The Ultimate HIPAA Compliance Checklist
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, Resources, Security

It was the trip of a lifetime – a far-off destination, filled with rich history – but then came the flood of questions:

“How will we get there? Are there dangers to avoid? What do we bring? This isn’t like running to the corner store – just jump in the car and go. And wait – isn’t it hurricane season?” 

Well, you couldn’t control the weather, but it did help to have a checklist.  

Not unlike your healthcare career. Saving lives and promoting human flourishing always sounded wonderful – a lifelong dream – but the actual journey brought questions. And of course, a few storms.

One bit of nasty weather was learning about those devastating data breaches. Patients being harmed. Even some deaths had occurred. You heard that some healthcare practices were completely shipwrecked.

You came to understand why the AMA stressed that cybersecurity and privacy protections are a huge part of patient care – a key patient safety concern.

Welcome to HIPAA compliance!

But of course, you had questions. “Will following HIPAA requirements really protect us? What changes will we need to make? Will the process be expensive? What does “becoming compliant” even mean?”

Once again, a compliance checklist can be a great place to start. The good news: HIPAA Vault is here to help!  

We offer the following guidance as you’re considering HIPAA’s requirements. If we keep the journey analogy in mind, item #1 on your list is basic: know your destination! So let’s define our terms.

What is HIPAA Compliance? 

You probably have heard that HIPAA is the Health Insurance Portability and Accountability Act of 1996. Over time, Congress has passed five titles (essentially objectives) as parts of the bill. 

These titles impact everything from healthcare record access and portability to tax-related health provisions for medical savings accounts and Group Health Insurance requirements. 

Of the five titles of HIPAA, it’s Title 2 – Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform – that impacts data security and patient privacy the most.

Note: In 2013, HHS issued an Omnibus Rule to implement updates to HIPAA – known as the HITECH Act. Among other things, the act addressed protected health information (PHI) in EHRs, patients’ rights to receive copies of and amend their PHI, and extended the HIPAA Security Rule to Business Associates with regard to administrative, physical, and technical safeguards. 

(We’ll cover what a Business Associate is later). 

Lest you – whether as a provider or developer – are tempted to think these regulations are nebulous or overly restrictive, know that Title 2’s primary goal of data privacy is not only the law – but an intrinsic part of patient safety according to the American Medical Association (as mentioned above).

This is because tangible harms – mainly from unauthorized disclosures or breaches of medical data – can injure a patient on at least four levels

1. intrinsic harm, because their personal information is now known by others

2. economic harm, because individuals could lose their job, health insurance, or housing if the wrong type of information becomes public knowledge

3. social or psychological harm, if a patient is infected, for example, with HIV or another type of sexually transmitted infection and social isolation results

4. identity theft, due to a misuse/breach of their data by unscrupulous actors  

This is why patients are legally entitled to privacy protections – as well as access to their own health records in order to be more proactive regarding their treatments. 

Know too that patients harmed in these ways will understandably seek restitution; class-action lawsuits against healthcare providers and even IT companies who promised to protect sensitive data are increasing.  

As such, stringent methods and tools to prevent PHI from unauthorized disclosures are imperative. 

Now, let’s pause to take a closer look at item #2 on our list: what constitutes Protected Health Information (PHI)?

What is PHI?

Essentially, PHI is any health information that can be tied to an individual. Under HIPAA, this includes one or more of the following 18 identifiers, as  the HIPAA Journal notes:

  • Names (Full or last name, and initial)
  • Dates (other than year) directly related to an individual
  • Phone Numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers (including serial numbers and license plate numbers)
  • Device identifiers and serial numbers;
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal, and voiceprints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

Am I subject to HIPAA rules? 

Now that you know what HIPAA involves, you might still question if it applies to you. The reality is that many kinds of organizations may come in contact with patient information, including hosting companies and app developers. HIPAA regulations specify two categories of entities that handle PHI, and are therefore subject to their rules: covered entities and business associates.

  • The covered entity includes a healthcare provider, health plan, or clearinghouse. 
  • The business associate is a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of the covered entity,” or for another business associate.

If you’re one of these entities, the HIPAA Privacy Rule applies to you. You are required to understand and comply with its regulations. 

If you’re a healthcare software developer whose app will handle PHI, you’re a business associate. In fact, any of the following can be business associates:

  • Medical billing services
  • Marketing companies
  • IT service providers
  • Telehealth companies
  • Cloud storage providers
  • EHR providers
  • Accountants
  • Attorneys
  • Shredding services

HIPAA regulations specify that a signed, written agreement must be in place before proceeding to handle or share PHI. This contract, known as a Business Associate Agreement (BAA), outlines the responsibilities that the relevant parties have in safeguarding the PHI or EHR data. 

Note: A HIPAA cloud service provider (CSP) like HIPAA Vault fits into the category of a business associate. We provide a BAA to anyone who contracts with us to use our solutions – our pledge to protect your data and maintain privacy.

So, do I need to be certified?  

Here we must pause again to say a word about the difference between HIPAA compliance and certification. 

  • HIPAA compliance refers to adhering to the rules and requirements set forth by the Department of Health and Human Services (DHHS) policies and guidelines.
  • HIPAA Certification is the process to obtain or be awarded a document or designation to attest that a person has completed an educational course.

Note that these statuses cannot be used interchangeably; they each have their own separate purposes. Anyone can take a course or receive training to validate knowledge in the core areas of HIPAA regulations and receive a certification. This can be very helpful, for your entire team. In this sense, employees and businesses can become “certified,” but individual employees cannot be labeled “compliant.” 

It should be noted here, however, that the Department of Health and Human Services (HHS) – the government entity which manages and is responsible for enforcing the HIPAA Rule – does not endorse any one, specific certification organization. 

The important point is, “compliance” isn’t a once-and-done thing. It must be continually maintained by an organization. It cannot be achieved by merely taking and passing an exam. 

In the world of data protections, maintaining HIPAA compliance is like taking a snapshot in time. The compliance that is maintained one day may be lost the next, depending on adherence to HIPAA protocols and procedures. This calls for vigilance in the face of continual attempts by malicious actors to gain unlawful access to protected health information.

HIPAA-compliant companies (covered entities, as well as their business associates) will therefore strive to meet HIPAA regulations – all the elements on a compliance checklist – and verify this with a periodic evaluation of their security policies and procedures, both technical and non-technical.  

You’ll soon discover if you haven’t already, that HIPAA regulations are multi-faceted. One facet that shines especially bright is that of trustworthy people promoting a culture of security, with each doing the right thing in their own sphere. 

Now, having laid the groundwork for our journey, let’s look in closer detail at our compliance checklist.  

HIPAA Compliance Checklist 

Important Note: While you will need to implement all applicable safeguards discussed in the following, we recommend reviewing the entire checklist first to see where you are going. Prioritizing the implementation of the Compliance Officer (step 2) should be a priority. That way, they can help guide and document the entire process – an important part of HIPAA regulations.  

Step 1: Familiarize yourself with the HIPAA Security Rule. 

Strong cyber security is the heartbeat of the HIPAA Security Rule. The 3 facets of cyber security – people, processes, and technology – are therefore addressed in the Rule’s 3 safeguards: the Administrative, Technical, and Physical.

Let’s review these safeguards now.

I. Administrative Safeguards are designed to help ensure regulations are followed.

Administrators oversee a Security Review Process that will include risk management measures for protecting data integrity, confidentiality, and availability. 

  • assigning a Privacy Officer to oversee and ensure the development and implementation of security policies and procedures. 
  • establishing workforce policies for granting and revoking access to PHI, as well as password management, 2FA, and employee training on malicious software and phishing. Note: Tamper-detection techniques can be employed to send alerts when code is being modified or changed, and log all changes. Also, be aware of any dashboard access to PHI that might possibly be available to every user.
  • ensuring that a written contract (or BAA) is in force to clarify data protection responsibilities.
  • utilizing the Principle of Least Privilege for access, for both individuals and associated covered entities. 
  • ensuring strong password policies for your WordPress site, to prevent hacks through brute-force attacks. A password manager tool can help! 
  • formulating your response and reporting procedures for security incidents. Who will identify and address incidents? 
  • formulating a plan to recover ePHI in the event of a disaster (fire, flood, equipment failure, or loss of power). Confirm that regular backups are being performed.   

II. Technical safeguards will help protect your data and environment. 

HIPAA does not endorse specific technology companies – technology is always changing – but rather outlines security measures in broad strokes. Four basic implementations of technical safeguards must be implemented:

1. Access Controls

Access controls are about granting rights and privileges to your system; they clarify who will be authorized to access applications, programs, and files that contain PHI. 

Here, the least privilege principle should be applied, which is to grant access privileges only to those who are authorized to complete a given task. Access controls consist of:

A unique user identification to each user, to allow your organization to track each user’s activity in relation to health data – including when they log on and off the system or modify PHI. 

Users will therefore have their own login credentials, and must not share them with other users. Strong passwords and Multifactor Authentication should be employed.  

An Automatic Logoff, to “terminate an electronic session after a predetermined time of inactivity.” (The use of a screensaver that locks your desktop after a period of time – a built-in feature of Windows and Apple – will help to prevent unauthorized access.

Emergency Access Procedures, specifying who has permission to access data in a controlled response during an emergency. There should be a way to access necessary ePHI during an emergency.

2. Audit Controls

HIPAA requires that a technical solution be implemented to monitor and log any changes to your system, and provide real-time feedback. This includes:

all system login attempts (date, time, & username) – both successful and unsuccessful

who accessed ePHI on your server(s) and devices used

who created, read, edited, or deleted application files with ePHI

3. Integrity Controls

Patient health and safety depend upon the integrity of data. These protections help prevent the accidental or intentional alteration or deletion of protected health information.

4. Transmission Security

These controls are meant to protect data against unauthorized access as it is transmitted through your communications network, including your healthcare website. The industry standard for this is encryption. 

III. Physical safeguards will provide tangible protections to you and your facility and patient data.

These include:

  • locked doors with access codes 
  • restricted area warning signs
  • cameras
  • alarms
  • security services
  • personnel and property controls, etc.
  • workstation security that restricts access to only authorized users
  • device and media controls, with methods to document and properly dispose of hardware and software so that patient data is not exposed.

Step 2: Assign a Compliance Officer

We mentioned this already, but it bears repeating: you’ll need a point person to ensure your organization is satisfying all HIPAA regulations. In fact, this isn’t just a smart idea – it’s actually part of the required administrative safeguards mentioned above. Without a C.O., maintaining compliance will be a lot more challenging. 

Identifying the right person for this is critical – whether it’s an existing employee who will train for the role, or a new hire who comes with expertise. An eye for detail and good writing skills are invaluable.

What functions will the Compliance Officer handle? Here is a summary:

  • Create HIPAA-compliant procedures and monitor compliance with the program
  • Oversee the HIPAA training of your employees and document it
  • Investigate and report any data breach incidents as required
  • Ensure the protection of your patients’ rights in accordance with federal/state laws
  • Keep up-to-date with pertinent state and federal laws
  • Ensure that a regular risk analysis is performed

Note: The Office of Civil Rights (OCR) conducts period audits to ensure compliance. If your organization happens to be audited, you will have just 10 days to respond or you may face significant penalties – potentially in the millions of dollars. 

Step 3. Form a blueprint for your data       

Once again, imagine you’re taking a trip into unknown territory. You wouldn’t leave without first mapping the terrain you’ll need to cover – where you’re going, how you’ll travel, even the rest stops you’ll take. 

The same applies to your sensitive data: you’ll want to know exactly where and how it will travel, who will handle it, and where it will rest.

Diagram your sources of data. Have you included all the ePHI that you receive, create, or transmit – including from your website and from external sources such as vendors? Have you identified all possible business associates, and secured BAAs with them? 

Ensure your team understands the context in which the data is created and used, and how it is subject to regulation.

Step 4. Take stock of your risks – perform the HIPAA Audits

In addition to mapping out your data’s journey (step 3), you’ll also want to look for potential danger spots. Think of needing to drive through an icy mountain pass or hazardous sections of the road.

You can’t sit back and click on “cruise control” – you must be vigilant. If this step is left unaddressed, these risks will actually leave the door open for patient harm to occur and for malicious actors to exploit your PHI and business. 

Essentially, you will be looking to answer: What are the human, natural, and environmental threats to information systems that contain electronically protected health information (e-PHI)? 

Addressing risk is part of the 6 audits your organization must perform:

  • A Security Risk Assessment
  • A Privacy standards audit
  • A HITECH subtitle D privacy audit
  • A Security Standards Audit
  • An Asset and Device Audit
  • A Physical site audit

For each, you will seek to answer how you’ve,

  • identified and documented potential threats and vulnerabilities
  • assessed current security measures
  • determined the likelihood and potential impact of threat occurrence
  • determined the level of risk
  • identified security measures and finalized documentation

We believe that regular gap remediation for risk assessment – with documented plans to address all deficiencies – is critical for assessing areas of risk. The assessment should include review of staff, practices, and technology:

Step 5. Document all assessments, procedures, and training 

Should your company ever be audited, it will be key to have all your HIPAA documentation, procedures, training sessions, and risk assessments. Again, the Compliance Officer should ensure that this documentation is in place and that procedures include:   

  • how to use and disclose PHI to prevent HIPAA violations
  • how to obtain authorizations 
  • a Notice of Privacy Practices that details how you use/disclose PHI
  • how to handle patient access requests (to their PHI)
  • emergency access to PHI 
  • breach notification steps

Documentation in the event of an emergency situation, as well as breach notifications should be kept current. You won’t want to be scrambling to create documentation in the event of a surprise audit.  

For example, in the event of a data breach, an auditor will want to know: what is your plan, and how will you appropriate “first aid” in order to mitigate damages? If a breach of protected health information does occur, are you prepared to meet the reporting guidelines laid out by HHS?

Staff training – with refresher training conducted annually – will be necessary to help your team clearly understand HIPAA requirements about patient privacy, as well as their own responsibilities to work securely. Have you included training on social engineering/phishing scenarios so your employees will recognize fraudulent attempts to steal their credentials?

It’s true, as someone has said about security: “Your security solution is only as good as the people you have maintaining it.”

We hope the above checklist brings some clarity to your journey. We understand that it can be daunting to implement, and it may be helpful to make use of HIPAA-compliant software that will help your implementation.  

Part 2: Protecting PHI in the cloud

Tracing the path of your sensitive data, as we mentioned above, is key. Since paper health records from yesteryear have mostly gone digital – kept in the cloud – chances are you’ll be needing a HIPAA-compliant host to protect your PHI and keep it highly available for patient care.  

Ensuring that your data stays secure and compliant along its journey, however, is a complex undertaking. In the face of malicious attackers who are always ready to ransom or steal, cutting-edge security technology that includes 24/7 protection is a must.  

Cloud storage that fails to maintain the “3 pillars of data security” – confidentiality, integrity, and availability – can mean the collapse of your practice. Ultimately, it’s patients who will suffer from a lack of care. 

The following is a checklist you can use to verify that your HIPAA-compliant host is meeting HIPAA requirements: 

With that said, we believe there are at least ten essentials that you should require of a HIPAA hosting provider (and we’ll explain each):

  • A proven, HIPAA-compliant infrastructure
  • A signed Business Associate Agreement (BAA)
  • Appropriate physical and technical safeguards
  • Encryption, both in transit and in storage
  • Systems are monitored 24/7 to ensure consistent reliability and uptime
  • Regular vulnerability scans of servers and mitigation of the vulnerabilities discovered 
  • Server hardening (securing with updates and patches) 
  • Off-site backups of your data
  • Log retention of 6 years – a HIPAA mandate
  • Strong relationships, dedicated support, and cost-effective

Let’s look at what each of these essentials provides you:

1. A proven HIPAA-compliant infrastructure

A HIPAA-compliant infrastructure will possess all the controls you need in your environment to preserve the confidentiality, integrity, and availability of protected health data – both in transit and at rest. This means that the data that passes through your website portals, your network, and your database servers will have an excellent chance of being kept safe from malicious attacks. 

An experienced host with proven managed security expertise will achieve this by providing everything from access controls (unique permissions, strong password requirements, multi-factor authentication) to specially configured firewalls, transport layer security, operating system security, malware prevention, segregated web and database servers, and more. 

HIPAA Vault’s customers can also have peace of mind that our world-class data centers meet or exceed industry-standard certifications, including SSAE 16, NIST 800-53, and Service Organization Controls (SOC) audits 1, 2, and 3.

  • SOC 1 is used for the auditing of Internal Controls over Financial Reporting (ICFR) focusing on security and availability.
  • SOC 2 is used to audit the service organization in terms of relevancy for Security, Availability, Processing Integrity, Confidentiality, and Privacy (called the Trust Services Principles), to ensure systems have protection against unauthorized physical/logical access.
  • SOC 3 is used for the same auditing purposes as SOC 2 and includes auditing in accordance with the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations – to provide a summary Trust Services Report.

These audits, along with HIPAA and HITECH Omnibus standards, are used for assurance and validation that all service controls have been implemented and are functioning properly. 

2. A Signed Business Associates Agreement (BAA)  

One thing that a traditional web hosting company will NOT provide you with is a signed, legal agreement (BAA) promising to protect your medical data. The reason for this is that they don’t have the infrastructure or expertise to do so. Yet this is exactly what is required of a HIPAA host. A BAA means they understand and accept liability to protect your data and keep it highly available and flowing freely to and from the protected data center. Make sure you ask for this. 

3. Cutting-edge physical and technical safeguards 

In accordance with the HIPAA Security Rule, your hosting company should maintain advanced physical and technical safeguards to help ensure the confidentiality, integrity, and security of PHI. Ask them if they have policies and procedures in place for this.

There should be safeguards to protect IT equipment [workstations, mobile phones, etc.] as well as data centers from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted area warning signs, cameras and alarms, and 24/7 security services. 

A HIPAA-compliant infrastructure must be also governed by technical controls which will authenticate user access to your hosting environment. They should have a system for developing unique user IDs and passwords, as well as procedures for login, logout, encryption/decryption, and emergencies.

Once a determination is made regarding the appropriate access and permissions for your team, admins will set these unique user IDs.

4. Encryption, both in transit and in storage 

Sensitive medical data needs strong, end-to-end privacy protections to preserve it should it ever fall into the wrong hands. Encryption is the “standard of care” for protecting health data; it does this by replacing your data with ciphertext, making it unreadable until decrypted.

HIPAA-compliant hosting ensures the encryption of data “in transit” – meaning, from the patient to the web server, and outside the hoster’s physical boundaries to the wide-area network (WAN) between data centers – and also “at rest” on their servers.

The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.

5. Systems are monitored 24/7 to ensure consistent reliability and uptime 

Another way that a HIPAA-compliant host will maintain the high availability and integrity of data is by monitoring the health of each server. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS.

Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This allows them to take action proactively and keep your system available and running smoothly.

6. Regular vulnerability scans of servers and mitigation of the vulnerabilities discovered

The HIPAA Compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it). In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure. 

7. Server hardening (securing with updates and patches)

Server hardening is the process of applying appropriate security measures to your servers. The HIPAA Compliant web host should harden your servers as part of their deployment process; ask them for a copy of their server hardening steps. Depending on the system involved (such as Windows or Linux) these steps may include:

  • servers housed in a secure data facility
  • removing any unnecessary programs from servers
  • establishing unique permissions and strong password policies
  • automating security patches and real-time updates
  • advanced security tools, including anti-DDoS management, custom IP Reputation, host-based and network Intrusion Detection (HIDS/NIDS), managed firewalls, and enterprise-grade monitoring 
  • creating a security banner that is displayed to the user when they log in, warning them that your server is only for authorized users. (Ask the host to show you a copy of the banner as well)

Note: When a particular server is no longer required, care should be taken to wipe its hard drives with several passes. This will help to ensure that the data cannot be read by someone else if the drives are used again. 

8. Off-site backups of your data 

Ask your HIPAA web host if they provide automatic, offsite backups and how far the backups are physically from where your servers are hosted. The backups should be geographically in a separate location – at least 50 miles away or further.

This helps prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. In this way, you preserve critical data integrity and availability.

9. Log retention of 6 years (a HIPAA mandate) 

A HIPAA Compliant host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. This is in accordance with HIPAA regulations, and the host ideally should offer a streamlined approach to gathering these logs and searching through them.

These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts. 

According to regulations, these logs must be kept for a minimum of six years. It’s vital that you are able to review and have access to these logs at any time and ensure they are available for audit purposes. 

Note: Your own organization is also required under HIPAA to keep logs of Risk Assessments and Analyses, Authorizations for the Disclosure of PHI, Disaster Recovery and Contingency Plans, Information Security and Privacy Policies, Employee Sanction Policies, Incident and Breach Notification Documentation, and more. Be sure to review and comply with HIPAA regulations on log keeping. 

10. Strong relationships, dedicated support staff, and cost-effective solutions 

Last but not least, in addition to a robust, secure managed platform that includes all of the above, we think strong relationships are key (and we bet you do too).

As critical as your environment is for being proactive and preventative in your care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. They should essentially act as an extension of your own company. 

For example, HIPAA Vault maintains a “tier-less” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring – with over 90% resolution the first time you call.

No phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money.

HIPAA compliance is an ongoing journey

We’ve given you a lot to digest. We hope it’s clear that while HIPAA compliance is a journey, it isn’t like a vacation destination where you arrive and say “We’ve made it! We can relax now!” Vigilance is always required.

While we do believe that the checklists above can help prepare you for this journey, you still may need guidance. It’s great to know that you’ve got a trusted traveling companion in HIPAA Vault! Talk to us about how we can help steer you, including the use of a specialized software program that can help you meet all the above requirements.

If you have any questions about HIPAA compliance or would like to talk to us about our HIPAA hosting solutions, give us a call! 760–394-6920