The words “HIPAA compliance” have a legendary ability to simultaneously arouse both extreme fear and extreme boredom in physicians and other healthcare providers. Everybody knows the legislation is critically important, but identifying your exact duties under it can be a confusing and soporific task.
Let’s try to fix that. In this part of our blog series on HIPAA, we’re going to show you the easiest HIPAA compliance checklist that you’ll ever see. What’s our secret? Just telling you what the Department of Health and Human Services (HHS) already does: HIPAA is its own checklist.
The Best HIPAA Checklist Is…HIPAA Itself?
Yes, basically. First let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.
Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR), Title 45, Parts 160, 162, and 164.
Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:
The Six Rules of the HIPAA Compliance Checklist:
*drum roll please* …
#1: Standardize Your Coding and Electronic Transmissions
This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.
One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.
☑ HIPAA Checklist: How to Comply with Rule 1
- Use a compliant electronic health record (EHR).
Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.
That’s it. Done. Check.
#2: Get Unique Identifiers for You and Your Organization
In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.
☑ HIPAA Checklist: How to Comply with Rule 2
- Make sure that all HIPAA-covered entities in your practice have an NPI.
That’s it. Done. Check.
#3: Protect Your Patients’ Privacy
The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.
HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:
- The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “PHI.”
- A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
- Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
- Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.
☑ HIPAA Checklist: How to Comply with Rule 3
- Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
- Understand the definition of PHI and identify information in your practice that is PHI.
- Keep a record of all uses and disclosures of PHI in your practice.
- Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
- Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
- Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
- Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
- Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
- Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
- Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.
Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.
HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.
#4: Secure Your Electronic Medical Information
The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.
Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:
- Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
- Implement “administrative, technical, and physical safeguards” to address the gaps
- Document all of steps 1 and 2 and keep the records
- Repeat steps 1 to 3 on a periodic basis
That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.
☑ HIPAA Checklist: How to Comply with Rule 4
- Perform a risk analysis for electronic PHI in your organization
- Implement safeguards to address security gaps identified by the risk analysis:
- Make sure everything is documented appropriately
- Repeat steps 1 to 3 on a periodic basis
Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.
As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.
#5: Understand the Penalties for Violations
The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establishes procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.
☑ HIPAA Checklist: How to Comply with Rule 5
- You don’t have to do anything ahead of time
If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.
#6: Learn How to Handle Information Breaches
The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.
☑ HIPAA Checklist: How to Comply with Rule 6
- You don’t have to do anything ahead of time
Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.
HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.