HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules
Table of Contents
• An Introduction to the Security, Privacy, and Breach Notification Rules (page 2)
• Security Checklist (page 3)
• Privacy Rule Checklist (page 7)
• Breach Notification Checklist (page 11)
• Ready for HIPAA Compliance? (page 13)
• Is the Firm Qualified?
An Introduction to the Security, Privacy, and Breach Notification Rules

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of consumers’ Protected Health Information (PHI) and electronic Protected Health Information (ePHI) by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the Department of Health and Human Services’ Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of the Security Rule, it’s vital to learn about the three types of safeguards: administrative, technical, and physical. As you’ll see in this checklist, administrative safeguards cover personnel, training, access, and process, while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.

The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute protected health information without the consent of the individual. If this sensitive data were to end up in the wrong hands, it could negatively impact the individual. There are five main areas of the Privacy Rule according to 45 CFR Part 160 and Subparts A and E of Part 164. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standards, administrative requirements, and uses and disclosures.

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. When you have a breach, you will always need to notify affected patients and HHS – no exceptions. If over 500 individuals have been affected, your covered entity will need to alert the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

This checklist will walk you through the requirements of the HIPAA Security, Privacy, and Breach Notification Rules to give you an understanding of what could be assessed. We’ll outline the requirements of each rule, a description of the requirement, and what policies and procedures your organization needs to have to comply with the requirement.
Security Checklist

Administrative Safeguard Requirements
Each requirement is listed with its description and the policies and procedures that address it.

Security Management Process
Description: Policies and procedures to prevent, detect, contain, and correct security violations
Policies and Procedures:
• Information Security Policy Manual
• Incident Reporting
• Business Associate Agreements
• Training Curriculum
• Internal Auditing Policy
• Compliance Manual
• Employee Sanctions

Risk Analysis
Description: Conduct a risk analysis of ePHI systems to identify threats, vulnerabilities, impact of risk, likelihood of occurrence, and existing risk mitigation controls
Policies and Procedures:
• Risk Analysis
• Risk Management

Risk Management
Description: Policies and procedures to reduce risks and vulnerabilities to an appropriate level by prioritizing and implementing risk management controls
Policies and Procedures:
• Risk Management

Assigned Security Responsibility
Description: Develop and implement policies and procedures
Policies and Procedures:
• Information Security Policy Manual
• Compliance Manual

Workforce Security – Appropriate Access
Description: Policies and procedures to govern initial and ongoing access to PHI; reviews of access for continued appropriateness
Policies and Procedures:
• Information Security Policy Manual (Logical Access)
• Human Resources Policies

Workforce Security – Terminating Access
Description: Policies and procedures to terminate employee access to PHI
Policies and Procedures:
• Information Security Policy Manual (Logical Access)
• Human Resources Policies
Workforce Security – Security Awareness Training
Description: Train all employees on security awareness upon hire and continually
Policies and Procedures:
• Information Security Policy Manual (Information Security Policy Acknowledgment and Training)
• HIPAA Training

Incident Response Procedures
Description: Designate appropriate individuals and procedures for security incidents, including response, mitigation, documentation, and corrective actions
Policies and Procedures:
• Information Security Policy Manual
• Incident Response Procedure

Network Security – Malicious Software Protection
Description: Policies and procedures to protect against, identify, and report malicious software
Policies and Procedures:
• Information Security Policy Manual (Network Security)

Business Continuity
Description: Policies, procedures, and training to address interruptions to business activity
Policies and Procedures:
• Business Continuity Plan
• Disaster and Recovery Plan

Business Associate Contracts
Description: Agreements with business associates to ensure proper
Policies and Procedures:
• Business Associate Agreement
• Vendor Questionnaires
• Information Security Policy Manual (Vendor Management)
Physical Safeguard Requirements

Facility Access Controls
Description: Policies and procedures to grant, monitor, and terminate access to physical facilities
Policies and Procedures:
• Information Security Policy Manual (Physical Security)
• Human Resources Procedures

Facility – Emergency Planning
Description: Policies and procedures to restore data in the event of emergency
Policies and Procedures:
• Business Continuity Plan
• Disaster and Recovery Plan

Facility Procedures – Unauthorized Access
Description: Policies and procedures for identifying and responding to unauthorized access to physical facilities
Policies and Procedures:
• Information Security Policy Manual (Physical Security)

Facility
Description: Policies and procedures to monitor and document repairs and changes to physical facilities that impact security
Policies and Procedures:
• Information Security Policy Manual (Inventory)
• Risk Assessment

Workstation Security
Description: Policies and procedures to control access to, changes to, and use of employee workstations
Policies and Procedures:
• Information Security Policy Manual (Work Station Management)

Device and Media Controls
Description: Policies and procedures to address use, storage, transmission, reuse, tracking, and destruction of removable media that store ePHI
Policies and Procedures:
• Information Security Policy Manual (Acceptable Use, Inventory)
• Remote Work Policies
Technical Safeguard Requirements

Unique Name for User Identity
Description: Policies and procedures to assign unique user names to track usage
Policies and Procedures:
• Information Security (Logical Access)

Computer Session Inactivity
Description: Policies and procedures to terminate electronic sessions based on a predetermined time of inactivity
Policies and Procedures:
• Information Security (Workstation Management)

Transmission of ePHI
Description: Policies, procedures, audit controls, hardware, and software to encrypt, monitor, and record the transmission of ePHI
Policies and Procedures:
• Information Security (Cryptology)
• Information Security (PHI Transmission)
Privacy Rule Checklist
Each requirement is listed with its description and the policies and procedures that address it.

PHI Uses and Disclosures for Treatment, Payment, or Operations
Description: Patient authorization for the disclosure of PHI for treatment, payment, and healthcare operations is implied
Policies and Procedures:
• Standard Disclosure of PHI
• Notice of Privacy Practices

PHI Uses and Disclosures that Require Authorization
Description: Patient authorization is required to disclose psychotherapy notes, PHI for marketing, and the sale of PHI; elements of valid authorization
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorization

PHI Uses and Disclosures Requiring Notice and Opportunity to Object
Description: Certain disclosures require prior patient notice and opportunity to object: disclosures to family, facility directories, emergencies, and others
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations

PHI Uses and Disclosures Without Authorization
Description: Certain disclosures do not require prior patient notice: court orders, law enforcement investigations, public health activities, and others
Policies and Procedures:
• Notice of Privacy Practices

PHI Uses and Disclosures: Fund Raising
Description: Disclosure of patient PHI for fund raising purposes requires authorization in most cases
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations

PHI Uses and Disclosures: Research
Description: Disclosure of patient PHI for research purposes requires authorization in most cases
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations

PHI Uses and Disclosures: Personal Representatives and Family
Description: Disclosure of patient PHI to patient family members/representatives is generally permitted, with exceptions
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations

PHI Uses and Disclosures: After Death
Description: Patient privacy rights to PHI disclosure continue 50 years after death
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations
PHI Uses and Disclosures
Description: Prior to PHI disclosure, entities must verify the identity and authority of the requesting party
Policies and Procedures:
• Patient Authorizations
• Standard Disclosure of PHI

PHI Uses and Disclosures: De-Identification
Description: Privacy Rule restrictions related to PHI disclosures do not apply to

PHI Uses and Disclosures: Safeguards for PHI Communication
Description: Entities should ensure that channels of communication are appropriate for transmission of PHI
Policies and Procedures:
• Standard Disclosure of PHI

PHI Uses and Disclosures: Minimum Necessary Standard
Description: PHI disclosures and requests should be limited to the minimum PHI necessary for the treatment, payment, or operational requirement
Policies and Procedures:
• Standard Disclosures of PHI
• Minimum Necessary Policy

Minimum Necessary Standard: Workforce Access
Description: Employee access should be restricted to the minimum necessary, defined by entity policies
Policies and Procedures:
• Minimum Necessary Policy

Minimum Necessary Standard: Routine Disclosures
Description: of minimum necessary for routine disclosures of PHI
Policies and Procedures:
• Standard Disclosures of PHI
• Minimum Necessary Policy

Minimum Necessary Standard: Non-Routine Disclosures
Description: Entities should establish criteria for individual disclosures and review of such disclosures
Policies and Procedures:
• Minimum Necessary Policy
• Individual Disclosures of PHI

Patient Rights: Disclosure Restrictions
Description: Patients may request certain restrictions on PHI disclosure and use; entity agreement to restrictions is not comprehensive
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations
• Disclosure Restriction Form

Patient Rights: Alternative Communication
Description: Patients may request alternative locations and means of communication
Policies and Procedures:
• Notice of Privacy Practices
• Patient Authorizations
• Standard Disclosures of PHI
Patient Rights: Access to PHI
Description: Patients may inspect and request copies of PHI
Policies and Procedures:
• Notice of Privacy Practices
• Standard Disclosures of PHI
• Access to PHI Form

Patient Rights: PHI Amendments
Description: Patients may request amendments of health records
Policies and Procedures:
• Notice of Privacy Practices
• Amendment of Patient Information
• PHI Amendment Request Form

Patient Rights: Accounting of Disclosures
Description: Patients may request an accounting of disclosures of PHI made by the entity
Policies and Procedures:
• Notice of Privacy Practices
• Standard Disclosure of PHI
• Accounting of Disclosures Log

Notice of Privacy Practices: Availability
Description: Covered entities must provide the Notice to patients, in physical locations and on websites
Policies and Procedures:
• Notice of Privacy Practices

Notice of Privacy Practices: Acknowledgment
Description: Covered entities must make a good faith effort to obtain acknowledgement of the Notice
Policies and Procedures:
• Notice of Privacy Practices Acknowledgement

Business Associates
Description: Covered entities may disclose PHI to business associates if the business associate provides safeguards for PHI (contracts, monitoring, enforcement)
Policies and Procedures:
• Business Associate Agreements
• Business Associate Oversight

Privacy Official
Description: Covered entities must designate a privacy official to implement policies and procedures

Contact Person
Description: Covered entities must designate a contact person to receive complaints and provide information regarding the Notice of Privacy Practices
Employee Training
Description: Covered entities must provide adequate training to employees on Privacy Rule policies and procedures
Policies and Procedures:
• Privacy Rule Policies and Procedures Training

Complaints
Description: Covered entities must provide opportunities for and responses to complaints; complaints and resolution must be documented
Policies and Procedures:
• Privacy Rule Complaints
• Complaint Form

Mitigation of Improper Disclosures
Description: Entities must take steps to mitigate improper disclosure
Policies and Procedures:
• Standard Disclosures of PHI
• PHI Disclosure Mitigation

Sanctions
Description: Covered entities must sanction employees for violations of Privacy Rule policies and procedures
Policies and Procedures:
• Employee Sanctions

Record Retention
Description: Documents must be retained according to the period of retention required by law
Policies and Procedures:
• Record Retention Policy
• Record Destruction Log

Non-retaliation
Description: Entities must refrain from retaliating against patients who exercise HIPAA rights
Policies and Procedures:
• Patient Rights

Non-waiver
Description: Entities may not condition treatment of patients upon the patient’s waiver of HIPAA rights
Policies and Procedures:
• Patient Rights

Corrective Actions
Description: Entities must correct violations within 30 days of occurrence
Policies and Procedures:
• Corrective Actions
Breach Notification Checklist
Each requirement is listed with its description; the source does not list specific policies and procedures for these rows.

Identifying Breach
Description: Covered entities and business associates must identify whether an unauthorized PHI disclosure has occurred; certain exceptions apply

Patient Notice
Description: Covered entities and business associates must notify patients of an unauthorized PHI disclosure in the required timeframe, with the required content, and by the required method(s)

HHS Notice
Description: Covered entities and business associates must notify HHS of unauthorized PHI disclosures within the required timeframe (greater or less than 500 patients impacted)

Media Notice
Description: Covered entities and business associates must notify the media of unauthorized PHI disclosures within the required timeframe if more than 500 patients are impacted

Business Associate Notice
Description: Covered entities must notify business associates of unauthorized PHI disclosures within the required timeframe

Law Enforcement Delays
Description: Covered entities and business associates may delay notifying required parties of an unauthorized PHI disclosure if law enforcement states that notification would impede a criminal investigation or damage national security; timeframe of delay based on written and oral requests by law enforcement

Investigation
Description: Covered entities and business associates must investigate unauthorized disclosures

Mitigation
Description: Covered entities and business associates must limit the damaging effects of unauthorized disclosures

Contact Person
Description: Covered entities and business associates must designate an individual for patients, media, business associates, and HHS to contact regarding unauthorized disclosures
Ready for HIPAA Compliance?

Are you a covered entity or business associate who uses PHI to provide services to the public? HIPAA compliance affirms the security of your services and gives your organization the ability to provide clients and regulators with evidence from an auditor who has actually seen your internal controls in place and operating.

Protecting an asset as valuable as PHI can be a challenging responsibility, but when you partner with KirkpatrickPrice, it doesn’t have to be. We offer assessments on compliance with the HIPAA Security Rule and Privacy Rule, as well as risk analyses, gap analyses, policy development, business associate compliance management, and consulting services. Your organization will also benefit from working with KirkpatrickPrice’s Information Security Specialists, who are senior-level experts holding certifications like HCISPP, CISSP, and CISA.

Our audit delivery tool, the Online Audit Manager, streamlines the audit process, helps reduce the complexity of compliance efforts, and gives our clients the ability to combine multiple audit frameworks into one audit. We’ve spent over a decade honing this process so that clients can complete one audit process while receiving multiple reports. Connect with us today to understand the time it takes to complete a HIPAA audit and the cost of receiving a HIPAA report, and take part in a free demo of the Online Audit Manager.