
HIPAA compliance checklist guide for 2022


This post was updated on June 22, 2022

As discussed in our article on HIPAA Compliance, the Health Insurance Portability and Accountability Act (HIPAA) is a collection of closely aligned regulations that protect the medical data of patients in the United States.

In that article, we also discuss who must be HIPAA compliant: covered entities and business associates, which in practice means any organization that creates, receives, stores, or transmits patients’ protected health information (PHI). Failures in HIPAA compliance are known as HIPAA violations and can result in stiff fines.

This article explains the most important measures and best practices that covered entities and business associates must address in order to be HIPAA compliant. 


How to be HIPAA compliant

The HHS Office of Inspector General (OIG) offers a Compliance Resource Portal that sets out the “seven fundamental elements of an effective compliance program.” These elements are:

  1. Standards, Policies, and Procedures
  2. Compliance Program Administration 
  3. Screening and Evaluation of Employees, Physicians, Vendors, and other Agents
  4. Communication, Education, and Training on Compliance Issues 
  5. Monitoring, Auditing, and Internal Reporting Systems 
  6. Discipline for Non‐Compliance
  7. Investigations and Remedial Measures

A HIPAA compliance checklist

In practical terms, the key measures that must be implemented by all covered entities and business associates that wish to be (and remain) HIPAA compliant can be summarized as:

1. Develop robust standards, policies, and procedures

Covered entities and business associates must develop administrative policies and procedures that ensure they meet the HIPAA Privacy, Security, and Breach Notification Rules. Staff must be trained in these standards, policies, and procedures when they join and at regular intervals afterwards, and must attest in writing that they have received the training.

2. Implement strong physical and technical safeguards

To be HIPAA compliant, entities must ensure that all electronic PHI (ePHI) they hold is secured. This includes implementing:

  • Technical safeguards: restricting access to ePHI to authorized personnel; assigning every user a unique identifier and authenticating them before access (for example with a hardware token or another multi-factor method); keeping audit logs of hardware and software access and reviewing them for irregular activity; encrypting ePHI at rest and in transit; enforcing automatic logoff on idle sessions; defining an emergency access (“break-glass”) procedure so that ePHI can be reached in an emergency without bypassing logging; and using a HIPAA-compliant email service for any PHI sent by email.
  • Physical safeguards: controls on who can physically enter buildings, offices, and facilities; controls on who can use workstations and removable electronic media; and documented procedures for moving, reusing, or disposing of workstations and media (such as old hard drives) so that no ePHI leaves with them.
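As an added example (not code from the original post), the Python script below reviews constructed ePHI access-log lines and applies the access-control and audit-control ideas listed above: it flags an account that is not on the authorized roster, access outside business hours, use of the emergency-access procedure, and one user opening an unusually large number of patient records within a short window. The log format, user roster, business hours, and thresholds are assumptions chosen for illustration.

```python
"""Review ePHI access logs for the kinds of irregular activity that the
Security Rule's audit-controls standard expects an entity to look for.

Added example, not from the original post. The log format, the user
roster and every threshold below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

AUTHORIZED_USERS = {"nurse_a", "nurse_b", "dr_c"}   # assumed roster
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # assumed working day
BULK_WINDOW = timedelta(minutes=10)                 # assumed review window
BULK_DISTINCT_PATIENTS = 10                         # assumed threshold


def build_sample_log():
    """Constructed sample log (CSV: timestamp,user,patient_id,action); not real data."""
    lines = [
        "2022-06-20T09:01:12,nurse_a,P1001,VIEW",
        "2022-06-20T09:03:40,nurse_a,P1001,UPDATE",
        "2022-06-20T10:15:00,temp_x,P1002,VIEW",        # account not on roster
        "2022-06-20T23:47:10,dr_c,P3001,VIEW",          # outside business hours
        "2022-06-20T10:20:00,dr_c,P4001,BREAK_GLASS",   # emergency-access procedure
    ]
    # nurse_b opens 15 different charts in under five minutes
    start = datetime(2022, 6, 20, 9, 5, 0)
    for n in range(15):
        ts = start + timedelta(seconds=20 * n)
        lines.append(f"{ts.isoformat()},nurse_b,P{2001 + n},VIEW")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Turn CSV lines into records with a real datetime for the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def review(records):
    """Return (rule, user, detail) findings, sorted so reports are reproducible."""
    findings = []
    by_user = defaultdict(list)
    for r in records:
        # Access control: only accounts on the current roster may touch ePHI.
        if r["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized_user", r["user"], r["patient"]))
        # Out-of-hours access is not forbidden but must be reviewed.
        if not BUSINESS_HOURS[0] <= r["ts"].time() < BUSINESS_HOURS[1]:
            findings.append(("out_of_hours", r["user"], r["ts"].isoformat()))
        # Emergency access must be logged and justified after the fact.
        if r["action"] == "BREAK_GLASS":
            findings.append(("emergency_access", r["user"], r["patient"]))
        by_user[r["user"]].append(r)
    # Bulk access: many distinct patients within one window suggests snooping
    # or bulk export rather than treatment of individual patients.
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            window = [e for e in events[i:] if e["ts"] - first["ts"] <= BULK_WINDOW]
            distinct = {e["patient"] for e in window}
            if len(distinct) > BULK_DISTINCT_PATIENTS:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} patients in {BULK_WINDOW}"))
                break
    return sorted(findings)


def run_sample():
    """Review the constructed sample log and return its findings."""
    return review(parse_log(build_sample_log()))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:18} {user:10} {detail}")
```

Running it prints one line per finding. Findings are sorted so the same log always produces the same report, which matters when the report is itself kept as audit documentation. An emergency-access or out-of-hours finding is not necessarily a violation, but the Security Rule expects such access to be reviewed and its justification recorded.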

3. Perform an annual HIPAA risk assessment

According to HHS guidance on the HIPAA Security Rule, “risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”

To meet this requirement, covered entities and business associates are strongly advised to perform at least an annual self-audit to identify gaps in their implementation of the standards in the Security and Privacy Rules. The audit should cover every administrative, physical, and technical safeguard the organization relies on for HIPAA compliance, and its findings should be recorded, since the risk analysis itself must be documented under the Security Rule.

4. Report data breaches

HIPAA-compliant entities must have written procedures setting out what happens after a breach of unsecured PHI. These must cover notifying the affected individuals, the HHS OCR, and, for breaches affecting more than 500 individuals, the media, within the deadlines set by the Breach Notification Rule.

5. Investigate violations and implement remedial measures

If a HIPAA violation occurs for any reason (including any violation identified during the annual self-audit) then it must be fully investigated, and a remedial plan developed and then implemented to correct the problem and bring the covered entity or business associate back in line with HIPAA regulations.

6. Document everything

Covered entities and business associates should document everything related to HIPAA compliance. This includes:

  • All measures taken to become HIPAA compliant.
  • All contact with other covered entities and business associates that they share PHI with.
  • All HIPAA violations that occur, plus all measures taken to remedy and report such incidents.

Without extensive documentation of everything relating to HIPAA compliance, an organization is likely to fail an HHS OCR audit, since auditors can only assess what you can show them.

What is an OCR HIPAA audit?

HIPAA is overseen by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR).

In response to the growth in data breaches being reported to HHS, in 2014 the OCR announced the first phase of a new Privacy, Security, and Breach Notification Audit Program.

A second phase was conducted in 2016, and in 2017 the OCR announced phase 3: on-site audits. This significantly expanded the program, since OCR auditors can now visit an organization’s premises to examine evidence that it is HIPAA compliant rather than relying on submitted documentation alone.

A major practical purpose of maintaining a HIPAA compliance checklist is therefore to be able to prove compliance in the event of an OCR audit. Whether or not an audit ever happens, though, it is in everyone’s interest that covered entities and business associates work to maintain HIPAA compliance.

Audit Protocol

To help entities create checklists that meet HIPAA standards, the OCR has published an Audit Protocol that explains every area that may be assessed during an OCR audit.

The audit protocol lists the different audit types (privacy, security, or breach), and identifies “key activities” that entities must comply with to be deemed HIPAA compliant. The “established performance criteria” needed to meet these standards are explained in detail.

HIPAA checklist FAQ

What is required for HIPAA compliance?

HIPAA-compliant entities must appoint a HIPAA Privacy Officer and a HIPAA Security Officer to oversee HIPAA compliance. These can be existing staff members or outside contractors, and in a small organization one person may hold both roles.

Their responsibility is to run risk assessments on the privacy and security systems and standards used by your company to protect PHI. The key areas that must be examined are:

  • The working practices of all staff members
  • Physical security measures in place to prevent unauthorized access to PHI
  • Electronic security measures in place to prevent unauthorized access to PHI
  • How your company will respond if a HIPAA violation or data breach occurs

Once risks have been identified, effective measures should be put into place to address them. The HIPAA Audit Protocol makes it clear that the OCR values evidence that self-audits are updated on a regular basis to account for changes within the entity, and for changes in the wider privacy and security landscape.

How do you do a HIPAA compliance checklist?

Your HIPAA Privacy and Security Officers should document all the key areas they have examined for potential risks. If existing safeguards are deemed sufficient to address these risks then this should be documented, or if additional safeguards are required then this, along with evidence of implementing the safeguards, should also be documented. 

Detailed plans should be made and documented about what to do in the event of a HIPAA violation or data breach, with clear lines of responsibility established for actions that will be taken.

How do I know my documentation is sufficient to pass a HIPAA audit?

The Audit Protocol, which is published on the HHS website, should help identify all areas that your HIPAA compliance checklist should cover. If you are not confident in your entity’s ability to produce sufficient documentation, there are many companies that offer professional help with HIPAA compliance.

What are desk audits and physical audits?

Desk audits are remote audits, where covered entities and business associates are asked to submit their documentation via the OCR’s secure web portal. Physical audits involve the OCR turning up at your workplace to inspect your HIPAA compliance provisions. They are often made in response to a lack of cooperation when an entity is asked to submit a desk audit, but also include the impromptu phase 3 on-site audits discussed above.

What happens if you fail a HIPAA audit?

If minor issues are found during a desk audit, you will be notified by HHS. If minor issues are found during a physical audit, you may need to produce evidence that you have addressed them.

If major issues are found during any HHS audit, you may be subject to civil monetary penalties.

Do HIPAA audits only assess how ePHI is stored and transmitted?

No. Although the audits were introduced primarily to address the rise in electronic data breaches, they assess all aspects of HIPAA compliance: administrative practices, physical security measures, and planning for the possibility of a data breach, as well as the technical measures used to keep ePHI safe.

Douglas Crawford

Starting with ProPrivacy and now Proton, Douglas has worked for many years as a technology writer. During this time, he has established himself as a thought leader specializing in online privacy. He has been quoted by the BBC News, national newspapers such as The Independent, The Telegraph, and The Daily Mail, and by international technology publications such as Ars Technica, CNET, and LinuxInsider. Douglas was invited by the EFF to help host a livestream session in support of net neutrality. At Proton, Douglas continues to explore his passion for privacy and all things VPN.
