The ultimate HIPAA compliance guide and checklist
Organizations working in and with the healthcare industry must confront a certain amount of complexity to stay on top of the technology and practices necessary to achieve HIPAA compliance. Vanta helps you establish policies, procedures, and ongoing practices that will position you for a successful HIPAA compliance review and audit — and to showcase your comprehensive commitment to healthcare data security.
Our guide will walk you through the key points of HIPAA and critical additions since its introduction, discuss what it means to comply with HIPAA (and outline the risks of non-compliance), and help you take important next steps on your HIPAA compliance journey.
HIPAA basics and terminology you need to know
Let’s start with a HIPAA overview. What is HIPAA and what is its purpose? HIPAA, the Healthcare Insurance Portability and Accountability Act, was signed into law on August 21, 1996. HIPAA’s overarching goal is to keep patients’ protected health information (PHI) safe and secure, whether it exists in a physical or electronic form. HIPAA was created to improve the portability and accountability of health insurance coverage for employees moving between jobs. HIPAA was also created to deal with waste, fraud, and abuse in health insurance and delivery of healthcare, as well as to promote the use of medical savings accounts, provide coverage for employees with pre-existing medical conditions, and simplify the administration of health insurance.
To achieve this administrative simplification in particular, the healthcare industry was encouraged to computerize patients’ medical records — an effort that has both improved patient healthcare and communication, and introduced increased risk to patient data privacy through the possibility of identity theft and patient privacy violations.
HIPAA compliance checklist
Attaining HIPAA compliance can be a complex and time-consuming process, and the work to maintain your compliance never ends. However, a clear to-do list will help you simplify this and plan the project accordingly. Download our HIPAA compliance checklist to keep you on track toward compliance. To begin assessing and planning your compliance process, though, start with these steps:
1. Determine what you need; which annual audits and assessments are required for your organization?
2. Get a starting point by conducting initial audits and assessments to see which requirements you don’t yet meet.
3. Create a plan for meeting any missing criteria and put it into action.
4. Delegate your compliance by appointing a HIPAA Compliance Officer.
5. Plan HIPAA training for all your staff, conducted by the HIPAA Compliance Officer, and make sure your HIPAA Compliance Officer conducts these training sessions every year.
6. Get a completed attestation of HIPAA policies and procedures from all members of staff.
7. Ensure that your business associates are HIPAA compliant as well by conducting your own audits and assessments of them, and conduct these reviews every year.
8. Create policies and protocols for potential data breaches, review these policies with your staff, and make sure you have a plan for reporting these breaches to the HHS OCR.
HIPAA compliance requirements
There have been a number of additions to HIPAA since its initial passage that require the critical attention and compliance of covered entities and business associates, such as healthcare providers and plans, and vendors or subcontractors who have access to protected health information. These HIPAA additions include the HIPAA Privacy Rule, Security Rule, Enforcement Rule, the HITECH (Health Information Technology for Economic and Clinical Health) Act, the Breach Notification Rule, and the Final Omnibus Rule.
- The HIPAA Privacy Rule (2003) sets national standards to safeguard individuals’ medical records and other protected health information, and establishes when PHI may be used and disclosed.
- The HIPAA Security Rule (2005) specifies safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), and articulates three types of security safeguards — administrative, physical, and technical — that must be adhered to in order to ensure HIPAA compliance.
- The HIPAA Enforcement Rule (2006) was introduced to give the U.S. Department of Health and Human Services the ability to investigate complaints against covered entities not operating in compliance with the Privacy and Security Rules, and to enact penalties.
- The Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced in 2009; its primary goal was to urge healthcare authorities to implement the use of electronic health records (EHRs), as well as to incentivize healthcare organizations to maintain patient protected health information in electronic format as opposed to paper files. This led to the extension of the HIPAA Rules to business associates and third-party healthcare industry suppliers, so that any organizations interacting with protected health information were bound to comply with HIPAA.
- The HIPAA Breach Notification Rule (2009) was also introduced in conjunction with the HITECH Act’s changes, requiring that in the event of a breach of unsecured PHI, notification of the breach is communicated to affected individuals, the U.S. Department of Health and Human Services, and in some cases, the media.
- The Final Omnibus Rule (2013) clarified gray areas and fleshed out necessary details in existing HIPAA and HITECH regulations, while also establishing new penalties for HIPAA noncompliance.
The encouragement to use electronic health records and to maintain patient PHI in electronic form led to the wider development of technology and platforms for digital health data storage and distribution — which in turn increased the need for healthcare and related organizations to effectively manage and monitor access to sensitive healthcare information.
Organizations working in and with the healthcare industry must have a range of clear policies and procedures in place to ensure the safety of patient data, to ensure their compliance with the various rules and components of HIPAA, and to track and document their compliance for audit and verification purposes.
What does it mean to be HIPAA compliant — and how can my company get started?
Achieving HIPAA compliance isn’t a matter of proving your company’s adherence to a single static standard. HIPAA’s rules and requirements are intentionally broad and flexible to accommodate the range of types and sizes of covered entities and business associates that create, access, process, or store protected health information (PHI), and that must thus comply with HIPAA.
HIPAA compliance is an evolving process; your organization is responsible for proving in an ongoing way that you are abiding by all the rules of HIPAA. Your company’s compliance with HIPAA involves fulfilling the requirements of the initial act of 1996, its subsequent amendments and additions, and any related legislation.
Who needs to be HIPAA compliant?
Covered entities and business associates with access to PHI are obligated to ensure that administrative, physical, and technical safeguards are in place to maintain the security of patient data; that they are in compliance with the HIPAA Privacy Rule; and that they have procedures in place to comply with the Breach Notification Rule should a data breach occur. An individual or a team within your organization must be identified as the responsible party for ensuring your organization’s HIPAA compliance. They should lead the charge in managing HIPAA compliance and assume the business risk to your company.
Your company will want to develop and implement a system for tracking policies, processes, procedures, documents, and related compliance materials. Your goal is to maintain compliance with HIPAA’s various component elements, to track any changes in ongoing HIPAA regulations, and to establish and maintain organizational processes for gathering compliance metrics, such that the status of your compliance with HIPAA is evident at any time.
HIPAA’s recommendations for how organizations can go about achieving compliance are technology-neutral, in that there are no expectations of use of certain prescribed systems or services; the expectation is that organizations and entities are advancing a serious approach to achieve compliance with HIPAA’s data protection regulations.
Understanding the penalties for non compliance with HIPAA
The creation of the HIPAA Enforcement Rule introduced the ability of the U.S. Department of Health and Human Services (HHS) to fine organizations for avoidable ePHI breaches. HHS’s Office for Civil Rights (OCR) is responsible for this enforcement, which it achieves through conducting compliance reviews, conducting outreach to encourage compliance, and investigating complaints.
The financial and other penalties incurred as a result of HIPAA violations and data breaches can be extraordinarily costly — from steep fines that vary by violation, to the organizational costs of issuing breach notifications and mitigating the damages following breaches, to the further possibility of criminal prosecution.
Fines may be levied against an organization whether a violation was unintentional or deliberate. Civil violations tend to involve situations where a covered entity fails to resolve a breach violation, and civil money penalties are subsequently levied to compensate for the violation. The Office for Civil Rights separates civil money penalties into four categories that range from a Tier 1 violation committed without an entity having reasonably known (incurring a possible fine of $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations) to a Tier 4 violation in which a breach has occurred due to willful neglect and the cause of the violation has not been remedied (incurring a fine of $50,000 per violation, and capped at $1.5 million per year). A recently revised interpretation of the HITECH Act implemented restructured caps, with annual maximums increasing with the severity of the violation tier — a change intended to acknowledge an entity’s level of culpability in a breach and set maximum fines accordingly.
By managing and monitoring your organization’s compliance with the rules and regulations of HIPAA on an ongoing basis, you will be best positioned to identify any potential data security risks or threats and to mitigate those risks before they turn into larger and much costlier problems.
How can your company begin its HIPAA compliance journey?
Vanta streamlines your HIPAA and SOC 2 audit prep and support you as you prepare for a smooth and thorough evaluation and reporting process. As there is no official HIPAA compliance reporting mechanism, leveraging the SOC 2+ HIPAA report allows you to demonstrate your compliance using an industry standard report structure in the SOC 2 audit and to save on both time and cost.
Vanta includes HIPAA compliance support, and we’re able to offer guidance and information on preparing for your HIPAA audit — helping you track how ePHI flows through your systems and access points, helping you develop a breach notification policy and template, building a statement of applicability that describes how your organization controls for each of the HIPAA safeguards, and more. As part of Vanta’s HIPAA support package, we include features for tracking resources on your inventory list that store or process ePHI, as well as tracking Business Associate Agreements for vendors with whom you share ePHI. Vanta also offers HIPAA addendum policy templates to help you get started with your HIPAA policy language. We can help you utilize Vanta’s feature set to help track a range of HIPAA tasks, such as employee training, and to further customize your HIPAA compliance approach. Vanta will additionally support your company in preparing for
Vanta provides a set of security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts. Vanta also offers a suite of tools streamlining the non-technical components of security tracking and audit preparation, so gathering and consolidating audit evidence is easier for both your company and your auditor. Vanta is “security in a box” for technology companies, trusted by hundreds for their SOC 2 preparation and more.
FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC
Download this checklist for easy reference
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.
The compliance news you need. Delivered securely to your inbox.