HIPAA compliance checklist: essential steps for protecting patient data

With the arrival of new digital technologies, healthcare has become more efficient, streamlined, and personalized. But with new technologies come new threats, and greater risks to sensitive information. HIPAA is the US federal government’s attempt to regulate this ever-evolving landscape. 

HIPAA compliance is essential for healthcare providers. One mistake can cost a business thousands, if not millions of dollars. Just this year, Heritage Valley Health System was fined $950,000 for a global malware attack that occurred through a business associate. 

The good news is that HIPAA compliance is achievable. With a systematic approach, any health organization can implement an appropriate, robust framework that safeguards protected health information (PHI) from internal and external threats. Now, let’s explore everything you need to know about becoming HIPAA compliant. 

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, sets a national standard for patient privacy and data security in the US healthcare industry. 

The primary goal of the regulation is to ensure the confidentiality of personally identifiable information (PII) and protected health information (PHI). This means that a patient’s data must be safeguarded from unauthorized access, both internal and external.

Beyond that, HIPAA also provides patients with more rights over their health data. For instance, they can request access to their medical records at any time, and request corrections or alterations if the information is inaccurate or incomplete. 

Who does HIPAA apply to?

HIPAA applies to medical practitioners, healthcare plans, and healthcare clearinghouses that regularly handle and transmit patient health information. Under the legislation, these groups are known as 'covered entities' (CEs).

The HIPAA also applies to third-party service providers that manage PHI in association with a covered entity. For instance, lawyers, IT service providers, tech companies, billing companies, and consultants who work in association with a CE will fall under this definition. These groups are referred to as 'business associates' (BAs). 

What counts as Protected Health Information (PHI)?

PHI refers to any individually identifiable health information that is collected, stored, or transmitted by a covered entity. 

With this definition in mind, PHI includes a broad range of information, including medical records, medical images, communications between patients and medical professionals, and billing information.

Understanding the essential HIPAA rules

There are three foundational sections of HIPAA: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

1. The HIPAA Privacy Rule

The HIPAA Privacy Rule requires covered entities and business associates to protect individually identifiable PHI. For example, the rule ensures that only authorized personnel, such as doctors or practitioners, can access and share patients' protected health information.

In addition, the Privacy Rule gives patients the right to:

• Access a copy of their medical records.
• Request corrections or alterations to those records if the information is incorrect. 
• Restrict a health plan’s access to information about treatments paid for with cash.

The rule also prevents healthcare professionals from disclosing genetic information to influence or sway a patient's health or life insurance coverage. Similarly, it stops health plans from revealing information about child abuse or neglect to law enforcement.  

Lastly, the rule requires healthcare providers to notify patients of their rights and obtain clear consent before they share or disclose PHI. 

2. The HIPAA Security Rule

The HIPAA Security Rule is all about protecting electronic protected health information (ePHI). It requires healthcare providers to:

• Develop, maintain, and regularly review physical and technical policies. 
• Ensure all ePHI created, stored, or transmitted is confidential.
• Protect against unauthorized access or disclosure. 
• Identify potential risks and implement appropriate solutions. 
• Train employees to ensure effective compliance. 

Complying with this rule means implementing robust security protocols that protect all sensitive patient information from external and internal threats. 

3. The HIPAA Breach Notification Rule

Lastly, there's the Breach Notification Rule. This branch of the legislation requires healthcare providers to notify all impacted patients if they suffer a PHI data breach.

In this context, a breach is defined as any unpermitted access, use, or disclosure of PHI. In this case, the provider must notify their patients (and in some cases, the media) within 60 days for any breach larger than 500 patients. 

If the breach impacts fewer than 500 patients, the provider can simply submit the notification to the United States Department of Health and Human Services (HHS) annually. 

The Breach Notification Rule has a caveat. If the healthcare provider can prove there is a low probability the PHI was compromised in a breach, they will not need to notify the patients. However, the burden of proof is on the provider, so this isn’t a strategy to rely on. 

HIPAA fines and penalties

The consequences of a HIPAA violation vary depending on the nature of the violation and the intention behind it.

In some cases, the Office for Civil Rights (OCR) may prefer to resolve HIPAA violations without imposing a penalty. However, for serious or repeated violations, they will typically follow this penalty structure. Note that this structure was adjusted for inflation in the 2024 HIPAA guidelines.

• Tier 1: The covered entity was unaware of the violation and couldn’t have taken reasonable steps to avoid it. They took reasonable care and abided by the rules. Minimum fine of $137 per violation up to $68,928. 

• Tier 2: The covered entity should have been aware of the violation but couldn’t have avoided it even with reasonable care. No willful neglect of the rules. Minimum fine of $1,379 per violation up to $68,928.  

• Tier 3: The violation was the direct result of willful neglect of the HIPAA rules. However, the covered entity has attempted to correct the violation. Minimum fine of $13,785 per violation up to $68,928. 

• Tier 4: The violation was the direct result of willful neglect of the HIPAA rules and the covered entity hasn’t attempted to correct the violation within 30 days, Minimum fine of $68,928 per violation up to an annual maximum of $2,067,813.

As you can see, violating the HIPAA legislation brings consequences for your organization. Let’s review how to avoid such a result.

How do we achieve HIPAA compliance?

Does HIPAA apply to your organization? If so, you’ll need to implement several organizational best practices company-wide to comply. Here’s a comprehensive compliance checklist showing the steps you’ll need to take:

1. Conduct a risk assessment

The Security Rule requires all covered entities to carry out periodic HIPAA risk assessments. This risk analysis will help you understand your threat landscape, identify individual risks, and prioritize them based on your organization's risk tolerance. 

Here are the steps to take to ensure that your risk assessment is comprehensive.

• Identify all PHI within your organization to determine the scope of your assessment. 
• Monitor the effectiveness of your existing security measures by regularly reviewing security logs and conducting vulnerability assessments. This could include things like reviewing access controls, encryption standards, and employee training programs. 
• Discover and document potential weaknesses that could result in a breach. 
• Determine your risk categories based on your risk appetite.
• Prioritize risks based on how likely they are to occur and the impact if they do occur. 

You can then use your knowledge from this assessment to implement a strategy to avoid, reduce, transfer, or accept those risks. 

2. Implement robust security measures

With an understanding of your risk landscape, you can now implement security measures to protect your data. Under HIPAA, you’ll need to put three types of safeguards in place to protect PHI. 

• Physical safeguards: These safeguards prevent physical access to PHI. For instance, lock cabinets, install CCTV, and require ID badges to access confidential areas. 

• Technical safeguards: This encompasses cybersecurity safeguards to protect ePHI, such as firewalls, data encryption, antivirus software, and access control. 

• Administrative safeguards: These safeguards involve compliance training for staff so they know how to store, use, and access PHI effectively. They also include components for privacy policies and how to respond if a data breach does occur.

3. Develop written policies and procedures

Before you train your staff, it’s a good idea to create overarching policies for protecting PHI. You should outline clear procedures for patient access requests, data storage, data access, data encryption, and data transmission.

Similarly, you should also create a clear incident response plan and a breach notification procedure to comply with the HIPAA Breach Notification Rule. 

4. Appoint a HIPAA officer

As part of the HIPAA legislation, you’ll also need to appoint an officer for HIPAA enforcement. This specialist will ensure your staff follow all policies and procedures. They will also handle many crucial tasks, like:

• Maintaining documentation
• Ensuring data governance and data minimization. 
• Completing regular risk assessments
• Handling security and privacy training and educational material.
• Reporting breaches if needed.

For a large organization with a lot of sensitive data, you can decide to split these responsibilities between a dedicated security compliance offer and a privacy compliance officer.

5. Train your team

Any member of staff that handles PHI needs to be properly trained. They should be familiar with your policies and understand their role in complying with the legislation. It’s also crucial to ensure every team member understands their individual day-to-day responsibilities for maintaining HIPAA compliance standards.

6. Maintain documentation for audits

To prove your compliance effort is satisfactory, you’ll need to conduct routine audits to assess the effectiveness of your HIPAA privacy and security measures. To make this process as simple as possible, maintain accurate documentation of:

• Your policies and procedures
• employee training
• business associate agreements
• risk assessments
• internal audit results
• incident response plans.

The more data you have to back up your compliance program, the better. Don’t leave anything to chance. 

7. Review and improve

Remember that HIPAA compliance is always evolving. Conduct routine risk assessments to evaluate the threat landscape, and perform internal audits to make sure your policies and procedures are still being followed to the letter.

HIPAA compliance isn’t a one-and-done solution. It’s an ongoing commitment to building a culture of data privacy and security. 

How to avoid common HIPAA violations

Here are the most common reasons for HIPAA noncompliance and the steps you can take to mitigate the risks. 

• Not making risk analysis an ongoing task: Many organizations assume their risk assessment from last year is still applicable. But threats evolve fast. Premera Blue Cross was fined $6.85 million for systemic noncompliance after they failed to conduct a risk analysis to identify all risks to their ePHI. It’s essential to keep up-to-date. It only takes one emerging threat to cause a breach.

• Refusing patient access to electronic health records: The HIPAA Privacy Rule offers patients the power to access their medical records. If an organization refuses or fails to provide those records within 30 days, this is a breach. Great Expressions Dental Center was recently fined $80,000 for this reason. Fortunately, if you understand the rules, this is an easy mistake to avoid. 

• Employees snooping on patient records: Unsurprisingly, one of the most common violations is employee negligence. The University of California Los Angeles Health System, for instance, was fined $865,000 after an employee accessed the medical records of patients 323 times after learning they would be dismissed. The keys to avoiding this costly violation are effective training and proper access controls.

• Improper disposal of PHI: Many businesses overlook the importance of disposing of PHI correctly, especially for ePHI. Simply moving a folder to a recycling bin isn’t enough. Organizations must dispose of all records that reach the end of their life in a secure way to prevent impermissible disclosures. 

HIPAA compliance in telemedicine

Using telemedicine to provide healthcare services remotely introduces several new challenges for health providers. 

The difficulties of remote access, challenges of privacy during video calls, and the need for robust recordkeeping mean health organizations need to implement several best practices to comply. Here are some to consider:

• Use HIPAA-compliant communication platforms: Ensure the security of communication tools used to transmit PHI, such as video conferences, messages, and other communications.

• Encryption standards: Implement effective encryption standards to safeguard ePHIs from unauthorized disclosure. 

• User identification: Incorporate robust user identification to allow entities to monitor user activity within digital systems. 

• Physical security: Ensure physical security measures are in place to protect the organization's facility from access by unauthorized personnel. 

The RecordPoint approach

At RecordPoint, we understand that your company’s growth depends on your compliance with regulation. Our cloud-native solution will help you govern and manage all of your PII in one place, providing a basis for you to achieve HIPAA compliance with confidence. 

Our data inventory and categorization tools will help you discover, classify, catalog, and tag your sensitive data, so you can ensure it is safe and secure. And, if your data is at risk, our platform will help you identify the root cause and respond quickly. 

We understand the challenges you face. Our cloud-native platform will help you achieve and maintain data privacy compliance year-round so you can focus on the tasks that keep your business growing. 

Schedule a free demo today to learn how RecordPoint can enable you to streamline your HIPAA compliance. 

Frequently asked questions

What is the difference between HIPAA and GDPR?

HIPAA focuses exclusively on protecting healthcare data in the US. In contrast, the General Data Protection Regulation (GDPR) covers data protection across the European Union (EU). The GDPR is also much broader in scope, with stricter compliance requirements. It is widely regarded as the most comprehensive data protection law in the world. 

How often should I conduct HIPAA audits? 

According to the HIPAA rules, you must conduct an internal HIPAA audit at least once a year. That said, larger organizations often need to conduct audits twice a year or quarterly, depending on the amount of PHI they possess. 

As a rule of thumb, if your organization handles a high volume of PHI or processes sensitive data regularly, consider conducting audits quarterly. For moderate amounts of PHI, biannual audits may suffice, while organizations with minimal PHI can adhere to the annual requirement. Regular audits help ensure compliance and can prevent costly violations.

Can I use cloud services for HIPAA-compliant storage?

Yes, you can use cloud services for HIPAA-compliant storage. That said, choose a provider that understands the HIPAA regulations and knows their responsibilities to help you remain compliant.