HIPAA Compliance Checklist
brought to you by TrueVault
If you’re handling protected health information (PHI) then you need to be HIPAA compliant.
What’s next? What steps do you need to take in order to become HIPAA compliant?
This checklist will help get you started.

The Four HIPAA Rules

Covered Entities and their Business Associates need to protect the privacy and security of protected health
information (PHI). It can get complicated when you try to create a to-do list. The four rules are:

- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule

TrueVault provides a simple REST API that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
It gives developers the freedom to create applications that require regulatory compliance without worrying about regulatory compliance.
Learn more at truevault.com
HIPAA Security Rule

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure
the confidentiality, integrity, and security of protected health information (PHI).

Technical Safeguards Checklist

The Technical Safeguards focus on the technology that protects PHI and controls access to it. The
standards of the Security Rule do not require you to use specific technologies.

The 5 standards (Access Control, Audit Controls, Integrity, Authentication, and Transmission Security)
include 9 things that need to be implemented.

1. Access Control - Unique User Identification (required): Assign a unique name and/or number for
identifying and tracking user identity.

2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed)
procedures for obtaining necessary ePHI during an emergency.

3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an
electronic session after a predetermined time of inactivity.

4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and
decrypt ePHI.

5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record
and examine activity in information systems that contain or use ePHI.

6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to
corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7. Authentication (required): Implement procedures to verify that a person or entity seeking access to
ePHI is the one claimed.

8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that
electronically transmitted ePHI is not improperly modified without detection until disposed of.

9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever
deemed appropriate.
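As an added illustration (not part of the TrueVault checklist), the following Python sketch shows how
items 1, 3, 5 and 6 above translate into concrete mechanisms in an ePHI record store: actions tied to a
unique user ID, automatic logoff after an idle period, an audit log entry for every access, and an HMAC
integrity tag that lets a reader detect an altered record. The key, timeout, user IDs and records are
constructed sample values.

```python
# Added example, not part of the TrueVault checklist: a minimal ePHI record
# store exercising Technical Safeguards 1, 3, 5 and 6 from the list above.
# Key, timeout, user IDs and records are constructed sample values.
import hashlib, hmac, json, time

INACTIVITY_TIMEOUT = 15 * 60             # seconds; an assumed policy value
INTEGRITY_KEY = b"constructed-demo-key"  # real deployments: key from a KMS/HSM

class EPHIStore:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the timeout can be tested
        self.records = {}        # record_id -> (payload_bytes, hmac_tag)
        self.audit_log = []      # item 5: every access is recorded here
        self.sessions = {}       # session_id -> (user_id, last_activity)
    def _audit(self, user, action, record_id):
        self.audit_log.append({"ts": self.clock(), "user": user,
                               "action": action, "record": record_id})
    def login(self, session_id, user_id):
        # item 1: every later action is attributed to a unique user ID
        self.sessions[session_id] = (user_id, self.clock())
        self._audit(user_id, "login", None)
    def _touch(self, session_id):
        # item 3: a session idle longer than the timeout is terminated
        user, last = self.sessions[session_id]
        now = self.clock()
        if now - last > INACTIVITY_TIMEOUT:
            del self.sessions[session_id]
            self._audit(user, "auto_logoff", None)
            raise PermissionError("session expired after inactivity")
        self.sessions[session_id] = (user, now)
        return user
    def _tag(self, record_id, payload):
        # item 6: HMAC over id + content lets a reader detect alteration
        return hmac.new(INTEGRITY_KEY, record_id.encode() + payload,
                        hashlib.sha256).digest()
    def write(self, session_id, record_id, record):
        user = self._touch(session_id)
        payload = json.dumps(record, sort_keys=True).encode()
        self.records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(user, "write", record_id)
    def read(self, session_id, record_id):
        user = self._touch(session_id)
        payload, tag = self.records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user, "integrity_failure", record_id)
            raise ValueError("ePHI record was altered outside the store")
        self._audit(user, "read", record_id)
        return json.loads(payload)
```

Encryption at rest and in transit (items 4 and 9) and authentication of the person behind the session (item 7) are deliberately left out; in practice they sit in front of a store like this.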
Physical Safeguards Checklist

Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.

The 4 standards (Facility Access Controls, Workstation Use, Workstation Security, and Device and Media
Controls) include 10 things that need to be implemented.

1. Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed)
procedures that allow facility access in support of restoration of lost data under the disaster
recovery plan and emergency mode operations plan in the event of an emergency.

2. Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures
to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and
theft.

3. Facility Access Controls - Access Control and Validation Procedures (addressable): Implement
procedures to control and validate a person's access to facilities based on their role or function,
including visitor control, and control of access to software programs for testing and revision.

4. Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to
document repairs and modifications to the physical components of a facility which are related to
security (e.g. hardware, walls, doors, and locks).

5. Workstation Use (required): Implement policies and procedures that specify the proper functions to
be performed, the manner in which those functions are to be performed, and the physical attributes of
the surroundings of a specific workstation or class of workstation that can access ePHI.

6. Workstation Security (required): Implement physical safeguards for all workstations that access
ePHI, to restrict access to authorized users.

7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the
final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from
electronic media before the media are made available for re-use.

9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of
hardware and electronic media and any person responsible therefor.

10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy
of ePHI, when needed, before movement of equipment.
Administrative Safeguards Checklist

The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the
workforce, and the security measures put in place to protect PHI.

The 9 standards (Security Management Process, Assigned Security Responsibility, Workforce Security,
Information Access Management, Security Awareness and Training, Security Incident Procedures,
Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements) include 18
things that need to be implemented.

1. Security Management Process - Risk Analysis (required): Perform and document a risk analysis to see
where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.

2. Security Management Process - Risk Management (required): Implement sufficient measures to reduce
these risks to an appropriate level.

3. Security Management Process - Sanction Policy (required): Implement sanction policies for employees
who fail to comply.

4. Security Management Process - Information Systems Activity Reviews (required): Regularly review
system activity, logs, audit trails, etc.

5. Assigned Security Responsibility - Officers (required): Designate HIPAA Security and Privacy
Officers.

6. Workforce Security - Employee Oversight (addressable): Implement procedures to authorize and
supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure
that an employee's access to PHI ends with termination of employment.

7. Information Access Management - Multiple Organizations (required): Ensure that PHI is not accessed
by parent or partner organizations or subcontractors that are not authorized for access.

8. Information Access Management - ePHI Access (addressable): Implement procedures for granting access
to ePHI that document access to ePHI or to services and systems that grant access to ePHI.

9. Security Awareness and Training - Security Reminders (addressable): Periodically send updates and
reminders about security and privacy policies to employees.

10. Security Awareness and Training - Protection Against Malware (addressable): Have procedures for
guarding against, detecting, and reporting malicious software.

11. Security Awareness and Training - Login Monitoring (addressable): Institute monitoring of logins to
systems and reporting of discrepancies.

12. Security Awareness and Training - Password Management (addressable): Ensure that there are
procedures for creating, changing, and protecting passwords.

13. Security Incident Procedures - Response and Reporting (required): Identify, document, and respond
to security incidents.

14. Contingency Plan - Contingency Plans (required): Ensure that there are accessible backups of ePHI
and that there are procedures for restoring any lost data.

15. Contingency Plan - Contingency Plans Updates and Analysis (addressable): Have procedures for
periodic testing and revision of contingency plans. Assess the relative criticality of specific
applications and data in support of other contingency plan components.

16. Contingency Plan - Emergency Mode (required): Establish (and implement as needed) procedures to
enable continuation of critical business processes for protection of the security of ePHI while
operating in emergency mode.

17. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the
law require changes to your HIPAA compliance procedures.

18. Business Associate Agreements (required): Have special contracts with business partners who will
have access to your PHI in order to ensure that they will be compliant. Choose partners that have
similar agreements with any of their partners to which they are also extending access.
HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other
personal health information and applies to health plans, healthcare clearinghouses, and those health
care providers that conduct certain health care transactions electronically.

The Privacy Rule requires Business Associates to do the following:

1. Do not allow any impermissible uses or disclosures of PHI.
2. Provide breach notification to the Covered Entity.
3. Provide either the individual or the Covered Entity access to PHI.
4. Disclose PHI to the Secretary of HHS, if compelled to do so.
5. Provide an accounting of disclosures.
6. Comply with the requirements of the HIPAA Security Rule.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings.

HIPAA Breach Notification Rule

The Breach Notification Rule requires most healthcare providers to notify patients when there is a
breach of unsecured PHI.

Summary

When you boil it down, HIPAA is really asking you to do 4 things:

1. Put safeguards in place to protect patient health information.
2. Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
3. Have agreements in place with any service providers that perform covered functions or activities
for you.
4. Have procedures in place to limit who can access patient health information, and implement a
training program for you and your employees about how to protect your patient health information.

Sources
https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html
