HIPAA Compliance Checklist

Improve clarity and create a plan of action

HIPAA Compliance Checklist

You may have an idea of what HIPAA compliance is—and why it’s so important. But does your organization have the resources and strategies in place to ensure that it can maintain HIPAA compliance? Because HIPAA is a complicated set of regulations with far-reaching implications in the health industry, it’s important to split up your individual strategies into a HIPAA compliance checklist that will improve clarity and create a plan of action.

What is HIPAA Compliance?

In its simplest form, a HIPAA compliance checklist is an agenda of items that are integral to running a private and secure medical organization. And those two words—private and secure—are very important here, because they refer to two express rules within HIPAA:


  • Privacy Rule. The top priority of HIPAA compliance comes in privacy. Simply put, a patient has the right to keep their private health information private. Sharing that information with anyone who’s unauthorized to view it is not only a HIPAA violation, but can lead to a whole mess of problems down the line. It’s essential that anyone working in medicine or healthcare understands how important the privacy rule is.
  • Security Rule. There is no privacy without security. As such, HIPAA also makes it a priority for medical organizations to keep a tight lid on their security procedures. Protecting the systems that display private health information is at the center of this rule. Even someone who takes great care to keep medical information private can unwittingly expose that information to security breaches if the right systems aren’t in place.

But simply increasing your focus on privacy and security won’t be enough. You have to have the specific action-steps in place to help get your organization up to HIPAA compliance.

What You Need to Know Before Proceeding

No HIPAA compliance checklist is complete without first establishing the parameters for these action steps. Here’s a brief list of everything you’ll need to know before proceeding:

  • PHI refers to protected health information, and ePHI refers to electronic protected health information. As you research HIPAA compliance, you’ll likely see these two acronyms pop up repeatedly—they’re central to establishing HIPAA compliance.
  • Covered entities: What is a “covered entity”? This refers to the organization that provides healthcare or health plans. Covered entities routinely work with PHI as part of their normal business operations, which means that they’ll be expected to comply fully with HIPAA. As such, this term generally refers to the organization—such as a hospital—and not the employee of that organization, such as a nurse or doctor.
  • Business associates: Business associates of covered entities may work with PHI after signing a Business Associate Agreement. That’s why HIPAA compliance goes beyond the medical sphere into a range of businesses.

With these basics in mind, it’s time to get to the action steps.

A HIPAA Compliance Checklist

With the above in mind, it’s time to get specific about HIPAA compliance and the unique steps you can take to ensure your organization keeps a tight grasp on private health information.

Before we begin in the individual steps, let’s think about the broad strokes that a company like yours might try to kickstart the process:

  • Select a Privacy and Security Officer. The Privacy and Security Officer is a common role within medical organizations—in some cases, this role can be filled by one person. In larger organizations, it may take two or even a team. But it’s important to have someone on the staff whose job it is to understand HIPAA compliance and to help ensure your organization fits the bill.
  • Undergoing regular HIPAA training. Has your team undergone the annual HIPAA training? Has this training been logged and documented? This is something that your compliance officer will be able to help with.

These two steps alone can represent a major leap forward for any organization looking to boost its HIPAA compliance. But when it comes to getting your organization up to speed, you should next focus on Audits and Assessments. This essential step should be far-reaching and include a series of smaller steps in the form of individual audits, such as:

  • A Security Risk Assessment. Is your site at risk for security breaches? HealthIT.gov provides tools and solutions for a Security Risk assessment online.
  • A Privacy Assessment. Assessing the level of privacy maintained at your organization is vital to understanding how well you adhere to the Privacy Rule provisions of HIPAA.
  • A Security Standards Audit. Is security at your organization a matter of practice and standards, or do those standards need to be raised? Are the standards applicable to everyone within the organization?
  • An Asset and Device Audit. Business assets (such as computers) and personal devices can represent key points at which private information can be accidentally shared or accessed. It’s vital to ensure that these assets and devices are properly protected and include features that help prevent security breaches.
  • A Physical Site Audit. Not all transmission of PHI is electronic. A physical site audit is necessary to ensure that your organization also protects private health information at a physical level. That includes physical filing and mailing systems.
  • A HITECH Subtitle D Audit. HITECH stands for “Health Information Technology,” or Health IT. Subtitle D refers to the privacy concerns with Health Information Technology. Put it all together with a full and comprehensive audit.

But it doesn’t end with the audit. Once you’ve completed these assessments and audits, you should then create a new checklist for addressing each of the issues raised throughout the process.

From there, you might consider a few of these important next steps:

  • Documenting any problems with HIPAA compliance. Why document this stage? Because it shows you’re not only making an effort to adhere to HIPAA rules, but that you’re aware of some specific problems. In the next step, you’ll also document that you took specific steps to come to compliance with these issues.
  • Documenting the solutions implemented. Documenting a solution shows that not only are you HIPAA compliant, but that you’ve taken the time necessary to become aware of a potential issue and took specific action steps to prevent any issues.
  • Evaluate your business associate agreements. Because your business associates may also fall under the umbrella of HIPAA rules and guidelines, you’ll have to make sure that all appropriate documentation is signed and recorded. Make sure that you not only look at your business associates, but that you understand each individual agreement to make sure that you’re up to HIPAA standards. Also ask yourself if these agreements are up to date.
  • Implement written standards for HIPAA compliance. Does your organization make it a practice to stay within HIPAA guidelines? There may be no evidence for that if you don’t have written standards and policies in place for proper HIPAA conduct. This may be one of the first priorities of your HIPAA compliance officer, but it’s important for any organization to have.

Although HIPAA compliance rightly focuses on making privacy a priority, there’s no reason that Security Processes should get lost in the shuffle. Make sure to include the following in your HIPAA compliance checklist:

  • Risk analysis of security systems. Is ePHI confidential? Is ePHI at risk of potential breaches? What policies do you have in place for employees who don’t comply with the security standards you’ve set in place?
  • Do you have an employee in place who oversees your security? HIPAA regulators often look for this kind of oversight to check on an organization’s commitment to information security.
  • Authorization/supervision. Is there a plan in place for authorizing and supervising employees who have to handle ePHI? Are there procedures in place for those employees who don’t handle ePHI properly?
  • What training systems do you have in place to help inform your employees as to the proper security practices? Do you also document the training your employees received and have them sign it?
  • Log-in monitoring. Does your organization have the capacity to monitor unauthorized access to privileged medical information? If there were a breach such as someone using their credentials to commit a HIPAA violation, how would you know about it?
  • Creating plans. A security breach can be a major event in any organization. With the privileged medical information held by a health center or hospital, it’s vital to have a contingency plan in place. That can include:
    • Creating a data backup plan. Losing data can cause confusion and chaos, but having adequate data backup plans in place help organizations maintain the security and privacy of said data.
    • Recovery plans for lost data. Losing ePHI can be a very serious situation, which is why it’s vital to have a recovery plan in place for ensuring that this gets restored.
    • Emergency data handling plans. Hospitals should and do prepare for emergencies—but it’s vital that private health information still be protected in the event of any such emergency.

Finishing Your HIPAA Compliance Checklist: Don’t Forget These

Although this comprehensive HIPAA checklist can be both handy and intimidating, it shouldn’t be. Instead it should be a reminder of how serious HIPAA compliance is—as well as a reminder that if you take the right steps, compliance should be assured.

But there are also some vital steps that deserve to be mentioned, especially from an overall birds-eye view of your organization:

  • Make sure all electronic transmissions are standardized. This can be as simple as selecting a HIPAA compliant electronic health record system.
  • Keep diligent records. All uses of PHI, for example, should be kept under record, with the appropriate releases and signatures all signed and stored. Diligent records help you verify your HIPAA compliance when held up to scrutiny.
  • Create a Notice of Privacy Practices. The Department of Health and Human Services won’t leave you in the lurch here: they’ve provided a “model Notice of Privacy Practices.”
  • Maintain ongoing efforts to identify issues. Your Privacy/Security officer should be open to complaints about procedures and potential weak spots in the systems and policies you put in place. View HIPAA compliance not as a single achievement, but as an ongoing practice that requires constant tweaking to ensure adherence.

Medical organizations have a lot to live up to when it comes to HIPAA compliance—but with the proper steps, they should be confident that HIPAA compliance is not only achievable, but a matter of practice.

If you need professional help with HIPAA compliance, visit our main site at www.haoa.org.

Find us on Facebook and Linkedin