
Know about HIPAA compliance checklist

Author: John Smith
Posted: Apr 28, 2015

The National Institute of Standards and Technology (NIST) is a federal agency whose primary purpose is to work with different industries to develop and apply technology. NIST published "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule", which outlines standards for risk assessment. These same standards have been adopted by the U.S. Department of Health and Human Services (HHS). The security requirements for Protected Health Information (PHI) are regulated under the Health Insurance Portability and Accountability Act (HIPAA) and are subject to the standards developed by NIST. Since HIPAA compliance is an ongoing process rather than a single event, a HIPAA compliance checklist is necessary to ensure a company continues to adhere to the federal regulations developed by NIST and HHS.

Under the HIPAA Security Rule, a covered entity is responsible for the confidentiality, reliability, and availability of PHI. In addition, a covered entity is responsible for the detection and prevention of anticipated threats, whether intentional or unintentional. Any such threat can subject PHI to loss, damage or corruption and could compromise the privacy of individuals. The Privacy Rule ensures PHI is protected from unauthorized uses and disclosures, while the Enforcement Rule focuses on investigation of and penalties for any breach. The Breach Notification Rule outlines the process a company must follow to give notice of a breach.

The Security Rule focuses on safeguards to ensure an individual’s confidentiality by securing their PHI. There are three types of safeguards: technical, physical and administrative. Technical safeguards include: controlling access, integrity and authentication, audits and securing the transmission of data. Physical safeguards revolve around facility control, workstation use and security and control of hardware. Administrative safeguards include: security management and responsibility, workforce security and management of access. Additional aspects of administrative safeguards include security awareness training, clearly defining incident procedures, contingency plans, and business associate agreements.

The Privacy Rule is important because it guarantees that unauthorized uses or disclosures of PHI will not be allowed. If there is a violation of the Privacy Rule, breach notifications are sent to the individuals affected by the unauthorized use or disclosure. This rule also dictates who can access PHI, when it can be accessed and for what reason the information can be accessed. According to the Privacy Rule, the secretary of HHS must have access to PHI, and a covered entity must provide an accounting of disclosures to prove compliance with the Security Rule.

The Enforcement Rule is simply the process outlined for the investigation of a breach and the penalties and procedures that are incurred due to a breach. The Breach Notification Rule works in conjunction with the Enforcement Rule. Any covered entity that detects a breach of PHI is required to send notification to an affected individual or individuals. In addition to contacting individuals, organizations must also notify HHS of any violations. It is also important for companies to notify the media and public when a breach has an effect on a much larger scale. HHS requires public notification when more than 500 people are affected by a breach.

A HIPAA compliance checklist should help a covered entity assess its administrative processes and should include: security management, security responsibility, workforce security, management of information access, security awareness and training, incident procedures, business associate contracts and contingency plans. Physical processes are also important and include the management of facility access and devices. Technical processes such as access to data, audit controls, software integrity, authentication procedures, and transmission of data should also be covered on a compliance checklist. HHS requires that a compliance checklist cover the specific compliance standards developed by NIST.

About the Author

The author has written many articles on HIPAA software related products. He specializes mainly in HIPAA topics.
