HIPAA Compliance Checklist: Everything You Need to Know In 2023!
Our lives are becoming more digitalized by the minute and the healthcare industry is no exception. But when we go to hospital or visit the doctor, we have to trust that both medical and IT staff are trained to handle our private health-related information with sufficient care – in other words, to protect it against theft, tampering or other breaches. But how can we be sure our private data is kept both confidential and secure?
This is where HIPAA compliance comes into play and why fulfilling it is now more important than ever for healthcare providers – though achieving HIPAA compliance is not an easy task. The requirements of the act are kept intentionally vague and are fairly open to interpretation. With some guidance and the right tools, however, the task of becoming compliant with HIPAA won’t be quite as intimidating.
Read on to learn more about HIPAA compliance requirements and how identity access management can present a useful tool in achieving them.
What Is HIPAA Compliance?
While we have all the power to decide whether a photo we took deserves to be shared on social media or whether we want to press “send” on an email, there is highly critical, personal data we cannot govern ourselves because we don’t have total authority over it – and that is private health information. Since such data is increasingly being processed and stored electronically, sharing it has become all the easier as well. So how can we shield our private data from prying eyes and stop it from falling into the wrong hands?
The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 is an attempt to ensure that private data in the US is kept both confidential and safe. It is a framework established to enforce rules and regulations that govern the way in which confidential patient data must be handled and protected by healthcare providers and their business associates.
HIPAA compliance requirements cover topics ranging from patient privacy and security controls for protecting private information to rules for dealing with violations and breaches. Failure to comply with HIPAA can result in grave fines and a breach may even lead to criminal charges, civil action lawsuits – and, perhaps worst of all, a permanent entry in the HIPAA Wall of Shame.
You can find more information about the privacy and data protection challenges facing hospitals and how identity and access management can help you address them in our overview on IAM for healthcare providers.
What Information Is Protected Under HIPAA?
Under HIPAA, private patient data is referred to as Protected Health Information, or PHI. PHI is defined as any data concerning a person’s health, healthcare or payment for their healthcare that can be used to individually identify this person and that is created, collected, stored or transmitted by a healthcare provider, a health plan, healthcare clearinghouse, their business associates or any subcontractors.
PHI can be in any form, written down on paper or transmitted/stored electronically in a computer or on the internet – in which case it is sometimes referred to as ePHI – or even communicated orally. Regardless of whether it is referred to as PHI or ePHI, the “P” always stands for “Protected”! So keep in mind that this is the essence of HIPAA – protection of private health and healthcare related information.
Examples of PHI include:
Test results and scans
Dates (D.O.B., death records)
Phone numbers & records, email addresses
Social Security numbers
Doctors’ notes and orders
Biometric identifiers (fingerprints, voice recordings)
Other identifying characteristics or codes
Who Must Comply With HIPAA?
In order to protect patient data, HIPAA is designed to cover all entities with access to such critical information. Under the act, there are three main categories of organizations or people who are required to safeguard PHI and thus adhere to HIPAA compliance requirements:
| Category | Who falls under it | Examples |
| --- | --- | --- |
| Covered Entities | Healthcare providers, health plans and clearinghouses who store, process or transmit patient data. | Clinics, doctors, nurses, nursing homes, pharmacies, health insurance companies, HMOs, government programs that pay for healthcare (e.g. Medicaid). |
| Business Associates | Businesses or persons who work for or with covered entities but do not themselves provide healthcare, yet do have access to PHI. | Accounting firms, lawyers, IT suppliers, data analysts |
| Subcontractors | Businesses or individuals recruited by business associates who also have access to PHI. | Shredding companies, hosted services providers (e.g. Amazon Web Services) |
What Is the HITECH Act?
When HIPAA was enacted in 1996, hospitals and other covered entities used physical paper records to keep track of patient data. By 2008, the development of new, fast technologies and the internet had virtually exploded. Still, the use of electronic health records (EHRs) among covered entities was not yet very common. Only around 10% of hospitals had migrated their paper records to computers at the time.
In an attempt to accelerate the use of health information technology and electronic health records, the supplementary Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. Hopes were that it would lead to higher efficiency and make it easier for covered entities to share health-related patient data. And it worked!
In doing so, of course, HITECH also widened the scope of privacy and security protection requirements, including increased liability of covered entities and business associates for failure to meet HIPAA compliance provisions, as well as stricter enforcement and higher penalties for violations.
HIPAA Compliance Requirements: The Four Rules of HIPAA
The Healthcare Insurance Portability and Accountability Act is divided into four main categories, or rules, that make up the foundation of HIPAA compliance requirements. Basically, every covered entity as well as every business associate and subcontractor must establish and maintain technical, physical and administrative measures to guarantee the safety of PHI – and of course ensure that these measures are followed by all staff members within the organization.
HIPAA Privacy Rule
Under certain circumstances, covered entities can deny patients access to PHI or deny the requested amendments. The HIPAA Privacy Rule requires covered entities to document regulatory standards accordingly in their HIPAA policy and ensure that all staff are trained on a yearly basis with regard to these policies and regulations.
HIPAA Security Rule
The HIPAA Security Rule dictates standards for ensuring that electronic PHI, or ePHI, is protected against tampering and from being accessed by unauthorized persons. The HIPAA Security Rule defines three key areas that require the implementation of safeguards to ensure the safety of ePHI:
The HHS defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Examples of such administrative safeguards include:
Policies and procedures designed to limit access to ePHI, including systems for the detection, correction and prevention of security breaches
Incident policies for the event of a breach or violation
Contingency plans to ensure ePHI is protected in the event of an emergency or natural disaster
Regular audits and evaluations of these policies and their implementation
Employee training & documentation of training
Restricting third-party access to a necessary minimum
Technical safeguards are intended to protect the data storage and transmission systems used to handle ePHI. Examples of technical safeguards include:
Access control in the form of unique user IDs & PIN codes
Monitoring & antivirus software
Audit reports & tracking logs
Encryption & decryption tools
Automatic logoffs of PCs and devices
Suspicious activity detection and alarm systems
Regular data backups
Physical safeguards must protect access to the physical equipment used to store and handle ePHI (e.g. computers, data storage systems, routers). This means the actual physical offices and buildings where computers and other equipment are stored must also be protected against theft and unauthorized physical access, for instance through:
Policies for the use & positioning of workstations
HIPAA Breach Notification Rule
If, despite all these precautions, a breach does occur and PHI is stolen, unlawfully accessed or shared, lost or compromised in any other way, the HIPAA Breach Notification Rule mandates that the affected covered entity must inform the Secretary of Health and Human Services as well as patients within 60 days after the breach occurred. If the PHI of more than 500 patients is affected by the breach, the covered entity must inform local news media outlets and law enforcement agencies.
HIPAA Omnibus Rule
HIPAA was followed by two other acts designed to extend its reach: The Genetic Information Nondiscrimination Act (GINA) of 2008 and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. The HIPAA Omnibus Rule of 2013 integrated both GINA and HITECH with HIPAA.
The Omnibus Rule extends liability for failure to meet HIPAA compliance provisions to include business associates on top of covered entities. The rule governs, among other things, special contracts (called Business Associate Agreements) between covered entities and business associates defining what PHI may be processed, how it may be processed and by whom.
HIPAA Compliance: Seven Fundamentals
The HHS Office of Inspector General (OIG) has established the “seven fundamental elements of an effective compliance program”, which are:
Implementation of policies, procedures and standards
Appointing a compliance officer
Screening and evaluation of employees, doctors, vendors and other agents
Staff training and education on compliance matters
Internal monitoring, auditing and reporting
Establishing and enforcing disciplinary guidelines for non‐compliance
Investigations into possible detected breaches and taking remedial actions
HIPAA Compliance & Cloud Services
The migration from paper records to electronic records was one big change covered entities underwent between the enactment of HITECH in 2009 and today. Currently, we are experiencing the next wave of change, and that is the migration to the cloud (which was further accelerated by the worldwide Covid-19 crisis).
Under HIPAA, a cloud service provider such as Microsoft becomes a business associate the moment a covered entity engages its services. The same applies if a business associate recruits a cloud service provider to create, transmit or collect PHI. In that case, the cloud provider becomes a subcontractor and is therefore also subject to HIPAA compliance requirements.
Is Microsoft Office 365 HIPAA Compliant?
To answer this question, Microsoft states on its website addressing HIPAA and HITECH: “Microsoft enables customers in their compliance with HIPAA and the HITECH Act and adheres to the Security Rule requirements of HIPAA in its capacity as a business associate.” So Microsoft claims that yes, its services are in compliance with HIPAA provisions. But let’s take a closer look.
Like any business associate, Microsoft must and will enter into a Business Associate Agreement (BAA) with the covered entity engaging its services. The BAA confirms in writing that business associates have implemented appropriate physical, technical and administrative safeguards to protect PHI and thus adhere to HIPAA compliance regulations. Once the BAA has been signed by both parties, the covered entity can begin using Microsoft 365 to create, process and store ePHI.
So, does entering into a BAA with Microsoft mean that Microsoft Office 365 is HIPAA compliant? Well, sort of. As stated, Microsoft confirms that it has taken appropriate measures in its “capacity as a business associate”. But this does not necessarily mean that an organization using Microsoft 365 meets the compliance requirements. In practice, using cloud services like Microsoft Office 365 is a bit of a gray area.
Entering into a business associate agreement with Microsoft is necessary for HIPAA compliance, but even with the agreement in place, your organization might still be using Office 365 in ways that violate HIPAA requirements. So, apart from entering into a BAA, you also need to ensure that you are using these cloud services correctly, by maintaining audit logs and separate backups, enforcing limited access, using multi-factor authentication, and so on.
Preventing HIPAA Violations: How to Secure PHI
To prevent a breach, it is first crucial to understand that there is a difference between a breach and a violation. A HIPAA violation, such as a lack of safety measures, can potentially lead to a breach, but the breach itself refers to unlawful access to PHI. Specifically, HIPAA defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”
Let’s say you leave your laptop open displaying medical records and then leave your desk to go on lunch break. This is the violation. The breach happens as soon as someone who has no business accessing this information walks up to your laptop, views these records, or maybe even prints and shares them. So your violation led to the breach. Understanding what exactly qualifies as a violation is essential to the next step, which is figuring out the necessary steps to prevent HIPAA violations in your organization.
What Are Common HIPAA Violations?
As our example with the unattended laptop shows, not all security incidents or data breaches result from outside attacks. While malware, ransomware and zero-day vulnerabilities do pose a growing threat to healthcare organizations, it is equally important to prevent accidental data leaks, which can result from carelessness, a lack of employee awareness or limited internal security. Common HIPAA violations include:
Unauthorized access (snooping around)
Malware or ransomware attacks
Equipment loss or theft (laptop, phone)
Discussing PHI in public or sharing it online
Accidentally sending PHI to the wrong recipient(s)
Failure to implement adequate security controls and access controls
Failure to perform a risk analysis
Failure to encrypt PHI
Note: No measure or combination of measures will result in 100% protection against a breach. Hackers are currently specifically targeting healthcare organizations, as ePHI is one of the most valuable goods currently available. The aim is to reduce the likelihood of a breach to an acceptable level.
What Are the Consequences of a HIPAA Violation?
A violation of HIPAA compliance regulations can be very costly, with possible penalties of up to 1.5 million dollars per violation. Anyone associated with the loss of PHI may become subject to these penalties.
Penalties for violations are classified into four tiers, which address different levels of severity and differentiate between intentional and unintentional breaches.
| Tier | Circumstances | Fine |
| --- | --- | --- |
| 1 | Covered entity was unaware of the HIPAA violation and could not have prevented it. Reasonable care had been taken to adhere to compliance requirements. | $100 to $50,000 per violation; max. $25,000 per year |
| 2 | Covered entity knew or should have known about the violation, but could not have prevented it by taking reasonable care. | $1,000 to $50,000 per violation; max. $100,000 per year |
| 3 | Violation due to willful neglect of HIPAA rules; violation corrected, or an attempt to correct it made, within 30 days of discovery. | $10,000 to $50,000 per violation; max. $250,000 per year |
| 4 | Violation due to willful neglect of HIPAA rules; no attempt to correct the violation was made. | $50,000 per violation; max. $1.5 million per year |
HIPAA Wall of Shame
Another consequence of violations is that the US Department of Health & Human Services (HHS) puts all breaches affecting more than 500 individuals within one jurisdiction up on its Breach Report Portal, also referred to as the “Wall of Shame”.
The list includes cases of breaches dating back to 2009 (the year the HITECH Act was enacted) as well as cases which are currently under investigation. Entries in HIPAA’s Wall of Shame are permanent and can therefore do great, irreparable damage to a company’s reputation if it lands on the list.
How to Prevent Insider Threats
If we take a closer look at the HIPAA Wall of Shame, we can see that most compliance violations fall under the category “Hacking/IT Incident” or “Unauthorized Access/Disclosure”. Unauthorized access means someone who did not have permission to do so viewed or otherwise accessed and/or shared (electronic) protected health information.
An example on the list is an incident that occurred at a hospital in Chicago in late 2020. The hospital reported that a workforce member had “impermissibly accessed the electronic protected health information (ePHI) of 682 individuals.” The ePHI in question included names, dates of birth, addresses, medications prescribed, and additional clinical and treatment information.
The hospital notified HHS, affected individuals, the media, and state and federal regulatory agencies. Following the breach, the hospital sanctioned the workforce member and retrained its staff to prevent future incidents of this nature.
While the motivation of the employee who accessed these records is not known, it is a classic example of unauthorized access and therefore of a HIPAA compliance violation. It is also the perfect example of an insider threat: cases in which employees themselves cause data breaches and bring harm to their employer, either accidentally or intentionally.
Many organizations are now asking themselves how to stop insider threats like these. Perhaps the staff member was simply unaware they were breaking any rules by accessing these files. In this case, their employer did not provide adequate training and education on the matter of compliance. The more important question is why this person had such broad access to PHI in the first place.
Restricting access on a need-to-know basis, also known as the Least Privilege Principle, reduces both the likelihood and scope of incidents like these. Additionally, it is a safety measure that can help protect you even if an employee is acting with malicious intent.
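As an added illustration (not code from the article or from tenfold), the following Python sketch puts two of the technical safeguards listed earlier, access control on a need-to-know basis and an audit trail with suspicious-activity review, next to each other in the context of the insider-access incident just described. Every read of a patient record is checked against a documented care relationship and written to an audit log whether or not it succeeds, and a review pass over that log flags users who were denied repeatedly or who touched an unusually large number of distinct patients. User names, patient IDs, the care assignments and the thresholds are all constructed for the example.

```python
"""Need-to-know access checks plus audit-log review for ePHI (added example,
not from the original article or from tenfold). All names, patient IDs and
thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed care assignments: which patients each user is currently treating.
CARE_TEAM: Dict[str, Set[str]] = {
    "dr.alice": {"P-1001", "P-1002", "P-1003"},
    "nurse.bob": {"P-1001"},
    "clerk.carol": set(),  # billing clerk: no treatment relationship with anyone
}


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str
    allowed: bool


@dataclass
class RecordStore:
    """ePHI store that enforces need-to-know and logs every attempt, allowed or not."""
    records: Dict[str, dict]
    audit: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, patient_id: str, ts: datetime) -> Optional[dict]:
        # Minimum-necessary check: only a documented care relationship grants access.
        allowed = patient_id in CARE_TEAM.get(user, set())
        self.audit.append(AuditEvent(ts, user, patient_id, "read", allowed))
        return self.records.get(patient_id) if allowed else None


def find_suspicious_users(audit: List[AuditEvent], max_distinct_patients: int = 5,
                          max_denied: int = 3) -> Dict[str, List[str]]:
    """Review pass over the audit trail: flag users who were denied repeatedly or
    who read an unusually large number of distinct patients' records."""
    distinct: Dict[str, Set[str]] = defaultdict(set)
    denied: Dict[str, int] = defaultdict(int)
    for ev in audit:
        if ev.allowed:
            distinct[ev.user].add(ev.patient_id)
        else:
            denied[ev.user] += 1
    flagged: Dict[str, List[str]] = {}
    for user in sorted(set(distinct) | set(denied)):
        reasons = []
        if len(distinct[user]) > max_distinct_patients:
            reasons.append(f"{len(distinct[user])} distinct patients")
        if denied[user] > max_denied:
            reasons.append(f"{denied[user]} denied attempts")
        if reasons:
            flagged[user] = reasons
    return flagged


def who_touched(audit: List[AuditEvent], patient_id: str) -> List[str]:
    """Breach-investigation view: every user who successfully read one patient's record."""
    return sorted({ev.user for ev in audit if ev.patient_id == patient_id and ev.allowed})


def run_demo():
    """Constructed activity: legitimate care-team reads, then a clerk browsing records
    she has no relationship with. Returns the store and the review result."""
    store = RecordStore(records={f"P-{n}": {"name": f"patient {n}"} for n in range(1001, 1009)})
    t0 = datetime(2023, 3, 1, 9, 0)
    store.read("dr.alice", "P-1001", t0)
    store.read("nurse.bob", "P-1001", t0 + timedelta(minutes=5))
    for i, pid in enumerate(["P-1002", "P-1003", "P-1004", "P-1005", "P-1006"]):
        store.read("clerk.carol", pid, t0 + timedelta(minutes=10 + i))  # all denied, all logged
    return store, find_suspicious_users(store.audit)


if __name__ == "__main__":
    store, flagged = run_demo()
    for user, reasons in flagged.items():
        print(f"{user}: {', '.join(reasons)}")
    print("accessed P-1001:", who_touched(store.audit, "P-1001"))
```

The two thresholds are placeholders; in practice they would be set per role, since an on-call physician legitimately touches far more records than a billing clerk. The point of logging denied attempts as well as successful ones is that a string of denials is often the earliest visible sign of snooping, and `who_touched` is the first question an investigation has to answer once a breach is suspected.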
How to Prevent HIPAA Violations: Compliance Checklist
To summarize, here is a quick rundown of the steps you must take to address and maintain HIPAA compliance requirements:
Familiarize yourself with the HIPAA Privacy Rule – know whether your company falls within the spectrum of covered entities or business associates affected by HIPAA
Learn what PHI is and what types of data must be protected under HIPAA
Put strong physical and technical safeguards into action to protect PHI and ePHI as stipulated by the HIPAA Security Rule
Perform a risk assessment and risk analysis: know what types of incidents count as potential HIPAA violations and identify what points in your organization pose potential security threats.
Train and educate your staff. Make sure everyone knows how to handle PHI, who is allowed access to what data and what constitutes a violation of HIPAA compliance provisions.
Perform regular internal audits to assess the gaps in compliance with HIPAA’s Privacy and Security rules.
Document any actions you take on your quest to become compliant with HIPAA.
Keep an eye on imminent HIPAA changes – changes are expected this very year
Ensure HIPAA Compliance With tenfold
Access management, which means knowing and controlling who has access to patient data, is key to achieving HIPAA compliance on a technical level. Yet many covered entities still struggle to understand the far-reaching consequences poor access control can have – or they simply do not have the resources and time to implement a good access management strategy.
HIPAA itself enforces the “minimum necessary standard” rule, which restricts how much PHI may be used or disclosed by covered entities. This means any PHI that is not strictly necessary to “get the job done” shall not be used by a covered entity or disclosed to a business associate or subcontractor.
This is exactly where identity access management software can support healthcare organizations. An IAM solution like tenfold is the fastest and easiest way for businesses to ensure that access to PHI is restricted to only those who absolutely need it. tenfold automatically enforces the Least Privilege Principle, which is exactly what HIPAA wants you to do to safeguard critical patient data.
Efficient User Management & Full Audit Trails
With tenfold, you can control who is given access to patient information, whether on your local network or in a cloud environment such as Microsoft 365. The person responsible for the data, whether on-prem or in the cloud, is known as a data owner. This data owner has the authority to decide who may have access to PHI and who may not. Anyone who wishes to access the data within an organization must first request permission to do so from the data owner.
To keep track of who has access and ensure users do not accumulate more privileges than they need (known as privilege creep), tenfold subjects data owners to regular user access reviews. Here, they must review access rights to resources under their control and either reconfirm or withdraw them.
tenfold also logs changes made to user privileges and can deliver reports on these changes, with detailed histories of who approved access, who received access and when access was granted. And the best part is, it’s all automated, which means the likelihood of human errors with regard to access control is significantly reduced. tenfold will help your organization put the HIPAA compliance requirements into practice!
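The request, approval and review workflow described above, as an added example in Python that is not tenfold’s code and does not use its API: each resource has a data owner who alone can approve access; every grant, rejection, reconfirmation and revocation lands in a change log with the approver’s name; grants whose last review is older than the review interval are listed for the owner to reconfirm or withdraw; and a user’s grants are compared with a role baseline to surface privilege creep. Resource names, roles, users and the 90-day interval are assumptions made for the example.

```python
"""Data-owner approval, access reviews and privilege-creep detection for PHI
resources (added example, not tenfold's code or API). Resource names, roles,
users and the review interval are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed: the data owner responsible for each PHI resource, and the access
# each job role is expected to hold (the baseline used to spot privilege creep).
DATA_OWNERS: Dict[str, str] = {"ward-3-records": "dr.alice", "billing-export": "cfo.dan"}
ROLE_BASELINE: Dict[str, Set[str]] = {"nurse": {"ward-3-records"}, "billing": {"billing-export"}}

ChangeEntry = Tuple[date, str, str, str, str]  # (when, event, user, resource, actor)


@dataclass
class Grant:
    user: str
    resource: str
    approved_by: str
    granted_on: date
    last_reviewed: date


class AccessRegistry:
    """Who may access which resource, who approved it, and when it was last reviewed."""

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.changelog: List[ChangeEntry] = []

    def request_access(self, user: str, resource: str, approver: str, today: date) -> bool:
        # Only the resource's data owner can approve; anything else is refused and recorded.
        owner = DATA_OWNERS[resource]
        if approver != owner:
            self.changelog.append((today, "rejected", user, resource, approver))
            return False
        self.grants[(user, resource)] = Grant(user, resource, approver, today, today)
        self.changelog.append((today, "granted", user, resource, approver))
        return True

    def due_for_review(self, today: date, interval_days: int = 90) -> List[Tuple[str, str]]:
        """Grants the owners must reconfirm or withdraw because the last review is too old."""
        return sorted((g.user, g.resource) for g in self.grants.values()
                      if (today - g.last_reviewed).days >= interval_days)

    def review(self, owner: str, user: str, resource: str, keep: bool, today: date) -> None:
        if owner != DATA_OWNERS[resource]:
            raise PermissionError(f"{owner} is not the data owner of {resource}")
        grant = self.grants[(user, resource)]
        if keep:
            grant.last_reviewed = today
            self.changelog.append((today, "reconfirmed", user, resource, owner))
        else:
            del self.grants[(user, resource)]
            self.changelog.append((today, "revoked", user, resource, owner))

    def privilege_creep(self, user: str, role: str) -> List[str]:
        """Resources a user holds beyond what their current role is expected to need."""
        expected = ROLE_BASELINE.get(role, set())
        return sorted(r for (u, r) in self.grants if u == user and r not in expected)

    def history(self, user: str) -> List[ChangeEntry]:
        """Audit trail for one user: every grant, rejection, reconfirmation and revocation."""
        return [e for e in self.changelog if e[2] == user]


def run_demo():
    """Constructed scenario: a nurse gets ward access plus a temporary billing export,
    a request routed to the wrong approver is refused, and 120 days later the owners
    review what is due. Returns the registry, the creep found and the review list."""
    reg = AccessRegistry()
    d0 = date(2023, 1, 10)
    reg.request_access("nurse.bob", "ward-3-records", "dr.alice", d0)
    reg.request_access("nurse.bob", "billing-export", "cfo.dan", d0)
    reg.request_access("clerk.carol", "ward-3-records", "it.admin", d0)  # not the owner: rejected
    today = d0 + timedelta(days=120)
    creep = reg.privilege_creep("nurse.bob", "nurse")  # billing export is outside the nurse baseline
    due = reg.due_for_review(today)
    reg.review("cfo.dan", "nurse.bob", "billing-export", keep=False, today=today)
    reg.review("dr.alice", "nurse.bob", "ward-3-records", keep=True, today=today)
    return reg, creep, due


if __name__ == "__main__":
    reg, creep, due = run_demo()
    print("privilege creep:", creep)
    print("was due for review:", due)
    for entry in reg.history("nurse.bob"):
        print(entry)
```

Two design points carry over to any real deployment: the approval check is tied to the resource, not to the requester’s seniority, so an administrator cannot wave through access to records they do not own; and the change log is append-only and records the actor for every event, which is what an auditor needs to answer “who approved this, and when was it last confirmed”.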
What makes tenfold the leading IAM solution for mid-market organizations?