HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). In 2013, the final Omnibus rule was enacted, binding business associates - or third-party vendors - to the Health Insurance Portability and Accountability Act. This modification added another level of compliance complexity to an industry not accustomed to operating in the cybersecurity domain - the healthcare industry.

To clear up any confusion regarding HIPAA and help prevent the costly repercussions of noncompliance, this post contains a free checklist covering the bulk of necessary efforts to achieve and maintain HIPAA compliance.

To strengthen your foundational knowledge of HIPAA and its series of national standards, read this post.

Free HIPAA Compliance Checklist (9 Stages)

The action items in this checklist outline a compliance action plan to help entities progress beyond the common confusion and frustrations surrounding HIPAA compliance.

Comparing your current compliance program against this checklist could also identify any HIPAA compliance gaps that need to be addressed to avoid a costly violation.

Download the HIPAA compliance checklist >

1. Appoint a HIPAA Privacy Officer and Security Officer

HIPAA-covered entities must appoint a HIPAA security officer and a HIPAA privacy compliance officer. As per 164.308(a)(2), it's a mandatory HIPAA compliance requirement to have both roles filled. Small operations could assign both roles to the same individual, but larger operations should appoint separate individuals for each role to make the workload easier to manage. Larger organizations are also recommended to establish a Privacy Oversight Committee to oversee policy creation against changing HIPAA regulatory standards.

Learn how to choose an ideal HIPAA compliance product >

The HIPAA regulation doesn’t provide clear guidelines about the roles and responsibilities of HIPAA Privacy Officers and HIPAA Security Officers. This intentional omission allows Covered Entities to design responsibility lists based on their unique compliance workloads.

To offer more concrete guidance, the common duties for each role are outlined below:

The common responsibilities of a HIPAA Privacy Officer include:

  • Developing a HIPAA-Compliant privacy program - if one isn’t implemented.
  • Ensuring privacy policies protect the organization’s Protected Health Information (PHI) - if a HIPAA-compliant program has been implemented.
  • Overseeing and conducting annual HIPAA-compliant employee privacy training.
  • Maintain up-to-date knowledge about state and federal laws that are relevant to HIPAA compliance.
  • Investigating cybersecurity incidents, such as data breaches, where ePHI or PHI has been compromised.
  • Ensuring Business Associate Agreements (BAA’s) are always kept up-to-date.
  • Scheduling annual self-audits and Security Risk Assessments (SRA).

The common responsibilities of a HIPAA Security Officer include:

  • Development of security policies for protecting PHI and ePHI.
  • Development of policies for preventing, detecting, and responding to data breaches involving ePHI.
  • Development of a Disaster Recovery Plan.
  • Development of an Incident Response Plan and remediation plans.
  • Designing mechanisms and processes for mitigating PHI compromise.
  • Developing mechanisms for protecting ePHI both in static and transit modes.
The overlap in duties between HIPAA Security Officers and HIPAA Privacy Officers is the reason why smaller organizations can appoint the same individual for both roles.

2. Perform Annual HIPAA Training in the Workplace

All staff in your workplace - including members of the Privacy Oversight Committee if one has been established - must undergo yearly training. This training is obligatory for all staff, including those that don’t directly interact with PHI’s. The reason for this blanket requirement is that every individual in your workplace is likely to eventually become exposed to some form of PHI.

For example, cleaning staff could involuntarily read personal medical records while cleaning paper from workstations. Or a new employee might recognize a celebrity while using health information technology. Without privacy rule training covering how to handle such PHI exposures, the celebrity could get outed in a social media post, resulting in a very serious HIPAA violation.

The most important topics that must be covered in these training sessions include:

  • How to Identify PHI
  • What is the Minimum Necessary Rue?
  • The importance of ensuring patient data confidentiality
  • Patient rights
  • The implications and penalties for the disclosure of PHI
  • How to respond to PHI exposures.
  • Penalties for HIPAA violation.
  • How to respond to data breaches involving patient health information.

It’s very important to document all training sessions so that evidence of compliance in this area can be readily provided during audits and OCR investigations.

To ensure all training sessions are documented correctly, make sure the following details are included:

  • Date training was conducted.
  • The frequency of this type of training.
  • Who was the training conducted for?
  • Signed attestations of all training attendees
To further demonstrate the effectiveness of Privacy Training efforts to auditors and OCR investigators, monitor training progress with a learning management system.

3. Document all HIPAA Compliance Efforts

Make a habit of documenting every detail of your HIPAA compliance program, not just staff training sessions. In the event of an audit or data breach, extensive documentation could prove that necessary actions were taken to ensure ongoing compliance with HIPAA’s security standards, helping you avoid a costly HIPAA violation.

When HIPAA documentation begins to feel excessive, you’ve reached an appropriate level of documentation.

4. Keep all Logs Updated

A commonly overlooked documentation area is keeping up-to-date records of all logs. These logs will be requested during breach investigation efforts. If you can’t provide them, you won’t be able to prove that response efforts following a data breach event were sufficient enough to avoid a HIPAA violation.

Three categories of log records should be meticulously documented:

  • Assets Logs - Document all assets, regardless of their active status, with access to PHI. Documentation should identify the location of each asset and its state of encryption.
  • Access Logs - Document all PHI access attempts, internally and externally (by vendor and contractors). Access logs will identify which party last accessed PHI at the time of a security event - evidence that could absolve you from a HIPAA violation.
  • Breach Logs - Document all data breaches, including near breaches.

5. Have BAA's for Every Vendor You Work With

According to HIPAA, covered entities can only outsource operations involving protected health information to third parties if they sign an agreement ensuring the complete protection of all PHI at all times.

These third-party services are referred to as “Business Associates” under HIPAA, and the contract that binds them to PHI protection is referred to as “Business Associate Agreements” or BAA’s.

A Business Associate Agreement specifies a Business Associate's security standards and responsibilities in terms of ePHI and PHI protection.

BAA’s should always be signed, even for the simplest administrative assignments.

In 2016, Raleigh Orthopedic Clinic used a third-party service provider to convert X-rays into electronic media and allowed the vendor to harvest the silver from the X-rays. The orthopedic clinic did not ensure a BAA was signed before the arrangement, and because protected health information was disclosed during the business operation, this constituted a HIPAA violation resulting in a $750,000 fine payable to the Office for Civil Rights (OCR).

A graphic that reads "meeting the third-party risk requirements of HIPAA

Learn how to meet the third-party risk requirements of HIPAA

Read blog >

6. Implement Appropriate Security Safeguards

To comply with the security rule, three categories of safeguards must be implemented to ensure the most comprehensive level of ePHI security.

Administrative Safeguards

Administrative safeguards for healthcare organizations and healthcare providers include:

  • Annual workplace training covering compliance with the HIPAA Security and Privacy Rule.
  • Documentation of security management processes.
  • Regular HIPAA audits

Physical Safeguards

Physical safeguards for healthcare organizations and healthcare providers include:

  • Securing all physical devices and workstations with access to health records.
  • Limiting physical access to storage areas and devices housing ePHI to approved personnel.
  • Monitoring access to physical devices storing ePHI.

Technical Safeguards

Technical safeguards for healthcare organizations and healthcare providers include:

  • Implementing Multi-Factor Authentication (MFA) across all user accounts.
  • Implement access control policies ensuring ePHI is only accessible to approved personnel.
  • Enforcing the use of hard tokens in the multi-factor authentication process for remote endpoints like laptops.
  • Ensure data is encrypted at rest and in transit.
  • Implementing firewalls and anti-virus software.
  • Ensuring all security software is kept updated with the latest security patches,
  • Enforcing strong password policies.
  • Encrypting traveling laptops.
  • Ensure all email communications are encrypted in line with HIPAA policies.
  • Implement security controls addressing the vulnerabilities discovered in a risk analysis.

Identifying third-party security vulnerabilities that could negatively impact HIPAA compliance is best done with a risk assessment that maps to HIPAA requirements. The UpGuard platform includes a HIPAA questionnaire for determining the cybersecurity risks of vendors with access to Protected Health Information.

HIPAA Questionnaire on the UpGuard Platform
HIPAA Questionnaire on the UpGuard Platform

Request a free 7-day trial of UpGuard >

7. Perform an Annual Security Risk Analysis (SRA)

An SRA is a comprehensive annual self-audit assessing the resilience of all three categories of security safeguards - administrative, physical and technical. This audit should be an honest analysis of all HIPAA security measures and the areas of your HIPAA compliance program at greatest risk of an evaluation. All risks should be assigned a severity rating to identify vulnerabilities that should be prioritized in remediation efforts. A risk matrix could assist in this effort.

The Risk Matrix feature by UpGuard identifies third-party risks that should be prioritized.
The Risk Matrix feature by UpGuard identifies third-party risks that should be prioritized.

8. Implement a HIPAA Compliance Gap Assessment Tool

Whether you’re a HIPAA-covered entity needing to become HIPAA compliant or a business associate, a mechanism for tracking compliance progress will provide structure and an end-point to your compliance journey.

The best method of identifying compliance gaps is by mapping security questionnaire responses to HIPAA’s security standards. UpGuard's security questionnaire feature automatically maps responses to popular frameworks and regulations, including HIPAA, to help covered entities identify compliance gaps in preliminary self-audits and vendor assessments.

Compliance gap list on the UpGuard platform.
Compliance gap list on the UpGuard platform.

9. Implement a Clear Breach Notification Protocol

To comply with the HIPAA breach notification rule, a clear breach notification protocol needs to be established. This protocol should be a step-by-step guide for internal staff to follow in the event of a security incident, similar to an Incident Response Plan.

Beyond being a mandatory requirement for the breach notification rule, this protocol will ground your internal teams during the stressful moments of a cyberattack, helping them steadily progress through appropriate incident responses when emotions are clouding sound judgment.

The faster data breach response times that result from such a breach response checklist will also likely decrease data breach damage costs and even the potential of a HIPAA violation. A data breach doesn’t necessarily lead to a HIPAA violation. If a HIPAA-Covered Entity can prove that a breach was unintentional and that appropriate response action was taken in the form of a breach response checklist, repercussions could be avoided.

But for a non-violation to be possible, both covered entities and business associates must report all breaches to the OCR and all impacted patients. The breach notification protocol must clearly explain the notification mechanisms for each party during such events.

UpGuard Supports Compliance with HIPAA

UpGuard offers a Vendor Risk Management solution to help healthcare entities track emerging security risks for each of their business associates. By also offering a HIPAA-specific security questionnaire, UpGuard helps HIPAA-covered entities identify the specific third-party vulnerabilities hindering HIPAA compliance, supporting the establishment of a streamlined and efficient HIPAA compliance program.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?