
HIPAA Compliance Checklist for Tech Vendors
EBOOK GUIDE

Contents

03 What Is HIPAA?
04 How HIPAA Compliance Affects Your Business
05 Examples of a Business Associate
06 Where to Start
07 The Security Rule Compliance Checklist
10 The Privacy Rule Compliance Checklist
11 HIPAA & HITECH
12 Next Steps



Introduction: What Is HIPAA?


HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. This act governs United States healthcare and health insurance providers, as well as other “covered entities”, as it relates to all “protected health information” (PHI).

This piece of federal legislation sets the minimum standard of health data privacy compliance across all states and regulates how health insurers and healthcare providers in the U.S. collect, protect, and share patient information.


How HIPAA Compliance Affects Your Business

HIPAA compliance is your cost of entry to the healthcare market. HIPAA requires “business associates” to meet the requirements of the Security Rule and Privacy Rule of HIPAA.

Third-party vendors, such as SaaS vendors and tech providers, must meet the requirements outlined in the two rules in HIPAA: The Security Rule and The Privacy Rule.

So, how do you get started toward HIPAA compliance?


Examples of a Business Associate

A Business Associate is a third party to a covered entity that provides some service but is not part of the covered entity’s core workforce. This can include vendors, software providers, or other services that a covered entity might need to obtain.

EXAMPLE 1: A third-party technology or SaaS vendor whose software is used by healthcare providers to process ePHI.

EXAMPLE 2: A third-party accounting firm that provides its services to a healthcare provider and accesses PHI (claims) to perform its role.

EXAMPLE 3: A consultant requiring access to PHI during their engagement for any purpose.


Where to Start

You’ll need to first select an information security framework and perform a gap analysis to discover the additions or changes needed to meet the HIPAA-specific requirements.

This helps you understand the tasks ahead of you, what projects you can start on immediately, and what areas might require outside assistance.

The following checklists provide a high-level view of what you’ll need to create to meet the requirements, including those outlined by The Security Rule and The Privacy Rule. Note that these are representative rather than comprehensive; the specifics around each should be reviewed carefully.


The Security Rule Compliance Checklist

The Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES

PHYSICAL SAFEGUARDS

Have Physical Security Policies and Procedures

Have Data Destruction Policy and Procedures

Implement Role-Based Access Control on ePHI Systems


TECHNICAL SAFEGUARDS

Have Encryption Policies and Procedures

Have Control Monitoring, Internal Audit Policies and Procedures

Maintain Access Control Lists for ePHI systems

Keep List of Annual New Hires

Have Authentication Policies and Procedures


ADMINISTRATIVE SAFEGUARDS

Perform Risk Assessment: Organization

Perform Risk Assessment: ePHI Systems

Risk Assessments Guide Control Activities

Have a Risk Management Policy

Have an Organization Chart

Have an Access Management Policy

Have a Data Protection Policy

Have an Acceptable Use Policy

Have an Endpoint Hardening Policy

Have a Human Resources Policy

Have a Disciplinary Actions Policy

Have an Incident Response and Management Policy

Have a Business Continuity & Disaster Recovery Plan

Set up Business Continuity & Disaster Recovery Testing Schedule

Have Backup & Recovery Policy and Procedures



The Privacy Rule Compliance Checklist

The Privacy Rule “requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”

U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES

Have a Privacy Policy and Notice of Privacy Practices

Train Employees on Privacy Policy and Practices

Policies and Procedures over Administrative, Technical & Physical Safeguards

Have Complaints Handling Procedures

Maintain and Review Annual Complaint Log

Have Violations Policies and Procedures

Have Disciplinary Policies and Procedures

Have Disclosure Policies & Procedures

Have Anti-intimidation / Anti-retaliation Policies & Procedures

HIPAA & HITECH


“The Health Information Technology for Economic and Clinical Health (HITECH) Act...addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.”

U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES

HITECH CHECKLIST

Establish Breach Notification Process

Define Breach Notification Trigger

Entity-Level Risk Assessment for Business Associate(s)


Next Steps

Achieving HIPAA compliance is no small feat, and it can feel daunting when you realize what’s involved.

UNDERSTAND SCOPE

A successful program relies first and foremost on fully understanding the scope of the effort, from drafting necessary policies to implementing, managing, and reporting on your compliance efforts.

SELECT THE RIGHT PARTNER

A security and privacy management platform (such as Securicy) will have the HIPAA-specific modules that will automatically generate custom policies and procedures, designate key officers, and track your progress toward compliance.

About Carbide

Carbide, formerly known as Securicy, makes enterprise-class security and privacy accessible to fast-growing companies. Unlike “checkbox-style” compliance solutions, our information security and privacy management platform is based on universal best practices to enable customers to create, promote, and prove their commitment to security no matter which security framework or privacy regulation they wish to comply with.

By making it easy to embed security and privacy into the DNA of your organization, Carbide can help sharpen your competitive edge and accelerate your company’s growth trajectory. To learn more about how we can help no matter where you are in your security journey, visit www.carbidesecure.com.

Chat with an Expert

Need help getting your organization HIPAA compliant? Talk to our security experts about the HIPAA Compliance Fast Track in the Carbide platform. Get the tools you need to generate policies, while efficiently achieving, maintaining, and reporting on your compliance status.

BOOK A DEMO

CarbideSecure.com