, PIN, key, smart card, token, fingerprint, or similar.)
- Integrity Controls. Where reasonable, ensure that EPHI isn’t corrupted during transmission via email, internet or other means.
- Encryption. Where reasonable, encrypt EPHI during transmission over the internet, via email or by other means.
For a deeper understanding of how to be HIPAA compliant with the technical safeguards of the HIPAA Security Rule, see this HHS technical safeguards document.
3. How to Comply with the HIPAA Breach Notification Rule
The third important component of HIPAA compliance is the Breach Notification Rule. While the Privacy and Security Rules dictate how to protect PHI, this rule defines what to do in the event of a failure.
Generally, the rule orders covered entities to disclose breaches to the HHS Office for Civil Rights (OCR). It also orders disclosure to the affected individuals, and in some cases to the media. The action items below give the details for handling breaches, including timing and other details.
- File Breach Reports with OCR. All PHI breaches must be reported to the HHS Office for Civil Rights (OCR). File the reports via the OCR’s online Breach Portal.
- Notify Patients of Breaches. Send a written notice about the breach to each affected individual by first class mail. Email can be used if the patient agrees in advance. If contact info can’t be found for more than 10 patients, post a notice online or in major media outlets for 90 days. Include a toll-free number to provide further info. Send individual notifications without unreasonable delay and no later than 60 days after the breach’s discovery. Include information about the breach and what patients can do to protect themselves.
- Report Breaches with 500+ Affected People Quickly. Report all PHI breaches affecting more than 500 people “without unreasonable delay” and no later than 60 days after the breach’s discovery.
- Report Breaches with <500 Affected People Annually. Report PHI breaches that affect fewer than 500 people to HHS OCR annually.
- Report Large Breaches to the Media. Report breaches of PHI for more than 500 patients to the media in the affected area, usually as a press release. Make media reports without unreasonable delay and no later than 60 days after discovery.
- Keep Records of Breach Notifications. Maintain records of all individual, media, and OCR breach notifications.
For more information about achieving HIPAA compliance with the Breach Notification Rule, see this HHS Breach Notification Rule page.
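As an added example (not from the MedPro checklist or from HHS), the Python below turns the facts of a breach into the list of notices and deadlines the action items above call for. It uses 500 as the large-breach threshold, as in the section headings, and the `Breach`, `Notice` and `plan_notifications` names are constructed for this example.

```python
"""Work out which Breach Notification Rule notices a breach triggers and by when.

Thresholds and windows are the ones stated in the checklist; the Breach and
Notice types and the function names are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60     # individual, media and large-breach OCR notices: no later than 60 days after discovery
SUBSTITUTE_POST_DAYS = 90   # substitute (web/media) notice stays posted for 90 days
LARGE_BREACH = 500          # "500+" affected: prompt OCR report and media notice
MAX_UNREACHABLE = 10        # more than 10 unreachable people: substitute notice required


@dataclass(frozen=True)
class Breach:
    discovered: date
    affected: int
    unreachable: int = 0        # affected people with no usable contact information
    email_consented: int = 0    # people who agreed in advance to be notified by e-mail


@dataclass(frozen=True)
class Notice:
    channel: str                # "mail", "email", "substitute", "ocr", "media", "records"
    recipients: int             # how many people the notice reaches (0 for OCR/media/records)
    deadline: Optional[date]    # None: the rule sets no fixed date (e.g. the annual OCR log)
    note: str


def deadline_after_discovery(discovered: date) -> date:
    """'Without unreasonable delay and no later than 60 days' after discovery."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def plan_notifications(b: Breach) -> list[Notice]:
    """Return every notice the checklist requires for this breach, in the order to act on them."""
    if b.affected < 1:
        raise ValueError("a reportable breach affects at least one individual")
    if not 0 <= b.unreachable <= b.affected:
        raise ValueError("unreachable count must lie between 0 and affected")
    if not 0 <= b.email_consented <= b.affected - b.unreachable:
        raise ValueError("e-mail consent only counts for reachable individuals")

    due = deadline_after_discovery(b.discovered)
    plan: list[Notice] = []

    # Individual notice: first class mail by default, e-mail only with prior agreement.
    by_mail = b.affected - b.unreachable - b.email_consented
    if by_mail:
        plan.append(Notice("mail", by_mail, due, "written notice by first class mail"))
    if b.email_consented:
        plan.append(Notice("email", b.email_consented, due, "individuals who agreed to e-mail in advance"))

    # Substitute notice when contact info is missing for more than 10 people.
    # (The checklist gives no separate instruction for 10 or fewer, so none is modelled here.)
    if b.unreachable > MAX_UNREACHABLE:
        plan.append(Notice("substitute", b.unreachable, due,
                           f"post online or in major media for {SUBSTITUTE_POST_DAYS} days; "
                           "include a toll-free number"))

    # OCR and media: prompt for 500+ affected, otherwise the annual OCR report.
    if b.affected >= LARGE_BREACH:
        plan.append(Notice("ocr", 0, due, "file via the OCR Breach Portal without unreasonable delay"))
        plan.append(Notice("media", 0, due, "notify media in the affected area, usually by press release"))
    else:
        plan.append(Notice("ocr", 0, None, "fewer than 500 affected: include in the annual report to OCR"))

    plan.append(Notice("records", 0, None, "retain records of every individual, media and OCR notification"))
    return plan


if __name__ == "__main__":
    # Constructed sample breach: 1,200 records, 25 people unreachable, 100 consented to e-mail.
    for n in plan_notifications(Breach(date(2024, 3, 1), 1200, unreachable=25, email_consented=100)):
        print(f"{n.channel:10} {n.recipients:5}  due {n.deadline}  {n.note}")
```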
4. The HIPAA Omnibus Rule and HIPAA Compliance
The HIPAA Omnibus Rule went into effect in 2013. It added new regulations to HIPAA, amending those standards already in the Privacy Rule, Security Rule, and Breach Notification Rule.
The good news for a health care “covered entity” looking to be HIPAA compliant: the Omnibus Rule changes are already incorporated in the Privacy Rule, Security Rule, and Breach Notification Rule items above. One exception:
- Respect Patient Requests Concerning Insurers. When a patient pays cash and asks to keep the service private, don’t report that service to the patient’s insurance company.
That said, there’s no substitute for reading the full 500+ page HIPAA Omnibus Rule.
5. HIPAA Compliance and the Enforcement Rule
The HIPAA Enforcement Rule establishes penalties for non-compliance with the Privacy Rule and the Security Rule. Those penalties address four different categories of violations: Ignorance of the law, reasonable cause, willful neglect with correction, and willful neglect without correction.
Where more than one identical violation happens in the same calendar year, the fine for infractions in any category rises to more than $1,500,000. There is some speculation that “more than one identical violation” can mean simply a single breach affecting more than one patient.
What Are the Penalties for HIPAA Non-Compliance?
Here are penalty dollar figures per violation, for the four categories of HIPAA violations:
- $100 to $50,000+ for violations where the covered entity or the business associate didn’t know about the violation, and/or couldn’t have reasonably known.
- $1,000 to $50,000+ for violations due to reasonable cause (not willful neglect).
- $10,000 to $50,000+ for violations due to willful neglect. This covers cases where the violation was corrected within 30 days of when the entity or business associate learned about the violation.
- $50,000 for violations due to willful neglect that aren’t corrected within 30 days of learning about them.
6. How the HITECH Act Affects HIPAA Compliance
The HITECH Act was created in 2009. Some parts of it affect HIPAA compliance and some don’t.
The act ordered health care companies to begin using Electronic Health Records (EHRs). That part of the law doesn’t affect this compliance checklist. The act states that all EHRs must comply with existing regulations in the Privacy and Security Rules. This likewise doesn’t change how organizations comply with HIPAA.
Mainly, for compliance purposes, the HITECH Act altered the other rules (Breach Notification, Enforcement). Those changes are already included in our action items above. They include setting penalties for violations, stipulations on how to report breaches, and forcing business associates to comply with the Privacy and Security Rules.
Generally, if you’re already following the standards in the Privacy, Security, and Breach Notification Rules, you’re already HIPAA compliant under the HITECH Act as well. As always, this article is no substitute for reading and understanding the HITECH Act itself.
7. How to Be Compliant with HIPAA Standard Transactions
HHS adopted certain transaction standards for some actions involving PHI. Covered entities must use these standards when performing these actions. The standard transactions include:
- Health claims and encounter information.
- Enrollment and/or disenrollment in a health plan.
- Eligibility for health plans.
- Payment and remittance advice.
- Premium payments for health plans.
- Status of health claims.
- Referral authorization and certification.
- Coordination of benefits.
The standard transactions are highly technical and don’t fit into the scope of this article. To comply with the standards, HHS refers organizations to the ANSI ASC X12N standards implementation guide at the Washington Publishing Company (WPC) website. The page HHS links to, however, returns a 404 “File Not Found” error.
Achieving HIPAA compliance is no easy task. Covered entities, or any organizations handling protected health information, must comply with the HIPAA Security and Privacy Rules, as well as the Breach Notification Rule, the Omnibus Rule, and the HITECH Act. Failure to comply with these laws can result in fines over $1.5 million. Maintaining compliance with HIPAA is vital for the survival of any health care entity.