The Top 15 HIPAA Security Rule and Privacy Rule Checklist for Covered Entities and Business Associates

Both Covered Entities (CE) and Business Associates (BA) have much to do when it comes to HIPAA compliance, ranging from essential policies and procedures to critical employee awareness training, and much more. But HIPAA can be confusing, challenging, and incredibly taxing, so take note of the following 15 essential “to do” items regarding compliance with the HIPAA Security Rule and Privacy Rule, compliments of Flat Iron Technologies, LLC.

1. Put in place policies and procedures. One of the biggest challenges facing both Covered Entities and Business Associates is the lack of well-formalized and comprehensive HIPAA policies and procedures. Time and time again, auditors find old, disjointed, “shelfware” HIPAA policies and procedures: documents that have never been used, updated, or provided to employees and other workforce members. With growing HHS OCR audits of Covered Entities and Business Associates, the time to get serious about HIPAA is now, which means sourcing high-quality, industry-leading HIPAA policies and procedures covering all critical areas of the HIPAA Security Rule, Privacy Rule, and Breach Notification process, along with other important areas.

2. Adhere to policies. Policies are just that – documentation describing the best practices an organization should be following – hence the need to carry out the actual procedures. Having policies in place but not following and adhering to them makes such documentation practically worthless. We can’t tell you how many times, as HIPAA security experts, we’ve heard companies say: “I’m not too sure where that policy document is, but let me see if I can find it.”

3. Implement Security Awareness Training. Under the HIPAA Security Rule mandates, all employees and workforce members must undertake annual security awareness and training initiatives covering essential topics and subject matter critical to their daily responsibilities. Look at this mandate as a two-part process: one that teaches core, fundamental security awareness skills, while also ensuring employees stay current with their own respective skillsets. From administrative assistants to database engineers, everyone within an organization needs to undertake annual security awareness training; it’s just that simple. With numerous cost-effective and easy-to-use solutions available online, such as training manuals and PowerPoint presentations (PPT), there’s really no excuse.

4. Assessing Risk is Vital. Another mandate found within the HIPAA Security Rule is that of risk analysis – assessing one’s risk on an annual basis – for both Covered Entities and Business Associates. This is not a policy or a procedure; rather, it is a comprehensive initiative that all healthcare providers must undertake, and every year. When you really stop and think about it, regardless of whether it’s a regulatory compliance mandate or not, isn’t it just a good idea to assess one’s strengths, weaknesses, market concerns – and other important business elements – on a regular basis? Sure it is, so HIPAA is just reinforcing a best practice.

5. Assess Privacy Rule Requirements. The Omnibus Final Rule of January 2013 gave HIPAA an incredible amount of regulatory compliance “bite”, one that’s still being felt by both Covered Entities and Business Associates throughout North America. What’s important to note about the ruling is that BAs now have increased roles and responsibilities for HIPAA compliance, and that means re-addressing and re-examining many of the formerly out-of-scope HIPAA Privacy Rule requirements.

6. HIPAA Compliance is a Moving Target. Becoming compliant with the Health Insurance Portability and Accountability Act (HIPAA) is much more than just putting in place all mandated policies, procedures, and processes. Sure, that’s a great start – and one to be commended – but HIPAA compliance requires constant oversight to help ensure the safety and security of Protected Health Information (PHI). Bottom line: never take your eye off the moving target of HIPAA compliance.

7. Monitor Third Party Service Providers. Call them what you want – downstream third party service providers, business associates, subservice organizations – they’re all the same in the eyes of HIPAA in that they’re providing critical outsourced services. Therefore, if they’re storing, processing, and/or transmitting Protected Health Information (PHI) in any way, such organizations need to be HIPAA compliant. A good best practice is to develop a comprehensive third party service provider monitoring package, one that ensures a constant due-diligence program is in place for ensuring the safety and security of PHI. Everyone is outsourcing in today’s world – HIPAA is no different – so put in place a monitoring program that works for you.

8. Use Encryption. Though the HIPAA Security Rule classifies various aspects of encryption as “addressable” rather than “required”, no one really takes that distinction as an excuse anymore: addressable does not mean optional, it means an organization must either implement the specification or document why it is not reasonable and appropriate and put an equivalent alternative measure in place. After all, how else can one ensure the safety and security of Protected Health Information (PHI) being stored in databases or transmitted over the Internet? Encryption is a must for safeguarding PHI, so use it. Encryption may have been a technology luxury years ago when the original HIPAA Security Rule provisions were authored, but not anymore.

9. Enforce Strong Access Rights, Including Remote Access. The very best way to ensure the safety and security of Protected Health Information (PHI) is to allow access to such information only to those who are authorized. This means putting in place highly formalized access control policies, procedures, and processes, which is a strict mandate under the HIPAA Security Rule. Remote access also falls under access control, which means – once again – allowing access only to authorized individuals, and with the necessary security protocols for ensuring the connection is safe and secure. Using approved tunneling and encryption methods, along with two-factor authentication, is essential for remote access best practices.

10. Monitor HIPAA Systems 24x7. Ensuring the safety and security of Protected Health Information (PHI) also means monitoring critical network systems for overall health and performance. From baseline monitoring (e.g., CPU utilization, disk capacity, etc.) to file integrity monitoring – and more – keeping watch over systems storing, processing, and transmitting PHI is critical. There are numerous tools available on the market – many of which are very good and actually cost-effective – so there’s no excuse for avoiding these HIPAA requirements.

11. Incident Response is Essential. Knowing how to respond to an incident regarding any perceived or actual breach of the security of Protected Health Information (PHI) is critical, which means putting in place a comprehensive incident response program that works when needed. A well-thought-out incident response plan is one that includes the following phases:

  • Preparation
  • Detection
  • Initial Response and Containment
  • Security Analysis | Recovery and Repair
  • Communication
  • Post Incident Activities and Awareness
  • Training and Testing

12. Contingency Planning is a Must. This is another strict mandate for HIPAA compliance – as illustrated within the Security Rule provisions – so comprehensive planning and implementation should always be underway to ensure such a plan is in place. Simply stated, it means having a documented, tested, and “real world” Business Continuity and Disaster Recovery Plan (BCDRP) in place, no exceptions.

13. Backup PHI Data. It’s critical to have in place comprehensive data backup, recovery, and restore procedures for ensuring the confidentiality, integrity, and availability (CIA) of Protected Health Information (PHI). Imagine not having an exact, retrievable copy of backup data – not a thought to entertain – so put in place data backup best practices. Word to the wise: putting in a replication platform, where data is saved and then replicated to another location – such as a cloud storage provider – is a good place to start. Alternatively, backing up media and then transferring tapes to an offsite storage provider is also a good idea. Can you say yes to the following – “If I lose my data, I can restore all of it, quickly and completely” – and back that answer up with an actual test restore? If so, then you should be fine.
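Items 10 and 13 above both come down to the same underlying check: knowing exactly what the files on a PHI system should look like, and comparing against that. The following added example (not code from the original page or from Flat Iron Technologies) shows a small stdlib-only Python script that builds a SHA-256 manifest of a directory, uses it as a file integrity monitoring baseline to report modified, added, and removed files, and reuses the same manifest to prove that a restore from backup is complete. The directory layout, file names, and contents are constructed for the demo and are not real PHI.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large PHI exports never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(expected: dict, actual: dict) -> dict:
    """Report what differs between a stored manifest and the tree as it is now."""
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "added": sorted(k for k in actual if k not in expected),
        "removed": sorted(k for k in expected if k not in actual),
    }


def integrity_check(root: Path, manifest_file: Path) -> dict:
    """File integrity monitoring (item 10): compare the live tree with the saved baseline."""
    baseline = json.loads(manifest_file.read_text())
    return diff_manifests(baseline, build_manifest(root))


def restore_check(backup_dir: Path, manifest_file: Path, restore_to: Path) -> bool:
    """Restore test (item 13): a backup is only good if restoring it reproduces the manifest exactly."""
    shutil.copytree(backup_dir, restore_to)
    report = diff_manifests(json.loads(manifest_file.read_text()), build_manifest(restore_to))
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: baseline a tree, back it up, verify the restore, then detect drift."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        data = work / "phi"
        (data / "etc").mkdir(parents=True)
        (data / "etc" / "app.conf").write_text("db_host=phi-db.example.internal\n")
        (data / "etc" / "audit.conf").write_text("audit=on\n")
        (data / "records.csv").write_text("id,dob\n1,1970-01-01\n")  # constructed sample, not real PHI

        # Save the baseline while the tree is known-good; in practice keep it off-host, read-only.
        manifest = work / "manifest.json"
        manifest.write_text(json.dumps(build_manifest(data), sort_keys=True))

        # Take a backup of the known-good tree and prove a restore reproduces it completely.
        backup = work / "backup"
        shutil.copytree(data, backup)
        restore_ok = restore_check(backup, manifest, work / "restored")

        # Simulated drift on the live system: weakened audit setting, unexpected file, deleted config.
        (data / "etc" / "audit.conf").write_text("audit=off\n")
        (data / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")
        (data / "etc" / "app.conf").unlink()
        drift = integrity_check(data, manifest)

        return {"restore_ok": restore_ok, "drift": drift}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the restore result and the drift report; a real deployment would schedule `integrity_check` against a manifest stored somewhere the monitored host cannot overwrite, and would feed any non-empty report into the incident response process described in item 11.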

14. Making Security a Priority. HIPAA compliance is much more than just policies and procedures; it’s about putting in place best practices for ensuring the safety and security of all organizational resources, including Protected Health Information (PHI). In today’s world of hackers and online thieves, it’s time that Covered Entities (CE) and Business Associates (BA) begin making security a priority. Don’t do it just for regulatory compliance; do it because you care about the confidentiality, integrity, and availability (CIA) of your entire network. Compliance should be almost an afterthought, something that can be easily accomplished because of the strides made in making information security an important mandate.

15. Contractual Documentation is Essential. From having critical Business Associate Agreements (BAA) in place to numerous other legal materials, essential contractual documentation is a must for HIPAA compliance and a must for protecting your organization from any potential legal issues. While we’re not attorneys at Flat Iron Technologies, LLC, we highly recommend that all legal documentation pertaining to HIPAA be thoroughly reviewed by qualified counsel.