A Comprehensive HIPAA Compliance Checklist


The US Department of Health and Human Services (HHS) reports that healthcare organizations disclosed more than 600 data breaches affecting 500 or more individuals in 2021, and that those breaches together exposed tens of millions of patient records.

Federal law requires healthcare providers to protect their patients' personal information. How are you meeting that obligation?

To make sure you are on the right path, check out this HIPAA Compliance Checklist.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law that regulates how healthcare data is used, disclosed, stored and protected.

HIPAA sets out how protected health information (PHI) may be used and disclosed, and requires that it be safeguarded against theft, loss and fraud.

What does ‘Protected Health Information’ mean?

Protected Health Information (PHI) is individually identifiable health information: anything about a person's health condition, treatment or payment for care that can be tied to that person. Names and addresses are the obvious identifiers, but PHI also covers medical record numbers, Social Security numbers, payment and credit card details, and full-face photographs.

HIPAA covers PHI in every form (paper, spoken and electronic), and the Security Rule specifically covers PHI that is created, stored, sent, viewed or accessed electronically. This electronic subset is called electronic protected health information, or ePHI.

Who is HIPAA applicable to?

HIPAA applies to two types of organizations: covered entities and business associates. Below are the two types:

  • Business Associates

A business associate does not usually treat patients. Instead it creates, receives, maintains or transmits PHI on behalf of a covered entity.

Business associates range from accountants and professional shredding services to medical billing companies, IT contractors and hosting providers that handle ePHI. Each one must sign a business associate agreement with the covered entity it serves, and it is directly liable for the Security Rule safeguards described below.

  • Covered Entities

Covered entities are the organizations that interact directly with patients or their health data: healthcare providers such as doctors, therapists, clinics and hospitals, health plans, and healthcare clearinghouses.

HIPAA applies whenever these organizations transmit patients' health information electronically, for example when a provider refers a patient to another provider or sends a claim to an insurance company for payment.

  • The HIPAA Rules

HIPAA itself was passed by Congress; the detailed rules below were issued by HHS to protect patient data. The following rules are the ones a compliance program has to satisfy:

  • HIPAA Privacy Rule

The Privacy Rule applies to PHI in any form, not only ePHI. It gives patients the right to see and obtain copies of their records, limits how covered entities and business associates may use and disclose PHI, sets out the narrow grounds on which a provider may deny a patient access, and specifies the authorization forms that must be obtained before PHI is released for a purpose the Rule does not already permit.

  • HIPAA Security Rule

The Security Rule sets the standards for storing, transmitting and managing ePHI. It requires administrative, physical and technical safeguards, and it requires a documented risk analysis that identifies where ePHI lives in your systems and what threatens it.

  • HIPAA Breach Notification Rule

The Breach Notification Rule sets the national standard for notifying affected individuals, HHS and, for large breaches, the media when unsecured PHI is exposed. Every breach of unsecured PHI must be reported; its size determines the timing. Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, while smaller breaches are logged and reported to HHS annually. Affected individuals must be notified within 60 days in every case. PHI that was encrypted in line with HHS guidance is not "unsecured", which is one of the strongest practical reasons to encrypt ePHI at rest and in transit.

  • Checklist for HIPAA Compliance

Are you at risk of HIPAA violations? If you aren't sure, act now.

This HIPAA checklist will help you protect your clients' ePHI across the physical, administrative and technical parts of your business. As your compliance program matures, add further protections on top of it.

  1. Put physical safeguards in place

Physical safeguards protect the equipment and the office locations that store and process ePHI. They guard sensitive records against physical intrusion as well as natural hazards such as fire and flooding.

Make sure that IT equipment in the office has access restrictions that limit ePHI access to authorized users only, and keep malware protection up to date on that equipment and on your servers.

Your team should create, store and revise ePHI only on equipment that meets your security standards. Position computer monitors so that unauthorized people, including visitors in waiting areas, cannot read them.

Instruct your team to log off, lock and physically secure their computers before leaving the office, and to lock the screen whenever a computer is not in use.

Make sure that ePHI is not saved on the smartphones or tablets your team uses, and that it is not copied to removable media such as USB drives or discs. Where a device must hold ePHI, it should be encrypted and centrally managed so it can be wiped if lost.

  2. Create administrative safeguards

Administrative safeguards govern the behaviour of employees who access, process and distribute ePHI. You cannot watch every move your team makes, but you can configure your information systems so that their handling of ePHI is recorded and reviewed.

One such safeguard is keeping a log of privileged user actions: role and permission changes, bulk exports, and changes to the logging itself. Have your administrator review these logs on a fixed schedule and report any change that was not expected or authorized.

A second log should capture security-related events: failed logins, system failures, lost database connections and access-rights changes. Keep the logs for long enough to reconstruct an incident that is discovered months after it began, and keep the records of your reviews for six years, which is the retention period HIPAA sets for compliance documentation.
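The review described in the two paragraphs above, as an added example that is not part of the original checklist: a small Go program that parses a constructed pipe-delimited audit log (the "timestamp|user|role|action|target" layout, the action names and the user and host names are all assumptions made for this example) and separates privileged actions and security events from routine record views, so the administrator sees the changes that need confirming rather than every line.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent is one parsed line of a constructed application audit log.
// The "timestamp|user|role|action|target" layout is an assumption made for
// this example; real systems will differ.
type AuditEvent struct {
	Time, User, Role, Action, Target string
}

// Actions that change who can reach ePHI, or that only privileged users
// should ever perform. The names are hypothetical, chosen for this example.
var privilegedActions = map[string]bool{
	"GRANT_ROLE":  true,
	"REVOKE_ROLE": true,
	"CHANGE_ACL":  true,
	"EXPORT_BULK": true,
	"DISABLE_LOG": true,
}

// Security-related events the checklist says should be logged and reviewed.
var securityEvents = map[string]bool{
	"LOGIN_FAILED": true,
	"DB_CONN_FAIL": true,
	"SERVICE_DOWN": true,
}

// Review is what the administrator hands back after going through the log.
type Review struct {
	Privileged     []AuditEvent   // every privileged action, in log order
	Security       []AuditEvent   // every security-related event, in log order
	RepeatFailures map[string]int // users with three or more failed logins
	Malformed      int            // lines that could not be parsed (worth a look too)
}

func parseLine(line string) (AuditEvent, error) {
	parts := strings.Split(strings.TrimSpace(line), "|")
	if len(parts) != 5 {
		return AuditEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	return AuditEvent{Time: parts[0], User: parts[1], Role: parts[2], Action: parts[3], Target: parts[4]}, nil
}

// ReviewLog classifies each line so the reviewer sees the changes and events
// that matter instead of scrolling through routine record views.
func ReviewLog(lines []string) Review {
	r := Review{RepeatFailures: map[string]int{}}
	failures := map[string]int{}
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		ev, err := parseLine(l)
		if err != nil {
			r.Malformed++
			continue
		}
		switch {
		case privilegedActions[ev.Action]:
			r.Privileged = append(r.Privileged, ev)
		case securityEvents[ev.Action]:
			r.Security = append(r.Security, ev)
			if ev.Action == "LOGIN_FAILED" {
				failures[ev.User]++
			}
		}
	}
	for user, n := range failures {
		if n >= 3 {
			r.RepeatFailures[user] = n
		}
	}
	return r
}

// sampleLog is constructed for this example; users, MRNs and hosts are invented.
var sampleLog = []string{
	"2024-03-04T08:01:12Z|jsmith|clinician|VIEW_RECORD|MRN-10432",
	"2024-03-04T08:03:40Z|admin1|sysadmin|GRANT_ROLE|jsmith:billing_admin",
	"2024-03-04T08:05:02Z|tlee|billing|LOGIN_FAILED|workstation-7",
	"2024-03-04T08:05:15Z|tlee|billing|LOGIN_FAILED|workstation-7",
	"2024-03-04T08:05:31Z|tlee|billing|LOGIN_FAILED|workstation-7",
	"2024-03-04T08:06:00Z|svc-backup|service|DB_CONN_FAIL|db-primary",
	"2024-03-04T08:10:22Z|admin1|sysadmin|EXPORT_BULK|patients_2023.csv",
	"corrupt line with no delimiters",
}

func main() {
	r := ReviewLog(sampleLog)
	fmt.Println("Privileged actions to confirm with the user who made them:")
	for _, ev := range r.Privileged {
		fmt.Printf("  %s %s (%s) %s -> %s\n", ev.Time, ev.User, ev.Role, ev.Action, ev.Target)
	}
	fmt.Println("Security events:")
	for _, ev := range r.Security {
		fmt.Printf("  %s %s %s on %s\n", ev.Time, ev.User, ev.Action, ev.Target)
	}
	for user, n := range r.RepeatFailures {
		fmt.Printf("Repeated login failures: %s (%d)\n", user, n)
	}
	fmt.Printf("Malformed lines: %d\n", r.Malformed)
}
```

Malformed lines are counted rather than dropped silently: a log that suddenly contains unparseable entries is itself a signal, either of a broken collector or of someone tampering with the audit trail.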

  3. Use technical safeguards

Technical safeguards control who can reach ePHI and protect it while it is stored and in transit. They include access control and authentication, audit logging, encryption, and integrity checks, along with the way your hosting is set up.

Separate servers may be used for different tasks, such as web hosting and data storage, so that a compromise of the public-facing server does not hand over the database. Choose an enterprise hosting service that will sign a business associate agreement and gives you the tools to protect patient privacy and separate access to information by role.

Patient billing information and other personal data should be stored in encrypted database tables or columns, and every image or document a patient uploads should be encrypted at rest.

Each server or environment should use its own encryption keys, so that a key taken from one system does not unlock data on another. Telemedicine sessions must run over encrypted streams, never unencrypted ones. Schedule regular security assessments and penetration tests to find weaknesses before an attacker does.
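The encryption points above (encrypted tables, a different key per server), as an added example that is not part of the original checklist: Go code using the standard library's AES-256-GCM to encrypt one billing field per database row. Each server gets its own key, and the record ID is bound into the ciphertext as additional authenticated data, so two things fail loudly that a naive scheme would let through: another server's key opening the data, and a ciphertext being copied into a different patient's row. The key names, record IDs and the billing field value are constructed for the example, and keys are generated randomly in place of a real key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// FieldKey wraps one AES-256-GCM key that belongs to exactly one server or
// data store. Keys are never shared between stores, so a key recovered from
// the imaging server cannot decrypt billing data.
type FieldKey struct {
	Name string
	aead cipher.AEAD
}

// NewFieldKey builds a FieldKey from 32 raw key bytes. In production the bytes
// come from a KMS or HSM; in this example (an assumption) they are random.
func NewFieldKey(name string, raw []byte) (*FieldKey, error) {
	if len(raw) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldKey{Name: name, aead: aead}, nil
}

// Seal encrypts one ePHI field for one database row. The record ID is bound
// in as additional authenticated data, so a ciphertext copied into another
// row fails to decrypt instead of silently revealing another patient's data.
// Stored layout: nonce || ciphertext || tag.
func (k *FieldKey) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It returns an error on the wrong key, the wrong record
// ID, or any tampering with the stored bytes.
func (k *FieldKey) Open(recordID string, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns+k.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// RandomKey stands in for a key fetched from a key management service.
func RandomKey() ([]byte, error) {
	b := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// Demo seals a constructed billing field under the billing server's key and
// then exercises the two failure modes the checklist cares about: another
// server's key, and the same key applied to a different record. It returns
// the round-tripped plaintext and the two errors that are expected to occur.
func Demo() (roundTrip []byte, crossServerErr, swappedRowErr error, err error) {
	billingRaw, err := RandomKey()
	if err != nil {
		return
	}
	imagingRaw, err := RandomKey()
	if err != nil {
		return
	}
	billing, err := NewFieldKey("billing-db", billingRaw)
	if err != nil {
		return
	}
	imaging, err := NewFieldKey("imaging-db", imagingRaw)
	if err != nil {
		return
	}
	field := []byte("member-id=8837221 group=44 plan=PPO") // constructed sample value
	blob, err := billing.Seal("MRN-10432", field)
	if err != nil {
		return
	}
	roundTrip, err = billing.Open("MRN-10432", blob)
	if err != nil {
		return
	}
	_, crossServerErr = imaging.Open("MRN-10432", blob) // wrong server's key
	_, swappedRowErr = billing.Open("MRN-99999", blob)  // ciphertext moved to another row
	return
}

func main() {
	rt, cross, swapped, err := Demo()
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Printf("decrypted on the billing server: %s\n", rt)
	fmt.Printf("imaging server's key: %v\n", cross)
	fmt.Printf("ciphertext moved to another record: %v\n", swapped)
}
```

A fresh random nonce per Seal call is required for GCM; reusing a nonce under the same key breaks both confidentiality and the integrity tag. The per-server split is also what makes key rotation tractable: the billing key can be rotated and its rows re-encrypted without touching the imaging store.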