The Ultimate HIPAA Compliance Checklist for 2022
Understanding HIPAA and the steps necessary for compliance is no easy task. What does the process look like in action?
To help combat confusion and gauge exactly where your organization stands in its compliance readiness, we’ve created an interactive HIPAA compliance checklist.
We get right to the heart of HIPAA compliance and outline the essential action items you need to accomplish to properly protect patient data.
What is HIPAA compliance?
HIPAA compliance is the process of securing and protecting sensitive patient data, known as protected health information, or PHI.
Being compliant with HIPAA is an ongoing process that includes putting strong safeguards in place for data protection, staff training, risk assessments, reporting, and more.
HIPAA compliance requirements include five main components:
- Privacy: regulates the use and disclosure of patient information
- Security: physical, technical, and administrative security measures
- Enforcement: provides instruction for regulating liability and imposing penalties for violations
- Breach Notification: guidelines for how and when to report violations
- Omnibus: outlines how business associates should handle PHI
Below we break down the two types of businesses that must obtain HIPAA compliance.
What is a covered entity?
A covered entity is an organization legally required to comply with HIPAA rules.
Examples of a covered entity include:
- Health care providers
- Health insurance companies
What is a business associate?
A business associate provides services to a covered entity and has access to PHI.
Examples of business associates include:
- Data storage firms
- Billing companies
- Cloud service providers
- CPA firms
HIPAA compliance checklist for 2022
We’ve created this interactive checklist to help you gauge your company’s HIPAA compliance readiness.
HIPAA Compliance Checklist
Policies and Procedures
Reporting and Investigations
HIPAA compliance in 6 steps
For a more in-depth look at the steps to achieving HIPAA compliance, check out the breakdown below.
Step 1: Develop security management policies and standards
First, appoint a privacy official to spearhead the HIPAA compliance process. This person should also manage the policies and procedures specified within the Privacy Rule and Security Rule.
Documentation is another key aspect of HIPAA compliance. Your business should have records of each policy and procedure put in place to protect PHI.
Step 2: Implement the necessary safeguards to comply with the Security Rule
The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI.
We break down what each of those safeguards means below:
Administrative safeguards help guide employees on how to properly use and store PHI.
These safeguards are in place to:
- Train workforce members about PHI protections
- Resolve security incidents that may be a threat to PHI
- Protect PHI during emergency situations
Physical safeguards protect the physical points of access to PHI. Physical safeguards set the stage for how employees should manage their workstation and mobile devices to keep sensitive information secure.
Common physical safeguards include limits to facility access via surveillance cameras or ID badges and outlining proper and improper use of technology.
Technical safeguards protect against unauthorized access or alteration to PHI that’s stored electronically, such as in an application or system.
Examples of common technical safeguards are antivirus software and data encryption.
Step 3: Perform HIPAA risk assessments
You’ll also need to perform a HIPAA risk assessment. This is an essential requirement for HIPAA compliance and helps you identify weaknesses and vulnerabilities to prevent data breaches.
These assessments also test to make sure administrative, technical, and physical safeguards are properly implemented and cover all the necessary controls.
Step 4: Train employees on HIPAA procedures
Anyone who handles PHI is required to complete HIPAA compliance training.
This training helps employees understand exactly what constitutes compliant and non-compliant behavior when it comes to PHI.
While the Department of Health and Human Services (HHS) doesn’t specify how often training should be given, they do state that refresher training should be offered to all employees periodically. This can be done annually or more often depending on your organization’s size and resources.
It’s also important to share the consequences of violating HIPAA with your employees. Additionally, be sure to share your organization’s process for reporting violations should one occur.
Step 5: Investigate violations and learn from these instances
If a breach should occur, your organization should do its due diligence to discover exactly why it happened.
This is also an opportunity to implement tighter controls or update procedures so that type of incident won’t happen again.
Step 6: Continually monitor and update compliance policies as your organization matures
Continuously monitoring your compliance policies will help you more proactively protect data and can help you avoid costly HIPAA violations.
You can look for solutions that help you monitor ongoing HIPAA compliance by tracking whether employees and business associates have received training and monitoring your safeguards to alert you of any nonconformities.
If you’d rather track your HIPAA compliance the old-fashioned way, download our HIPAA compliance checklist PDF below.
HIPAA checklist FAQ
HIPAA compliance can be a complicated process to navigate. We’ve answered some of the most common questions related to HIPAA below.
What is the Minimum Necessary Standard?
The Minimum Necessary Standard, which falls under the Privacy Rule, requires covered entities to make reasonable efforts to limit PHI access to the minimum amount necessary to complete a task.
Here are a few ways you can adhere to this standard:
- Determining exactly what roles need access to PHI and documenting that information
- Setting up role-based permissions that limit access to certain types of PHI
- Conducting periodic audits of permissions to ensure PHI access is only granted to the necessary individuals
What are the HIPAA Data Retention Requirements?
The HIPAA Privacy Rule does not include medical record retention requirements. Instead, each state has its own set of guidelines for storing and retaining medical records that covered entities and business associates must follow.
However, there is a requirement for how long HIPAA-related documentation is stored.
Documentation related to compliance policies and procedures must be kept for a minimum of six years from the date of its creation or the date when it last was in effect, whichever is later.
Examples of HIPAA-related documentation include:
- Risk assessments
- Disaster recovery and contingency plans
- Business associate agreements
- Information security and privacy policies
- Incident and breach notification documentation
Is employee training required under HIPAA?
Yes, HIPAA training is mandatory for any covered entity and business associate that interacts with PHI.
HIPAA compliance resources
Here’s a list of resources to reference during your HIPAA compliance journey:
How Secureframe can simplify HIPAA compliance
If you noticed more unchecked boxes than check marks after completing the HIPAA compliance checklist above, don’t stress.
HIPAA compliance can be complicated, but organizations like Secureframe can help alleviate stress and streamline the process.
We can help you create HIPAA privacy and security policies, train employees on how to protect PHI, manage vendors and business associates, and monitor your PHI safeguards.
Request a demo to learn more about how you can automate your HIPAA compliance today.