HIPAA Compliance Checklist 2022
USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA and PCI SSFA
W: www.vistainfosec.com | E: info@vistainfosec.com
US Tel: +1-415-513-5261 | UK Tel: +442081333131 | SG Tel: +65-3129-0397
IN Tel: +91 73045 57744 | Dubai Tel: +971507323723
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) is a data privacy and security regulation for the healthcare industry. It is a comprehensive regulation, and your organization must ensure that it complies with the requirements of HIPAA.
Organizations looking to achieve HIPAA Compliance must meet the requirements outlined by the regulation. Further, failure to comply with HIPAA regulations may result in substantial fines, especially in the case of a data breach. In fact, a data breach can also result in criminal charges and civil lawsuits, and organizations will also have to follow certain data breach reporting standards and protocols.
So, for organizations subject to HIPAA, it is highly recommended that they read through this informative article on the HIPAA Compliance Checklist 2022. It will help organizations implement all the necessary measures relevant to HIPAA requirements and ensure the privacy and security of Protected Health Information (PHI). Read on to learn and understand the requirements of HIPAA, and consider referring to the HIPAA Compliance checklist prior to undergoing an audit.
HIPAA Compliance Checklist
Every Covered Entity and Business Associate having access to PHI data must ensure that the relevant Technical, Administrative, and Physical safeguards are implemented to ensure the maximum safety of PHI data. So, here is a HIPAA compliance checklist: a compilation of the Security, Privacy, Breach Notification, and Omnibus Rule requirements that organizations must implement to ensure compliance.
HIPAA Security Rule
The HIPAA Security Rule highlights the need for organizations to implement safeguards to protect PHI data. The rule applies to all organizations that have access to confidential PHI data. It requires organizations to implement the technical, physical, and administrative safeguards given below to ensure the maximum level of security.
Technical Safeguard
Access Controls - Organizations must have identity and access management measures in place. Users accessing PHI data must be provided with unique user names and passwords, and there must be a process in place that governs access to data.
Authentication - The organization must identify and authenticate ePHI and protect it from unauthorized changes and accidental destruction. There must be an appropriate authentication policy and a process in place for its enforcement.
Encryption - Encrypt ePHI data when transmitting it over external networks.
Logging & Monitoring - Establish policies and procedures for logging and monitoring. Organizations must have a process that periodically reviews audit activity logs and controls. Technical safeguards are required to track and monitor access attempts and to detect and alert on failed attempts. There must also be measures in place for automatic log-off of devices not in use and for blocking an account after multiple failed logins.
Physical Safeguard
Facility Access Controls - Have in place physical safeguards that limit access to facilities holding PHI data. There must also be measures to monitor these facilities from time to time.
Workstation Use - There must be a policy and process in place that manages workstations left unattended. For instance, automatic locking of screens when not in use after 30 sec is an essential measure that must be implemented to secure the devices. There must also be a policy in place that restricts the use of workstations.
Device and Media Controls (Inventory) - Have an inventory of all the data stored on the servers and devices within the organization. Further, monitor its access, use, and movement over the network. The organization must also have a retrievable copy of ePHI before any equipment is moved.
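The Logging & Monitoring item above asks that failed access attempts be tracked and alerted on, and that an account be blocked after multiple failed logins. The script below is an added example, not code from the original checklist or from VISTA InfoSec, of the detection logic such a process needs. It runs over a constructed sample audit log in a made-up line format; the threshold of five failures within a five-minute window is an assumed policy value, not one HIPAA prescribes, and the user names and addresses are invented.

```python
"""Failed-login burst detection over an audit log (added example).

The line format is a constructed one for this example, not any product's format:
    <ISO-8601 UTC timestamp> auth user=<name> result=<OK|FAIL> src=<ip>
Lines that do not match are counted as skipped rather than silently dropped,
so a log-format change does not quietly disable the control.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample log: five failures for jdoe inside two minutes followed by a
# success, three widely spaced failures for asmith, and one malformed line.
SAMPLE_LOG = """\
2022-03-01T09:00:01Z auth user=jdoe result=FAIL src=10.0.0.5
2022-03-01T09:00:12Z auth user=jdoe result=FAIL src=10.0.0.5
2022-03-01T09:00:25Z auth user=asmith result=FAIL src=10.0.0.9
2022-03-01T09:00:40Z auth user=jdoe result=FAIL src=10.0.0.5
2022-03-01T09:01:05Z auth user=jdoe result=FAIL src=10.0.0.5
2022-03-01T09:01:30Z auth user=jdoe result=FAIL src=10.0.0.5
2022-03-01T09:02:00Z auth user=jdoe result=OK src=10.0.0.5
2022-03-01T09:20:00Z auth user=asmith result=FAIL src=10.0.0.9
2022-03-01T09:45:00Z auth user=asmith result=FAIL src=10.0.0.9
this line is not in the expected format
"""


def parse_line(line):
    """Return (timestamp, user, result, src) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["result"], m["src"]


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan the log once and return (alerts, skipped_line_count).

    A 'lockout' alert is raised the moment a user reaches `threshold` failures
    within a sliding `window` (assumed policy values). A later successful login
    for a user already flagged is reported as 'success_after_burst', because the
    account block should have prevented it; that is the alert to triage first.
    """
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside window
    flagged = set()                        # users for whom a lockout alert fired
    alerts, skipped = [], 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            skipped += 1
            continue
        ts, user, result, src = parsed
        if result == "FAIL":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"kind": "lockout", "user": user, "src": src,
                               "at": ts, "failures": len(q)})
        else:  # a successful login resets the failure counter for that user
            if user in flagged:
                alerts.append({"kind": "success_after_burst", "user": user,
                               "src": src, "at": ts})
                flagged.discard(user)
            recent_failures[user].clear()
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_failed_login_bursts(SAMPLE_LOG)
    for a in found:
        print(f"{a['at'].isoformat()} {a['kind']:<20} user={a['user']} src={a['src']}")
    print(f"skipped {bad} unparseable line(s)")
```

The sliding window matters: asmith's three failures spread over 45 minutes never trigger, while jdoe's five inside two minutes do. The skipped-line count is the check that the audit review process the item calls for is still seeing the whole log; a sudden jump in it usually means the log format changed, not that attacks stopped.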
Administrative Safeguard
Risk Assessment & Analysis - The organization must have a process in place to frequently conduct a risk assessment and analysis to determine any risk exposure. This is to reduce the level of risk and ensure maximum security. Necessary policies must be established to enforce the process of risk assessment and analysis and to ensure compliance.
Staff Training - Educate employees on the sensitivity of ePHI data and the potential risk exposure to it. Employees should also be educated about access protocols; identifying and reporting malware, hacks, phishing, etc.; governance; and cyber security best practices. All training conducted should be documented for future reference and audit.
Security Responsibilities - The organization must appoint security personnel who oversee the implementation and enforcement of all security rules. These personnel will be responsible for, and the single point of contact for, any concerns regarding meeting the requirements of the HIPAA Rules.
Third-party Contracts & Agreements - Appropriate third-party contracts and Business Associate Agreements must be in place to ensure that every party or individual having access to ePHI and PHI data complies with the HIPAA rules.
Documentation of Security Incidents - There must be a process in place that ensures incidents are reported. Further, there should be an established process for documenting such incidents and an appropriate reporting process.
Contingency Plans - There must be a contingency plan in place in case of an incident to ensure continuity of business. This is to protect the integrity of ePHI, especially while an organization is addressing the incident. The contingency plan must be tested periodically to assess its effectiveness. There must also be a backup process in place that facilitates the restoration of lost ePHI data.
HIPAA Privacy Rule
The HIPAA Privacy Rule highlights the need to ensure the privacy and security of PHI data. This means organizations are expected to implement appropriate security measures in terms of access controls and the processes that limit the use and disclosure of PHI data. So, here is a list of measures one must consider.
Privacy Policy & Procedure - Having policies and procedures in place ensures the enforcement of rules. So, organizations must have in place policies and procedures that ensure the privacy and security of the PHI and ePHI data they deal with.
Notice of Privacy Practices - The notice of privacy practices must include details on how you use and disclose the PHI data of individuals or patients, and details of the data sharing policies. It should also include the practices enforced for securing the data.
Training Staff - All staff are required to be trained to ensure they meet all the privacy rules. So organizations must have in place policies and processes for conducting staff training. The training should also include providing them with information and building awareness of what kind of data is being used and should be protected, and what data can and cannot be shared as a part of the privacy policy.
Responding to Requests - The organization must establish processes that ensure a timely response to the requests of patients concerning their PHI data. HIPAA states that an organization must respond to a patient access request within 30 days.
Consent - Have a process in place for getting consent from the patient to use redacted ePHI for research, fundraising, or marketing. Also, the patient should be informed that they have an opt-out option for the same.
Appointment of Personnel - The organization must appoint a privacy official responsible for developing, implementing, enforcing, and administering privacy practices. There must also be an individual appointed as a point of contact who would be responsible for receiving complaints and informing patients about the privacy practices and their rights.
Limit Disclosure & Use - The organization must establish a policy and process that limits the use and disclosure of PHI data. PHI data must only be used when necessary, and appropriate consent is required for processing the data for any reason other than what was stated to the patient.
Documentation & Record Maintenance - HIPAA requires the organization to maintain all PHI documentation, including amendments or requests and documentation concerning the Privacy Rule (privacy policies and procedures, records of complaints, and privacy practices notices), for at least six years since the last effective date.
Individual Rights - There must be a process in place that informs patients of their rights concerning their ePHI data. Further, there is also a need to establish a process that ensures these rights, and requests pertaining to them, are met. The rights include the Right of Notice, Right of Access, Request for an Accounting of Disclosures, Right to Amend, Right to Request Restriction, Alternate Communications, Special Requests, and Right to File Complaints.
Breach Notification Rule
The HIPAA Breach Notification Rule is about having a process in place to notify patients when there is a breach of their PHI. The rule also requires a process that ensures prompt notification to the Department of Health and Human Services (HHS) of such a breach of PHI, and further a notice to the media in case the breach has affected more than five hundred patients. So, here is a list of measures one must consider:
Establish an Incident Management Plan.
Have in place a policy and process for promptly notifying HHS.
Establish a process to notify the media about the data breach in case it has affected more than 500 patients.
Have in place policies and procedures concerning data breach response.
Have in place policies and processes for notifying the individuals or patients affected.
Omnibus Rule
The HIPAA Omnibus Rule sets out additional rules and requirements for businesses subject to HIPAA Compliance. So, here is a list of additional requirements to consider when complying with HIPAA regulations.
Business Associate Agreements (BAAs) - Ensure that your organization has in place an updated Business Associate Agreement that is in alignment with all the HIPAA Rules. Business Associates are equally responsible for complying with all the rules of HIPAA. So, a signed BAA will ensure that the business associates are aware of those rules and agree to comply with them.
Updated HIPAA staff training - Staff must be trained to meet the Omnibus Rule requirements to ensure compliance with HIPAA.
Privacy Policy - Organizations must also have in place a privacy policy that reflects individuals' rights and the ways to respond to requests. It should also reflect details such as limitations of disclosures to Medicare and insurers, disclosure of PHI and school immunizations, sale of PHI, and its use for marketing, fundraising, and research. Privacy policies must also be updated to comply with all the rules of HIPAA.
Notices of Privacy Practices - The Notice of Privacy Practices must be updated to cover the information required in the Omnibus Rule. This includes information that requires authorization, the right to opt out of correspondence for fundraising purposes, and the new breach notification requirements.
Final Thought
HIPAA Compliance is an ongoing process that organizations must review frequently. For those new to this and looking to achieve HIPAA Compliance, we strongly recommend considering the above-listed checklist. Those who are already compliant and looking to stay compliant must frequently review their processes and update their existing policies and procedures in alignment with the changing environment to meet the HIPAA requirements. Further, as a final word of recommendation, we suggest organizations consult compliance experts on ways of achieving and maintaining HIPAA Compliance.
Do write to us your feedback, comments and queries or, if you have any
requirements: info@vistainfosec.com
