Healthcare facilities gather and manage volumes of critical patient information that, if lost or stolen, could result in patient identity theft and delayed care. In 1996, the Health Insurance Portability and Accountability Act, or HIPAA, prompted lawmakers to build a set of privacy laws governing the management and security of patient information.
Using this HIPAA security rule checklist, you can see how these standards apply to your organization and take steps to obtain compliance.
What is the HIPAA Privacy Rule?
The Department of Health and Human Services issued a set of orders that standardized privacy law for all individuals and organizations that would manage patient health data. These accountable organizations are known as covered entities and are liable for all mandates expressed in the Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule.
“A major goal of the Privacy Rule is to assure that individuals’ health information is
properly protected while allowing the flow of health information needed to provide
and promote high quality health care and to protect the public’s health and well being.” – United States Department of Health and Human Services
These privacy standards arrived as medical professionals started to digitize medical records. Taking advantage of digital documentation allows all healthcare-related organizations to better serve patients, since managing digital records is far more efficient than managing hard copies of medical records.
To Whom Does the HIPAA Privacy Rule Apply?
The HIPAA Privacy Rule applies to what are referred to as covered entities. These agencies assist in the administration of healthcare services, to include treatments, insurance payments, and more.
What are Covered Entities?
A covered entity includes private medical practices, hospitals, and any auxiliary organization that must access protected health information to operate. Often, there are several healthcare-related agencies working together to assist a patient in receiving the medical care that they require.
The Privacy Rule identifies a covered entity as one of the following:
- Health Plans
- Insurance providers
- Medicare/Medicaid insurers or supplemental insurers
- Employer-sponsored plans
- Government-sponsored plans
- Church-sponsored plans
- Coop plans
- Healthcare Providers
- Healthcare Clearinghouses
The Privacy Rule also applies to non-covered entities that serve as third-party vendors or business associates to a covered entity.
What is Protected Health Information (PHI)?
Protected Health Information, or PHI, is the formal term for “individually identifiable health information.” Covered entities manage PHI in accordance with their duties and are under scrutiny to protect patient identities and privacy by abiding by all HIPAA compliance standards pertaining to lawful use of PHI.
What are HIPAA Authorizations?
In the event that a covered entity needs to share PHI with another individual or agency, but that individual or agency is not otherwise permitted access to a patient’s PHI under HIPAA Privacy law, covered entities may seek a patient authorization.
HIPAA authorizations must be signed by the patient and lay out clearly who the authorization is for, the purpose of the authorization, and when the authorization expires. The covered entity should also define any contingencies or parameters laid out by the patient to meet the authorization’s purpose.
An example of a HIPAA authorization could be a mental health patient that agrees to share his/her therapy notes in a full psychological evaluation. This is a common scenario for veterans providing medical evidence during a PTSD disability claim. Even though filing a disability claim involves due process and legal discovery, investigators may not access those medical records without a signed patient authorization.
HIPAA Protected Health Information Uses and Disclosures
What is a Notice of Privacy Practices (NPP)?
All covered entities must disclose a notice of privacy practices, or NPP, that outlines the patient’s rights according to HIPAA privacy law and PHI. The NPP should also explain how a patient may file a complaint against a covered entity that they feel violated their rights under HIPAA privacy law.
NPPs are items commonly found in registration paperwork when a patient sees a medical professional for the first time. The documentation explains how a covered entity may use the patient’s PHI within the bounds of HIPAA compliance.
Your HIPAA Security Checklist:
A HIPAA security checklist can help you identify where your business operations fail to meet HIPAA privacy requirements. You can use the checklist below to perform an internal audit. Or you can use the checklist as a way to gauge how seriously your organization takes HIPAA compliance.
Patient Access and Consent
- Have you established a process to help patients access their PHI? In this day and age, many covered entities make sure that patients can access their PHI safely online, even if another covered entity maintains the PHI database. Regardless, your organization should have clear policies and procedures to help patients view their PHI.
- Do you have a process for accepting and fulfilling PHI copy requests from patients? When a patient requests copies of their PHI, HIPAA compliance dictates that you give the patient a copy in the requested format (hard copy or digital) within 30 days of their request.
- If your firm decides to charge patients a fee for copies of their PHI, do you make those fees accessible? HIPAA compliance requires covered entities to fulfill PHI copy requests to patients at a reasonable cost. Prohibitive costs do not properly reflect the amount of labor and expenses required to fulfill PHI requests. Agencies that charge too much may be doing so intentionally to keep from having to be HIPAA compliant.
- Are your authorizations specific, to include uses, recipients, disclosures, and expiration dates? Vague HIPAA authorizations do not protect your organization or the patient. All critical details of the authorization should be clearly spelled out according to the patient’s expectations.
- Do your authorizations use “plain English,” as opposed to medical jargon and elusive clinical terms that the patient will not understand? If it appears that the patient had no clue of what they were signing because of convoluted words and phrases, your authorization could be in violation of HIPAA privacy law. It’s critical that your authorizations use language that is understandable to the average patient.
- Do you secure the patient’s signature and date on every authorization? HIPAA authorizations are invalid unless they have the patient’s signature, as well as the date on which it was signed.
- Do you store your HIPAA authorizations in a secure location and properly dispose of them once they are no longer needed? Losing a HIPAA authorization could open your organization up to legal action from the patient. It’s critical that you properly store and share authorizations in accordance with HIPAA privacy law.
Notice of Privacy Practices (NPP)
- Do you have an NPP included in your new patient paperwork? To be HIPAA compliant, you should onboard every new patient or client with an NPP so that those individuals understand their PHI rights from the start of your services.
- Do you have your patients or clients confirm that you informed them of their rights according to HIPAA privacy law? Having your patients or clients confirm in writing and with a signature that they have read and understood your NPP protects you as a covered entity.
- Do you prominently display your NPP on the premises and/or clearly on your website? Demonstrating that you publicize your NPP for all to see further protects you against patients claiming that you did not inform them of their rights under HIPAA privacy law.
- Do you have policies and procedures in place to manage patients with concerns that you’re not complying with your NPP? It is possible that some patients may accuse you of not advising them of their rights per HIPAA privacy law. More importantly, a patient or client may fall through the cracks. Either way, you should have a clear process on how to manage those complaints and rectify them immediately.
- Do your day-to-day operations align with your NPP and HIPAA Privacy Law? You should perform routine audits of your business operations to ensure that you’re not merely paying lip service to HIPAA privacy law.
Employees and Business Associates
- Do all of your staff members understand HIPAA privacy law, as well as workplace policies and procedures relevant to PHI? Much of your HIPAA compliance pertains to consistent adherence by your staff. As a covered entity, it is your responsibility to ensure that every employee understands HIPAA privacy law and how they must manage PHI in their current role.
- Have you trained your employees and collected proof (such as signed documentation) that they received the proper HIPAA compliance training? Similar to how you have patients sign and confirm that they had read and understood your NPP, you should include attestation documentation at the conclusion of HIPAA compliance training for your staff.
- Do you have a process in place for employees to report HIPAA non-compliance without fear of reprisal? Ideally, you should create a way for employees to report non-compliance anonymously. This approach ensures that managers and lower-level employees alike are held accountable in accordance with HIPAA privacy law.
- Do you collect confidentiality agreements from your employees and independent contractors? Employees and independent contractors of covered entities are known as non-business associates. Since it is likely that these people will come into contact with or manage PHI as part of their job description, it’s important that you collect confidentiality agreements from each of them.
- Do you choose your business associates carefully, to include carrying out due diligence on that organization’s privacy policies and procedures? You could be held liable if one of your vendors mismanages PHI that your business maintains. Part of being HIPAA-compliant is ensuring that you only work with vendors that also understand HIPAA privacy law.
- Do you maintain a list of all your business associates and third-party vendors? If your organization manages PHI, it’s very likely that most or all of your business associates and third-party vendors may come into contact with that PHI. It’s critical that you maintain an up-to-date record of all external parties with whom you do business.
- Have you established the proper contracts (business associate agreements) with your business associates and third-party vendors that contain HIPAA-compliant directives on all matters pertaining to PHI? You should disclose to your business associates that managing PHI is part of your business operations. This informs your vendors that they must maintain HIPAA compliance, especially if their services also involve the use of PHI.
- Do you reexamine your business associate agreements every year, to include updating your list of business associates? The nature of your relationship with third-party vendors and business associates can change year-over-year as you and the other party scale your respective operations. As such, you may need to update portions of your business associate agreements to remain HIPAA-compliant.
- Do you have an up-to-date network diagram? Network diagrams show you all possible attack vectors from which hackers and malware might enter and try to steal or destroy PHI.
- Do you have basic cybersecurity protocols in place? Due to the sensitivity of PHI, it is critical that you maintain all the necessary firewalls, malware protection, and monitoring to keep your and your patient’s information secure.
- Do you have a plan to respond to an incident or breach? The initial moments after a security breach are often the most critical. Having a plan in place to quarantine the incident, diagnose the root cause, patch the intrusion, and report any damage will protect PHI under your organization’s care. Also, it will help your cybersecurity team update its tools, policies, and procedures to deal with similar intrusions more efficiently.
- Has your staff received training on phishing attacks and how to prevent them? Sometimes the biggest threat to your organization is an employee clicking on an unknown link and releasing malware onto the company network. Making sure that your employees know how to safely deal with phishing attacks can drastically reduce your cyber risk.
Key Takeaways: HIPAA Security Rule Compliance Checklist
Using the checklist above, you can take initial steps to become HIPAA-compliant in accordance with privacy laws pertaining to PHI. Failing to comply with HIPAA Privacy Law can result in financial penalties and patient lawsuits.
RSI Security is an agency dedicated to assisting covered entities in their quest to acquire and maintain HIPAA security compliance. Our team of cybersecurity specialists can help you create a personalized HIPAA security rule compliance checklist and establish the necessary safeguards to protect your PHI against negligence or abuse.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.