If you’re building a healthcare compliance program, this resource will help you preserve patients’ privacy, safeguard the security of their medical information, and build a defensible HIPAA compliance posture.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates that receive, store, transmit, or process protected health information (PHI) to keep that information private (the Privacy Rule) and secure (the Security Rule, which applies to PHI in electronic form).
HIPAA Compliance Checklist
Achieving HIPAA compliance is not one-size-fits-all. The requirements that apply depend on how your business handles PHI.
Some questions to keep in mind while evaluating which requirements apply to your business are the following:
- Do you handle PHI inside your own environment and systems, or is it handled for you by outside parties?
- What types of PHI do you handle, and in what volume?
- Do you share PHI with, or transmit it to, other businesses?
HIPAA classifies organizations into two types based on how they handle PHI:
- Covered Entities
- Business Associates
Your business is considered a Covered Entity if it is a healthcare provider that transmits health information electronically in connection with HIPAA standard transactions, a health plan, or a healthcare clearinghouse. This includes hospitals, doctors, clinics, and health insurance companies.
Your business is considered a Business Associate if you are a vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes accountants, billing companies, cloud storage providers, web hosts, and lawyers.
Step 1: Create a dedicated project team
It’s critical to form a HIPAA compliance team that can own and manage the process internally. The team sets priorities across the organization and drives implementation of the compliance program.
Include stakeholders from across the organization, not just IT and legal, because PHI flows through many functions (clinical operations, billing, HR, customer support). A comprehensive team with buy-in from all levels of the organization is what makes the program stick.
Step 2: Perform a HIPAA Risk Assessment
The goal of your HIPAA risk assessment is to identify and prioritize risks to the privacy and security of PHI based on their impact and likelihood. To do so, your team must understand how PHI flows through your organization: where it is collected, where it is stored and processed, how it is transmitted, and how it is disposed of. An inventory of every system, vendor, and device that touches PHI is the foundation of the assessment.
Performing the risk assessment (the Security Rule calls it a risk analysis, at 45 CFR 164.308(a)(1)(ii)(A)) is required for all HIPAA-regulated businesses, whether you are a Covered Entity or a Business Associate, and it must be repeated when your environment changes materially.
Step 3: Build a Compliance Plan
Based on your prioritized risks, develop a plan to implement the HIPAA Security Rule’s requirements for administrative, physical, and technical safeguards.
Administrative safeguards include having a risk management process in place, assigning a security official, training the workforce on a periodic basis, applying sanctions for violations, planning for incident response, and maintaining a contingency (backup and disaster recovery) plan.
Physical safeguards refer to controls on physical access to facilities like server rooms or labs, and on workstations and devices such as endpoints and removable media, including secure disposal of media that held PHI.
Technical safeguards are the hardware- and software-based controls that protect electronic PHI: access control (unique user IDs, emergency access, automatic logoff), audit controls that record and allow review of activity in systems holding PHI, integrity controls, person or entity authentication, and transmission security. Firewalls, strong authentication, and encryption of PHI at rest and in transit are the usual ways these standards are met; encryption is an addressable specification, meaning you must implement it or document why an equivalent alternative is reasonable and appropriate.
Step 4: Provide Business Associate Agreements to Relevant Vendors
Now that you’re implementing your HIPAA compliance plan, identify every vendor you are, or will be, sharing PHI with. Those vendors are Business Associates, and each must sign a business associate agreement (BAA) before you share PHI with them; any subcontractors they pass PHI to must in turn sign a BAA with them.
Business associate agreements are how you bind your vendors to HIPAA’s rules for handling PHI, including breach notification obligations back to you. After they have been signed, re-evaluate your vendors’ risks on a periodic basis via third-party risk assessments so your team can manage vendor risk on an ongoing basis.
Step 5: Continuously Implement Your Compliance Plan
Ensuring the privacy and security of patients’ medical data demands ongoing dedication to compliance. Achieving HIPAA compliance is merely a snapshot of how PHI was managed at a specific moment. Subsequent events can compromise PHI: a lost laptop, a breach, a new vendor or system, or an inadvertent disclosure of PHI to unauthorized personnel. Each of these should trigger a review of your risk assessment and, where required, breach notification.
Therefore, as your team builds a HIPAA compliance program, treat it as a dynamic process. Compliance with HIPAA is not a one-time accomplishment but an ongoing journey. Reach out to our team to see how we can help make it a smoother ride!