HIPAA Compliance Checklist


The Health Insurance Portability and Accountability Act (HIPAA) was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act to keep the medical information and health records of individuals safe.

It is a must for all healthcare organizations to ensure HIPAA compliance, especially in situations like the ongoing pandemic. Creating a checklist for the requirements will ensure a quick and efficient process.

Even though the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has said that it would not impose penalties for certain violations made during the COVID health emergency, the HIPAA rules remain in effect, and any entity found to be non-compliant will face financial penalties.

We will discuss the HIPAA compliance requirements as a checklist that can help you keep your business HIPAA compliant and prevent the costly fines and penalties that follow data breaches.

The Privacy Rule


The Privacy Rule ensures that Protected Health Information (PHI) is protected from unauthorized access. The HIPAA Privacy Rule was initially called "Standards for Privacy of Individually Identifiable Health Information." It gives patients rights over their health-related information, also called protected health information or PHI.

This rule applies to all health plans, health care providers, and health care clearinghouses that undertake electronic health care transactions. These groups must follow the limitations and conditions it places on using and disclosing PHI.

  • You need to have written policies, procedures, and standards of conduct. These should include written training standards and written penalties for violations, and employees must be informed of them.

  • Where you work with a business associate (BA), you need to ensure that the agreement with it is comprehensive and up-to-date, so that your organization is protected from liability if the BA breaches any HIPAA regulations.

  • Implement administrative, technical, and physical safeguards to control how PHI is used and keep track of who has access to it.

  • Have a complaint procedure in place through which patients can file complaints about HIPAA compliance with covered entities (CEs); patients must also be notified that complaints can be submitted to HHS.

  • Under the HIPAA Privacy Rule, patients cannot be made to waive their rights as a condition of obtaining treatment. Patients must not be required to waive any Privacy Rule rights in order to receive treatment, payment for care, or enrollment in a health plan.

  • All records of privacy policy notices, complaints, remediation plans, and other documentation must be stored safely in an accessible location for six years from their date of release.

  • Appoint a privacy officer to develop and implement these privacy policies.

The Security Rule


The HIPAA Security Rule sets out the standards that must be applied and followed to protect PHI that is created, accessed, and stored electronically (ePHI). It applies to everyone who has access to confidential patient data.

The word "access" is generally interpreted as having the ability to read, write, modify, or communicate ePHI, and it also covers any personal identifiers that may reveal an individual's identity.

The Security Rule is made up of three parts: technical, physical, and administrative safeguards.

The legal terms surrounding each safeguard and standard can be confusing, so here is a simplified, comprehensive list for easy understanding.

Technical Safeguards

Technical safeguards refer to the technology used to protect ePHI and to control access to it. A key condition is that ePHI, whether at rest or in transit, must be encrypted to NIST standards once it leaves an organization's internal firewalls.

This way, in the event of a breach, confidential patient data is unreadable, undecipherable, and unusable to whoever obtained it. From the mechanisms below, an organization can select whichever are most appropriate:

  • Implement a means of access control. This means assigning a centrally controlled unique username and PIN code to each user. You should also set up procedures governing the release or disclosure of ePHI during an emergency.

  • Introduce a procedure to authenticate ePHI. This measure is required for HIPAA compliance: it confirms whether your ePHI has been tampered with or destroyed by an unauthorized user.

  • Implement tools for encryption and decryption. This guideline relates to the devices used by authorized users, which must be able to encrypt messages when they are sent beyond an internal firewalled server and decrypt them when they are received.

  • Keep activity logs and audit controls. The audit controls required under the technical safeguards record attempted access to ePHI and log what is done with the data once it has been accessed.

  • Facilitate automatic log-off of PCs and devices. This feature automatically logs approved personnel off the device they are using if it is left unattended for a certain period of time, so that nobody can access data without permission from an unattended device.
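The following Python sketch is an added example, not code from the original article, showing three of the technical safeguards above working together on constructed data: an HMAC-SHA256 tag that authenticates each ePHI record so that tampering is detected on read, an audit log that records every access attempt (allowed or denied) with its outcome, and an idle-session timeout that enforces automatic log-off. The integrity key, the 15-minute timeout, the access-control list, the patient identifiers, and the records are all assumed or constructed values; encryption at rest and in transit is out of scope here because the standard library has no AEAD cipher.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed values for the demo: a real deployment takes the key from a key manager
# (never from source code) and the timeout from the organization's policy.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
IDLE_TIMEOUT_SECONDS = 15 * 60


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the record: the 'authenticate ePHI' safeguard."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so a wrong tag cannot be probed byte by byte."""
    return hmac.compare_digest(seal(record, key), tag)


@dataclass
class Session:
    user: str
    last_activity: float
    active: bool = True


class EphiStore:
    """Toy store: sealed records, every access attempt audited, idle sessions logged off."""

    def __init__(self, acl: dict, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.acl = acl                  # user -> set of patient ids that user may access
        self.idle_timeout = idle_timeout
        self.records = {}               # patient_id -> (record, tag)
        self.audit_log = []             # one entry per attempt, allowed or denied

    def _audit(self, session, action, patient_id, outcome, now):
        self.audit_log.append({"ts": now, "user": session.user, "action": action,
                               "patient": patient_id, "outcome": outcome})
        return outcome

    def _check_session(self, session, now):
        """Automatic log-off: an idle session is closed before the request is served."""
        if session.active and now - session.last_activity > self.idle_timeout:
            session.active = False
        if session.active:
            session.last_activity = now
        return session.active

    def write(self, session, patient_id, record, now):
        if not self._check_session(session, now):
            return self._audit(session, "write", patient_id, "denied:logged-off", now)
        if patient_id not in self.acl.get(session.user, set()):
            return self._audit(session, "write", patient_id, "denied:unauthorized", now)
        self.records[patient_id] = (dict(record), seal(record))
        return self._audit(session, "write", patient_id, "ok", now)

    def read(self, session, patient_id, now):
        """Returns (outcome, record); record is None unless every check passed."""
        if not self._check_session(session, now):
            return self._audit(session, "read", patient_id, "denied:logged-off", now), None
        if patient_id not in self.acl.get(session.user, set()):
            return self._audit(session, "read", patient_id, "denied:unauthorized", now), None
        stored = self.records.get(patient_id)
        if stored is None:
            return self._audit(session, "read", patient_id, "not-found", now), None
        record, tag = stored
        if not verify(record, tag):
            # The record changed outside the sealed write path: treat it as tampering.
            return self._audit(session, "read", patient_id, "denied:integrity-failure", now), None
        return self._audit(session, "read", patient_id, "ok", now), dict(record)


def demo():
    """Exercise the safeguards on constructed data and return the audit outcomes in order."""
    store = EphiStore(acl={"dr_lee": {"P-001"}, "intern": set()})
    t0 = 1_700_000_000.0                                # constructed timestamp
    lee = Session(user="dr_lee", last_activity=t0)
    intern = Session(user="intern", last_activity=t0)
    store.write(lee, "P-001", {"name": "Jane Doe", "dx": "I10"}, now=t0)
    store.read(intern, "P-001", now=t0 + 1)             # access control denies
    store.records["P-001"][0]["dx"] = "Z00.00"          # simulate tampering on disk
    store.read(lee, "P-001", now=t0 + 2)                # integrity check denies
    store.read(lee, "P-001", now=t0 + 2 + 16 * 60)      # idle > 15 min: auto log-off
    return [entry["outcome"] for entry in store.audit_log]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit log is the artefact an auditor would ask for: it records the denied attempts (wrong user, tampered record, expired session) as well as the successful write, which is exactly what the "activity logs and audit controls" item calls for. Keying the tag with a secret rather than using a plain hash matters because an attacker who can rewrite the record can also rewrite an unkeyed hash.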

Physical Safeguards

Physical safeguards focus on keeping your data safe regardless of where it is stored. For example, if your data is stored in the cloud, you still need to make sure that only authorized personnel can access it. There are specific guidelines for protecting your data in every location:

  • Put facility access controls in place. Follow physical security procedures to ensure the safety of ePHI: restrict access to those who need it and take precautions against unauthorized physical access, tampering, or theft.

  • Define policies for the use and positioning of workstations. Policies must be defined and enforced to restrict the use of workstations that have access to PHI. They should define the protections surrounding each workstation and how work is handled on it.

  • Define policies for mobile devices. If users can access ePHI on their mobile devices, you must create policies for removing ePHI when a user leaves the company or when a device is reused, sold, or otherwise disposed of.

  • Keep an inventory of hardware. To ensure that all equipment is safeguarded, an inventory must be maintained, and a retrievable copy of the ePHI must be taken before any equipment is moved, reused, or disposed of.

Administrative Safeguards

The administrative safeguards consist of the policies and procedures that bring the Privacy and Security Rules together. They are pivotal to any HIPAA compliance checklist and require the appointment of both a Security Officer and a Privacy Officer to protect ePHI; these officers are also responsible for governing the conduct of the workforce.

The OCR pilot audits identified risk assessments as a main area of non-compliance. Later audit phases therefore check that an organization has carried out a risk assessment and that it is thorough and ongoing.

Remember, a HIPAA-compliant risk assessment is not just a one-time requirement but a regular task that is done to ensure continued compliance.

  • Conduct risk assessments. The Security Officer's main tasks include compiling a risk assessment that identifies every area in which ePHI is used and determines how it could be breached.

  • Have a risk management policy in place. The risk assessment must be performed at regular intervals, with measures introduced to reduce the identified risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be in place.

  • Educate employees about security. All staff are responsible for being aware of the policies and procedures around security threats and how to handle them; introducing a training schedule is one step towards achieving this.

  • Create a contingency plan. Whenever an emergency occurs, your organization needs a contingency plan that ensures continued operations while protecting patient data.

  • Test the contingency plan. The contingency plan should be tested periodically to ensure it still addresses the needs of the business. Procedures for restoring lost data in an emergency must also be in place.

  • Restrict third-party access. To maintain HIPAA compliance, you must ensure that your ePHI is not accessed by unauthorized parties. This means putting the necessary measures in place, such as signing appropriate business associate agreements with business partners who will have access to the ePHI.

  • Report security incidents. Incident reporting differs from the Breach Notification Rule below in that an incident can be contained before it escalates into a breach.

HIPAA Breach Notification Rule


The HIPAA Breach Notification Rule requires covered entities to notify certain parties when there has been an unauthorized breach of PHI. It requires:

  • Individual notice: the covered entity (CE) must notify the individuals affected by a PHI breach.

  • Media notice: if a breach has affected more than 500 residents of a state or jurisdiction, the responsible covered entity must inform the media outlets serving that state or jurisdiction.

  • Notice to the Secretary: the covered entity must inform the Secretary of HHS when it discovers a PHI breach.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule covers any breach of PHI, the penalties that could be imposed on covered entities, and the procedures for hearings.

Although penalties are not part of a HIPAA compliance checklist, covered entities should definitely be aware of them.

  • If the violation is a result of ignorance, a fine of $100 – $50,000 may be imposed by the

  • A violation that has occurred in spite of reasonable vigilance can attract a penalty of $1,000 – $50,000.

  • The fee is between $10,000 – $50,000 for any violation that is corrected within the first thirty days.

  • A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.

Fines are set based on the number of records exposed in a breach, the level of negligence involved, and the risk posed by the exposure. If penalties are not paid, the penalty can rise to $1,500,000 per year per violation. In extreme cases of willful neglect, criminal charges can also follow.

Victims can also file civil lawsuits for damages. The organizations that are most commonly subjected to enforcement action are private medical practices, hospitals, clinics, rehabilitation centers, insurance groups, and pharmacies.

The most common HIPAA violations in health care and human services are:

  • Misuse and unauthorized disclosure of PHI

  • No protection for patient records

  • Patients unable to access their own records

  • Using or disclosing PHI to third parties more than necessary

  • No administrative or technical safeguards for ePHI

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is a more complete and up-to-date set of regulations that includes modifications to definitions, details on security and privacy policies, and an expanded set of regulations on Business Associates and their subcontractors.

The HIPAA Omnibus Rule includes:

  • A tiered civil money penalty structure as required by HITECH

  • Changes by HHS to the harm thresholds that determine when a breach of unsecured PHI must be reported under the HITECH Act; HHS has also finalized its proposal on notification requirements for breaches.

  • Provisions from the Genetic Information Nondiscrimination Act, which protects the privacy of individuals with regard to DNA results and testing, incorporated into HIPAA.

  • A prohibition on using PHI and personal identifiers for marketing purposes.

HIPAA Omnibus Rule requirements include the following:

  • New Business Associate Agreements: Before taking the services of a Business Associate, all entities must sign a new HIPAA-compliant

  • Business Associate Agreement Updates: Compliance with the Omnibus Rule is paramount and necessitates the update of the existing BAA.

  • Privacy policy updates: Privacy policies must be updated to comply with the Omnibus Rule changes.

  • Updated notices of privacy practices: NPPs must be updated to cover information required by the Omnibus Rule.

  • Updated HIPAA training for Staff: Training should be provided and documented for staff on the Omnibus Rule amendments and definition changes.

The OCR began performing HIPAA compliance audits more rigorously in 2016. Businesses take audits seriously, as they do not want to end up in a situation where their credibility is compromised.

Before 2016, audits were performed only when complaints were raised or there was a problem at a specific CE or BA. In 2016 the OCR strengthened its review by launching the second phase of audits, so it is highly important to keep your procedures and the related documents up-to-date with HIPAA.
