
HIPAA Compliance Checklist for Healthcare 2021

November 15, 2021

You want to ensure HIPAA compliance to protect your patients' personal medical information. But what exactly does that mean for you, the healthcare provider? Let's take a step back and establish what HIPAA requires of healthcare providers.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States. The act requires healthcare providers to safeguard patients' protected health information (PHI) and its electronic form, electronic protected health information (ePHI).

Any organization that collects, stores, or processes patient information needs to be aware of HIPAA and how it impacts its operations.

Protected Health Information (PHI)

HIPAA does not cover all healthcare data or all data handled by healthcare organizations, only protected health information (PHI).

Any health information that can be linked to a specific individual is protected health information.

Data that may constitute PHI includes:

  • Birth/death date
  • First, middle, or last name
  • Photographs of identification
  • Address, phone number, email address, etc.
  • Biometric data
  • Account numbers, Social Security numbers, or other identification numbers
  • Information about a health condition, including treatment dates
  • Information about healthcare payments

PHI, including electronic health records (EHRs), must be protected under HIPAA by covered entities. These covered entities include:

  1. Healthcare providers - doctors, nurses, etc.
  2. Health plans - Medicaid, Medicare, etc.
  3. Healthcare clearinghouses - organizations that act as intermediaries between health insurers and providers

Additionally, HIPAA applies to the business associates of covered entities, that is, any outside party that has access to PHI protected by the law.

Subcontractors, consultants, and technology providers are examples of business associates.

HIPAA Compliance Checklist

What can healthcare organizations do to ensure they are HIPAA compliant? In this section, we go over some of the must-dos and must-haves for healthcare organizations handling PHI.

Understand the HIPAA Privacy Rule

Healthcare organizations must follow the HIPAA Privacy Rule when collecting, storing, and processing PHI. The rule defines what PHI, covered entities, and business associates are.

It also sets out the situations in which covered entities may disclose PHI without obtaining the individual's consent:

  • To the individual who is the subject of the PHI
  • For treatment, payment, and healthcare operations
  • For activities that benefit the public (e.g., reporting to health authorities, police officers, or coroners; protecting victims of abuse or violence; supporting medical research, etc.)

Understanding the HIPAA Privacy Rule is the starting point for complying with it.

Understand the HIPAA Security Rule

The HIPAA Security Rule defines data security and cybersecurity requirements for electronic health records. Covered entities and business associates must maintain three types of safeguards:

  • Administrative safeguards (e.g., training and education to keep data secure, internal assessments and audits of security risks, etc.)
  • Physical safeguards (e.g., security personnel in areas where sensitive data is located, workstation security, etc.)
  • Technical safeguards (e.g., access controls for IT systems, transmission security measures, encryption, etc.)

The HIPAA Security Rule does not prescribe specific security or privacy practices. Instead, covered entities must determine which measures are most suitable and appropriate for their own risk, with penalties for noncompliance acting as the motivator to get that determination right.

Understand the HIPAA Breach Notification Rule

Under the HIPAA Breach Notification Rule, organizations must notify affected individuals when they become aware of an unauthorized disclosure of PHI.

Security incidents involving healthcare data include physical break-ins, theft of IT equipment, hacking, ransomware, sending PHI to the wrong recipient, and discussing PHI in public.

The HIPAA Breach Notification Rule specifies the following:

  • After a data breach is discovered, all affected individuals must be notified within 60 days.
  • A breach that affects fewer than 500 individuals must be reported to HHS annually. For breaches affecting 500 or more individuals, HHS must be notified within 60 days of discovery.
  • Any improper use or disclosure of PHI is presumed to be a data breach unless the organization can show a low probability that the PHI was compromised.
  • The improper release of encrypted PHI does not constitute a data breach, as long as third parties do not have the decryption key.

To learn how FloatCare can simplify processing your data while staying compliant with HIPAA, contact us today!
