The Ultimate HIPAA Compliance Checklist for 2022

The Ultimate HIPAA Compliance Checklist for 2022

  • March 08, 2022

Understanding HIPAA and the steps necessary for compliance is no easy task. What does the process look like in action? 

To help combat confusion and gauge exactly where your organization stands in its compliance readiness, we’ve created an interactive HIPAA compliance checklist. 

We get right to the heart of HIPAA compliance and outline the essential action items you need to accomplish to properly protect patient data. 

What is HIPAA compliance?

HIPAA compliance is the process of securing and protecting sensitive patient data, known as protected health information, or PHI. 

Being compliant with HIPAA is an ongoing process that includes putting strong safeguards in place for data protection, staff training, risk assessments, reporting, and more. 

HIPAA compliance requirements include five main components:

  • Privacy: regulates the use and disclosure of patient information
  • Security: physical, technical, and administrative security measures
  • Enforcement: provides instruction for regulating liability and imposing penalties for violations
  • Breach Notification: guidelines for how and when to report violations 
  • Omnibus: outlines how business associates should handle PHI

Below we break down the two types of businesses that must obtain HIPAA compliance. 

What is a covered entity?

A covered entity is an organization legally required to comply with HIPAA rules. 

Examples of a covered entity include:

  • Hospitals
  • Clinics
  • Pharmacies
  • Doctors
  • Dentists
  • Psychologists
  • Psychiatrists
  • Chiropractors
  • Health care providers
  • Health insurance companies

What is a business associate?

A business associate provides services to a covered entity and has access to PHI. 

Examples of business associates include:

  • Data storage firms
  • Billing companies
  • Cloud service providers
  • Attorneys
  • CPA firms

HIPAA compliance checklist for 2022

We’ve created this interactive checklist to help you gauge your company’s HIPAA compliance readiness.

HIPAA Compliance Checklist

Audits

Yes
No

People

Yes
No

Policies and Procedures

Yes
No

Remediations

Yes
No

Reporting and Investigations

Yes
No

HIPAA compliance in 6 steps

For a more in-depth look at the steps to achieving HIPAA compliance, check out the breakdown below.

Step 1: Develop security management policies and standards

First, appoint a privacy official to spearhead the HIPAA compliance process. This person should also manage the policies and procedures specified within the Privacy Rule and Security Rule. 

Documentation is another key aspect of HIPAA compliance. Your business should have records of each policy and procedure put in place to protect PHI.

Step 2: Implement the necessary safeguards to comply with the Security Rule 

The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI. 

We break down what each of those safeguards means below:

Administrative safeguards

Administrative safeguards help guide employees on how to properly use and store PHI. 

These safeguards are in place to:

  • Train workforce members about PHI protections
  • Resolve security incidents that may be a threat to PHI
  • Protect PHI during emergency situations

Physical safeguards

Physical safeguards protect the physical points of access to PHI. Physical safeguards set the stage for how employees should manage their workstation and mobile devices to keep sensitive information secure. 

Common physical safeguards include limits to facility access via surveillance cameras or ID badges and outlining proper and improper use of technology.

Technical safeguards

Technical safeguards protect against unauthorized access or alteration to PHI that’s stored electronically, such as in an application or system. 

Examples of common technical safeguards are antivirus software and data encryption. 

Image depicting the three types of HIPAA safeguards: administrative, physical, and technical, with examples of each.

Step 3: Perform HIPAA risk assessments

You’ll also need to perform a HIPAA risk assessment. This is an essential requirement for HIPAA compliance and helps you identify weaknesses and vulnerabilities to prevent data breaches. 

These assessments also test to make sure administrative, technical, and physical safeguards are properly implemented and cover all the necessary controls.

Step 4: Train employees on HIPAA procedures

Anyone who handles PHI is required to complete HIPAA compliance training

This training helps employees understand exactly what constitutes compliant and non-compliant behavior when it comes to PHI. 

While the Department of Health and Human Services (HHS) doesn’t specify how often training should be given, they do state that refresher training should be offered to all employees periodically. This can be done annually or more often depending on your organization’s size and resources.

It’s also important to share the consequences of violating HIPAA with your employees. Additionally, be sure to share your organization’s process for reporting violations should one occur. 

Step 5: Investigate violations and learn from these instances

If a breach should occur, your organization should do its due diligence to discover exactly why it happened. 

This is also an opportunity to implement tighter controls or update procedures so that type of incident won’t happen again. 

Step 6: Continually monitor and update compliance policies as your organization matures

Continuously monitoring your compliance policies will help you more proactively protect data and can help you avoid costly HIPAA violations.

You can look for solutions that help you monitor ongoing HIPAA compliance by tracking whether employees and business associates have received training and monitoring your safeguards to alert you of any nonconformities. 

If you’d rather track your HIPAA compliance the old-fashioned way, download our HIPAA compliance checklist PDF below. 

Light blue button with text reading: Download our HIPAA compliance checklist PDF.

HIPAA checklist FAQ

HIPAA compliance can be a complicated process to navigate. We’ve answered some of the most common questions related to HIPAA below.

What is the Minimum Necessary Standard?

The Minimum Necessary Standard, which falls under the Privacy Rule, requires covered entities to make reasonable efforts to limit PHI access to the minimum amount necessary to complete a task. 

Here are a few ways you can adhere to this standard:

  • Determining exactly what roles need access to PHI and documenting that information 
  • Setting up role-based permissions that limit access to certain types of PHI 
  • Conducting periodic audits of permissions to ensure PHI access is only granted to the necessary individuals

What are the HIPAA Data Retention Requirements?

The HIPAA Privacy Rule does not include medical record retention requirements. Instead, each state has its own set of guidelines for storing and retaining medical records that covered entities and business associates must follow. 

However, there is a requirement for how long HIPAA-related documentation is stored. 

Documentation related to compliance policies and procedures must be kept for a minimum of six years from the date of its creation or the date when it last was in effect, whichever is later.

Examples of HIPAA-related documentation include:

  • Risk assessments
  • Disaster recovery and contingency plans
  • Business associate agreements
  • Information security and privacy policies
  • Incident and breach notification documentation

Is employee training required under HIPAA?

Yes, HIPAA training is mandatory for any covered entity and business associate that interacts with PHI.

HIPAA compliance resources 

Here’s a list of resources to reference during your HIPAA compliance journey:

How Secureframe can simplify HIPAA compliance 

If you noticed more unchecked boxes than check marks after completing the HIPAA compliance checklist above, don’t stress. 

HIPAA compliance can be complicated, but organizations like Secureframe can help alleviate stress and streamline the process. 

We can help you create HIPAA privacy and security policies, train employees on how to protect PHI, manage vendors and business associates, and monitor your PHI safeguards. 

Request a demo to learn more about how you can automate your HIPAA compliance today. 

Become a security expert

Get the latest articles on startup security and compliance best practices delivered straight to your inbox.

Get a Secureframe demo
subscription-logo