HIPAA Compliance Checklist for Healthcare 2022

January 17, 2023

You want to ensure HIPAA compliance to protect your patients’ personal medical information. But what exactly does this mean to you, the healthcare provider? We have the answers, so let’s take a step back and establish what HIPAA means for healthcare providers.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States. It requires covered entities and their business associates to safeguard patients' protected health information (PHI), including the electronic form of that information, electronic protected health information (ePHI).

Any organization that collects, stores, or processes patient information needs to be aware of HIPAA and how it impacts its operations.

Protected Health Information (PHI)

HIPAA does not cover all healthcare data or all data handled by healthcare organizations, only protected health information (PHI).

PHI is individually identifiable health information: health information that relates to a person's physical or mental condition, the care they received, or payment for that care, and that identifies the individual or could reasonably be used to identify them.

Data that can make health information identifiable, and therefore PHI, includes:

  • Dates directly related to the individual, such as birth, death, admission, or discharge dates
  • First, middle, or last name
  • Full-face photographs and comparable images
  • Address, phone number, email address, etc.
  • Biometric data
  • Account numbers, Social Security numbers, or other identification numbers
  • Information about a health condition, including treatment dates
  • Information about healthcare payments

PHI, including EHRs, must be protected under HIPAA by covered entities. These covered entities include:

  1. Health care providers - doctors, hospitals, clinics, pharmacies, etc.
  2. Health plans - Medicaid, Medicare, private insurers, etc.
  3. Healthcare clearinghouses - organizations that act as intermediaries between health insurers and providers, for example by converting claims between formats

Additionally, HIPAA applies to the business associates of covered entities: persons or organizations that create, receive, maintain, or transmit PHI while performing functions or services on a covered entity's behalf.

Subcontractors, consultants, billing companies, cloud and hosting providers, and other technology vendors are typical examples of business associates.

HIPAA Compliance Checklist

What can healthcare organizations do to ensure they are HIPAA compliant? In this section, we go over some of the must-dos and must-haves for healthcare organizations handling PHI.

Understand the HIPAA Privacy Rule

Healthcare organizations must follow the HIPAA Privacy Rule whenever they collect, store, use, or disclose PHI. The rule defines what PHI, covered entities, and business associates are, and sets limits on how PHI may be used and disclosed.

It also lists the situations in which a covered entity may use or disclose PHI without the individual's written authorization:

  • To the individual who is the subject of the PHI
  • For treatment, payment, and healthcare operations
  • For public interest and benefit activities (e.g., to public health authorities, law enforcement, or coroners; to protect victims of abuse, neglect, or domestic violence; for certain research purposes, etc.)

Understanding the HIPAA Privacy Rule is the starting point for complying with it.

Understand HIPAA Security Regulations

The HIPAA Security Rule sets the standards for protecting the confidentiality, integrity, and availability of ePHI. Covered entities and business associates must maintain three categories of safeguards:

  • Administrative safeguards (a documented risk analysis and risk management process, workforce training, sanction policies, internal assessments and audits, etc.)
  • Physical safeguards (e.g., facility access controls for areas where ePHI is stored or processed, workstation security, device and media controls, etc.)
  • Technical safeguards (e.g., access controls and unique user identification for IT systems, audit controls, integrity controls, transmission security, encryption, etc.)

The Security Rule is technology-neutral: it does not prescribe particular products, algorithms, or configurations. Each standard has implementation specifications that are either required or addressable. Required specifications must be implemented as written; for addressable ones, the organization must assess whether the specification is reasonable and appropriate in its environment and, if it decides not to implement it, document why and put an equivalent alternative measure in place where reasonable. "Addressable" does not mean optional, and penalties for noncompliance apply either way.

Understand the HIPAA Breach Notification Rule

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals (and, in certain cases, HHS and the media) when they discover a breach of unsecured PHI, and business associates must notify the covered entity.

Common causes of breaches of healthcare data include physical break-ins, theft or loss of IT equipment and media, hacking, ransomware, sending PHI to the wrong recipient, and discussing PHI in public.

The HIPAA Breach Notification Rule specifies the following:

  • Affected individuals must be notified without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.
  • A breach affecting fewer than 500 individuals must be reported to HHS within 60 days after the end of the calendar year in which it was discovered. A breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and within 60 days of discovery, and prominent media outlets in the affected state or jurisdiction must also be notified.
  • Any impermissible use or disclosure of PHI is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.
  • PHI that was encrypted in line with HHS guidance is not "unsecured," so its improper release does not trigger notification, provided the decryption key was not also compromised. In practice this means keys must be stored separately from the encrypted data and never travel with a lost or stolen device; if the key is on the same laptop as the encrypted database, the safe harbor does not apply.

Understand the HIPAA Omnibus Rule

The HIPAA Omnibus Rule, finalized in 2013, addressed several areas that earlier updates to HIPAA had left open.

It amended definitions, set out processes and guidelines, and extended HIPAA compliance obligations directly to business associates and their subcontractors.

Business Associates are defined as any individual or organization that creates, receives, maintains, or transmits Protected Health Information in the course of performing functions on behalf of a Covered Entity. The term also includes contractors, consultants, data storage companies, health information organizations, and any subcontractors engaged by Business Associates.

The Omnibus Rule amended the HIPAA regulations in five key areas:

  • Introduced the final modifications mandated under the HITECH Act.
  • Incorporated the increased, tiered civil monetary penalty structure directed by HITECH.
  • Replaced the earlier "harm" threshold for breaches with the low-probability-of-compromise standard and finalized the Breach Notification Rule for unsecured PHI under the HITECH Act.
  • Modified HIPAA to incorporate the requirements of the Genetic Information Nondiscrimination Act (GINA), prohibiting the use of genetic information for underwriting purposes.
  • Prohibited the sale of PHI and restricted the use of PHI for marketing purposes without the individual's authorization.

Since the Omnibus Rule took effect, Covered Entities must, to be HIPAA compliant:

  • Update Business Associate Agreements – Existing BA agreements must be revised to reflect the Omnibus Rule. Business Associates must be made aware that they are directly subject to the Security Rule and to the applicable Privacy Rule provisions, and must implement appropriate technical, physical, and administrative safeguards to protect ePHI. They must also comply with patient access requirements for records, report breaches to the Covered Entity without unreasonable delay, and support the Covered Entity's breach notification process.

If you need to learn how FloatCare can simplify your ability to process data while staying compliant with HIPAA, contact us today!
