HIPAA Compliance Checklist 2022
W: www.vistainfosec.com | E: info@vistainfosec.com
HIPAA Compliance Checklist
Every Covered Entity and Business Associate with access to PHI data must implement the relevant Technical, Administrative, and Physical safeguards to keep that data as secure as possible. This HIPAA compliance checklist compiles the Security, Privacy, Breach Notification, and Omnibus Rule requirements that organizations must implement to ensure compliance.
HIPAA Security Rule
The HIPAA Security Rule sets out the safeguards organizations must implement to protect PHI data. It applies to every organization with access to confidential PHI data and requires technical safeguards, physical safeguards, and administrative safeguards, as described below, to achieve the maximum level of security.
Technical Safeguard
Access Controls - Organizations must have identity and access management measures in place. Every user who accesses PHI data must be given a unique user name and password, and there must be a process that governs access to the data.

Device and Media Controls - Keep an inventory of all data stored on servers and devices within the organization, and monitor its access, use, and movement over the network. The organization must also hold a retrievable copy of ePHI before any equipment is moved.
Administrative Safeguard
Risk Assessment & Analysis - The organization must have a process in place to frequently conduct a risk assessment and analysis to determine any risk exposure. This is to reduce the level of risk and ensure maximum security. Necessary policies must be established to enforce the process of risk assessment and analysis to ensure compliance.

Staff Training - Educate employees on the sensitivity of ePHI data and the potential risk exposure to it. Employees should also be educated about the access protocols, identifying and reporting malware, hacks, phishing, etc., governance, and cyber security best practices. All the training conducted should be documented for future reference and audit.

…gency plan must further be tested periodically to assess its effectiveness. There must also be a backup process in place that facilitates the restoration of lost ePHI data.

Third-party Contracts & Agreements - Appropriate Third-party Contracts and Business Associate Agreements must be in place to ensure every party or individual having access to ePHI and PHI data complies with HIPAA rules.

Documentation of Security Incidents - There must be a process in place that ensures reporting of the incident. Further, there should be an established documenting process in place for such incidents and an appropriate reporting process.
Omnibus Rule
The HIPAA Omnibus Rule sets out additional rules and requirements for businesses subject to HIPAA Compliance. The following additional requirements should be considered when complying with HIPAA regulations.
Business Associate Agreements (BAAs) : Ensure that your organization has in place an updated Business Associate Agreement that is in alignment with all the HIPAA Rules. Business Associates are equally responsible for complying with all the rules of HIPAA. So, a signed BAA will ensure that the business associates are aware of those rules and agree to comply with them.

Privacy Policy : Organizations must also have in place a privacy policy that reflects individuals’ rights and ways to respond to requests. It should also reflect details such as limitations of disclosures to Medicare and insurers, disclosure of PHI and school immunizations, sale of PHI, and its use for marketing, fundraising, and research. Privacy policies must also be updated to comply with all the rules of HIPAA.

Notices of Privacy Practices : The Notice of Privacy Practices must be updated to cover the information required by the Omnibus Rule. This includes information that requires authorization, the right to opt out of correspondence for fundraising purposes, and must include or consider even the new breach notification requirements.

Updated HIPAA staff training : Staff must be trained to meet the Omnibus Rule requirements to ensure compliance with HIPAA.

Final Thought
HIPAA Compliance is an ongoing process that organizations must review frequently. For those new to this and looking to achieve HIPAA Compliance, we strongly recommend working through the above checklist. Those who are already compliant and looking to stay compliant must frequently review their processes and update their existing policies and procedures in line with the changing environment to meet the HIPAA requirements. As a final word of recommendation, we suggest organizations consult compliance experts on ways of achieving and maintaining HIPAA Compliance.
Do write to us with your feedback, comments and queries, or if you have any requirements: info@vistainfosec.com