
HIPAA Compliance Checklist 2022

W: www.vistainfosec.com | E: info@vistainfosec.com

US Tel: +1-415-513-5261 | UK Tel: +442081333131 | SG Tel: +65-3129-0397


IN Tel: +91 73045 57744 | Dubai Tel: +971507323723
An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA and PCI SSFA
USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) is a data privacy and security regulation for the healthcare industry. It sets out the requirements that organizations handling Protected Health Information (PHI) must meet in order to keep that information private and secure.

Organizations looking to achieve HIPAA compliance must meet the requirements outlined by the regulation. Failure to comply may result in substantial fines, especially in the event of a data breach. A data breach can also lead to criminal charges and civil lawsuits, and organizations must follow defined breach reporting standards and protocols.

Organizations subject to HIPAA are therefore encouraged to read through this HIPAA Compliance Checklist 2022. It will help organizations implement the measures relevant to the HIPAA requirements and ensure the privacy and security of PHI. Read on to understand the requirements of HIPAA, and refer to the checklist before undergoing an audit.

HIPAA Compliance Checklist
Every Covered Entity and Business Associate with access to PHI must implement the relevant Technical, Administrative, and Physical safeguards to protect that data. The checklist below compiles the Security, Privacy, Breach Notification, and Omnibus Rule requirements that organizations must implement to ensure compliance.

HIPAA Security Rule
The HIPAA Security Rule requires organizations to implement safeguards to protect electronic PHI (ePHI). It applies to every organization that creates, receives, maintains, or transmits ePHI, and it requires the technical, physical, and administrative safeguards listed below.

Technical Safeguard
Access Controls - Organizations must have identity and access management measures in place. Each user accessing PHI must be given a unique user name and credentials, so that activity can be traced to an individual, and there must be a defined process governing who is granted access to which data.

Authentication - Organizations must verify the identity of any person or system requesting access to ePHI, and must protect ePHI from unauthorized alteration and accidental destruction (integrity). There must be an appropriate authentication policy and a process for enforcing it.
Encryption - Encrypt ePHI when it is transmitted over external networks, and consider encrypting it at rest as well.

Logging & Monitoring - Establish policies and procedures for logging and monitoring. Organizations must have a process for periodically reviewing audit logs and the controls around them. Technical safeguards must track and monitor access attempts, and detect and alert on failed attempts. There must also be automatic log-off of sessions on devices not in use, and account lockout after multiple failed logins.

Physical Safeguard
Facility Access Controls - Have in place physical safeguards that limit access to facilities where PHI is stored or processed. There must also be measures to monitor these facilities from time to time.

Workstation Use - There must be a policy and process for managing workstations that are left unattended. For instance, automatic screen locking when a workstation has been idle for a short period, such as 30 seconds, is an essential measure for securing these devices. There must also be a policy restricting how workstations may be used.

Device and Media Controls (Inventory) - Keep an inventory of all data stored on servers and devices within the organization, and monitor its access, use, and movement over the network. The organization must also have a retrievable copy of ePHI before any equipment is moved, and a process for securely disposing of, or re-using, hardware and media that held ePHI.

Administrative Safeguard
Risk Assessment & Analysis - The organization must have a process for regularly conducting a risk assessment and analysis to identify its risk exposure, so that risk can be reduced and security maintained. Policies must be established to enforce this process and ensure compliance.

Staff Training - Educate employees on the sensitivity of ePHI and the risks to it. Employees should also be trained on access protocols, on identifying and reporting malware, hacks, phishing and similar threats, on governance, and on cyber security best practices. All training conducted should be documented for future reference and audit.

Security Responsibilities - The organization must appoint security personnel to oversee the implementation and enforcement of all security rules. This person is responsible for, and the single point of contact on, any concerns about meeting the requirements of the HIPAA Rules.

Contingency Plans - There must be a contingency plan in place to ensure business continuity in the event of an incident, and to protect the integrity of ePHI while the organization is responding to it. The contingency plan must be tested periodically to assess its effectiveness. There must also be a backup process in place that allows lost ePHI to be restored.

Third-party Contracts & Agreements - Appropriate third-party contracts and Business Associate Agreements must be in place to ensure that every party or individual with access to ePHI and PHI complies with the HIPAA rules.

Documentation of Security Incidents - There must be a process for reporting security incidents, an established process for documenting such incidents, and an appropriate reporting procedure.
HIPAA Privacy Rule
The HIPAA Privacy Rule addresses the privacy and security of PHI. Organizations are expected to implement appropriate access controls and processes that limit the use and disclosure of PHI. So, here is a list of measures one must consider.

Privacy Policy & Procedure - Having policies and procedures in place ensures the rules are enforced. Organizations must have policies and procedures that ensure the privacy and security of the PHI and ePHI they handle.

Notice of Privacy Practices - The notice must describe how you use and disclose the PHI of individuals or patients, your data sharing policies, and the practices in place for securing the data.

Training Staff - All staff must be trained to meet the privacy rules, so organizations must have policies and processes for conducting staff training. The training should also build awareness of what kind of data is being used and must be protected, and of what data can and cannot be shared under the privacy policy.

Respond to Requests - The organization must establish processes that ensure a timely response to patients' requests concerning their PHI. HIPAA requires a response to a patient's access request within 30 days (one 30-day extension is permitted if the patient is given the reason in writing).

Consent - Have a process for obtaining the patient's authorization before their PHI is used for research, fundraising, or marketing, and inform the patient that they have the option to opt out.

Appointment of Personnel - The organization must appoint a privacy official responsible for developing, implementing, enforcing, and administering privacy practices. There must also be an individual appointed as the point of contact responsible for receiving complaints and for informing patients about the privacy practices and their rights.
Limit Disclosure & Use - The organization must establish a policy and process that limits the use and disclosure of PHI to the minimum necessary. PHI must only be used when it is necessary, and the patient's authorization is required before it is processed for any purpose other than those stated to the patient.

Individual Rights - There must be a process for informing patients of their rights concerning their ePHI, and a process for ensuring that these rights, and requests made under them, are met. The rights include the Right of Notice, Right of Access, Right to an Accounting of Disclosures, Right to Amend, Right to Request Restrictions, Right to Alternate Communications, Special Requests, and Right to File Complaints.

Documentation & Record Maintenance - HIPAA requires the organization to maintain all PHI-related documentation, including amendments and requests, documentation concerning the Privacy Rule such as privacy policies and procedures, records of complaints, and notices of privacy practices, for at least six years from the date of creation or the last effective date, whichever is later.
Breach Notification Rule
The HIPAA Breach Notification Rule requires a process for notifying patients when there is a breach of their PHI. It also requires prompt notification of the Department of Health and Human Services (HHS), and a notice to prominent media outlets where a breach affects more than 500 individuals (under the rule, more than 500 residents of a State or jurisdiction). Individual notifications must be sent without unreasonable delay and no later than 60 days after the breach is discovered; breaches of 500 or more individuals are reported to HHS on the same timeline, while smaller breaches may be logged and reported to HHS within 60 days of the end of the calendar year. So, here is a list of measures one must consider:

Establish an Incident Management Plan.

Have in place policies and procedures concerning data breach response.

Have in place policies and processes for notifying the individuals or patients affected.

Have in place a policy and process for promptly notifying HHS.

Establish a process to notify the media when a breach has affected more than 500 individuals.

Omnibus Rule
The HIPAA Omnibus Rule sets out additional rules and requirements for businesses subject to HIPAA compliance. Here is a list of the additional requirements to consider when complying with HIPAA regulations.

Business Associate Agreements (BAAs) : Ensure that your organization has an updated Business Associate Agreement in place that is aligned with all the HIPAA Rules. Business Associates are equally responsible for complying with all the HIPAA rules, so a signed BAA ensures that the business associates are aware of those rules and agree to comply with them.

Updated HIPAA staff training : Staff must be trained on the Omnibus Rule requirements to ensure compliance with HIPAA.

Privacy Policy : Organizations must also have a privacy policy that reflects individuals' rights and the ways in which requests are responded to. It should also cover limitations on disclosures to Medicare and insurers, disclosure of PHI for school immunizations, the sale of PHI, and its use for marketing, fundraising, and research. Privacy policies must be updated to comply with all the HIPAA rules.

Notices of Privacy Practices : The Notice of Privacy Practices must be updated to cover the information required by the Omnibus Rule. This includes the uses that require authorization, the right to opt out of fundraising communications, and the new breach notification requirements.

Final Thought
HIPAA compliance is an ongoing process that organizations must review frequently. For those new to this and looking to achieve HIPAA compliance, we strongly recommend working through the checklist above. Those who are already compliant and looking to stay compliant must frequently review their processes and update their existing policies and procedures in line with the changing environment to meet the HIPAA requirements. As a final recommendation, we suggest that organizations consult compliance experts on ways of achieving and maintaining HIPAA compliance.

Do write to us your feedback, comments and queries or, if you have any
requirements: info@vistainfosec.com
