Your Complete Checklist for Achieving HIPAA Compliance

The Health Insurance Portability and Accountability Act, or HIPAA, is a framework developed in 1996 and managed by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) to outline an organization’s legal obligations as it pertains to healthcare data management. This includes patient privacy rights, appropriate security controls to protect data privacy, and the requirements healthcare organizations have if that data has been breached by a malicious third party.

Regulations are needed to ensure the confidentiality of the private patient information due to the emergence of electronic record keeping, digital data transfer, and cloud services.

As a result, the physical security of data, encryption standards used to protect that data, and the procedures used to document, transmit, and store data are all critical parts of HIPAA compliance.

In this post, we’ll take a close look at HIPAA compliance, who’s impacted, what these organizations must do to demonstrate compliance, the risks of non-compliance, key strategies for demonstrating HIPAA compliance, and more.

Which Organizations Must Comply With HIPAA?

HIPAA compliance is applicable to any organization or individual that creates, receives, maintains, or transmits protected health information (PHI). This includes healthcare providers such as doctors and hospitals, health plans, health insurance companies, and any other organization that deals with the healthcare industry.

HIPAA compliance also applies to business associates, such as third-party billing companies, transcriptionists, and IT service providers. Ultimately, any entity that stores, transmits, or processes PHI must comply with HIPAA regulations.

Specifically, organizations that must demonstrate with HIPAA compliance include:

• Health insurance providers
• Healthcare clearinghouses
• Healthcare providers (hospitals, doctors, dentists, etc.)
• Business associates of covered entities (e.g., billing companies and document storage companies)
• Pharmacies
• Long-term care facilities
• Research institutions
• Public health authorities
• Employers
• Schools and universities

These organizations must comply with HIPAA to ensure that sensitive patient health data is secure and not disclosed to unauthorized individuals or entities. By demonstrating HIPAA compliance, these organizations also provide safeguards that help ensure that the data is used only for the purpose intended and not used or disclosed for any other purpose.

Which Organizations are Exempt from HIPAA Compliance?

Organizations that do not create, receive, maintain, or transmit PHI do not need to become HIPAA compliant. Examples include retailers and restaurants. However, even organizations that are not directly involved in healthcare may be subject to HIPAA requirements. For instance, if an organization provides services such as cloud storage for healthcare-related information, they must demonstrate HIPAA compliance.

Important HIPAA Regulatory and Compliance Terms

To understand what HIPAA compliance is and who it applies to, it’s important to know a few key terms:

Covered Entity

These are the hospitals, doctors, clinics, insurance agencies, or anyone that regularly works with patients and their private data.

Business Associate

Service providers that work closely with Covered Entities without directly working with patients. Business associates often handle private data because of their technology products, consulting, financial administration, data analysis, or other services.

Protected Health Information (PHI)

PHI refers to any health information that can identify an individual and is created, used, or disclosed in the course of providing healthcare services. This includes: printed medical records, doctor’s handwritten notes, and conversations between nurses about a patient.

Electronic Personal Health Information (ePHI)

ePHI is a subset of PHI. It is PHI that is created, stored, transmitted, or received electronically. Examples include: medical records in an EHR system, emails containing health information, cloud-stored X-ray images, and billing information sent via secure web portals.

Why is HIPAA Compliance Necessary?

HIPAA compliance is necessary to ensure the security of confidential healthcare information. It is a federal law that requires organizations, such as healthcare providers, to maintain the privacy and security of their patients’ data. Compliance with these standards is necessary for the protection of sensitive data, such as patient medical records, health insurance information, and other personally identifiable and protected health information (PII/PHI).

Risks and Penalties for Organizations that Fail to Comply with HIPAA

Organizations that fail to comply with HIPAA face serious penalties. The U.S. Department of Health and Human Services Office for Civil Rights can issue sanctions that include fines and penalties, corrective action plans, and civil money penalties. Additionally, businesses can be subject to criminal charges.

If an organization fails to meet or stay in HIPPA compliance, then they are considered in violation of HIPAA. Typical or common HIPAA violations include:

• The unlawful exposure of ePHI to unauthorized parties, whether willfully or accidentally
• Failure to implement proper security protocols as outlined by the HIPAA Security Rule
• Lack of proper administrative or training protocols meeting requirements
• Failure to properly notify affected parties and public officials following relevant data breaches
• Lack of willingness to update, upgrade or address existing compliance gaps

Civil vs. Criminal HIPAA Violations

HIPAA violations are either civil or criminal in nature. Of course, it’s important to know the difference.

Civil violations are noncompliance incidents where noncompliance was accidental or without malicious intent. This includes events like neglect or lack of awareness. Penalties tend to be less for civil violations:

• For individuals that are unaware of violations, the fine is $100 per incident.
• For those with reasonable cause without neglect, the fine is a minimum of $1,000.
• Willful neglect carries a minimum fine of $10,000 per incident.
• Willful neglect, followed without an immediate rectification of the violation, results in a minimum fine of $50,000 per violation.

Criminal violations, by contrast, are those committed with malicious intent, i.e., theft, profit, or fraud. Penalties here include:

• Knowingly obtaining or disclosing ePHI is up to $50,000 and 1 year in jail.
• Committing fraud as part of the violation is up to $100,000 and 5 years in jail.
• Committing violations with the intent to profit from the violation is up to $250,000 and up to 10 years in jail.
• Numerous and repeated violations can cost organizations millions of dollars a year.

Examples of HIPAA Violations

There are several common examples of violations. These are some of the more frequent kinds of HIPAA violations:

• Fraud. The most direct and obvious violation is when individuals steal ePHI for profit or gain. Hackers or insider operations are rare, but increasingly common as more hospitals and healthcare networks turn to cloud technology and rely on unproven service providers.
• Lost or stolen devices. In the world of desktop workstations, technology theft was less common. As more clinics and hospitals turn to mobile devices like laptops, tablets, and smartphones, however, it’s more and more likely that these devices can end up in the wrong hands.
• Lack of protection. The Security Rule defines the kinds of HIPAA encryption, firewalls, and other security measures that should be in place. Many organizations may not understand these, or they may work with a third-party associate who they believe is compliant but is not.
• Unauthorized access across organizations. Whether it’s sharing data from an authorized to an unauthorized individual, or using unencrypted devices or email, it’s extremely easy for untrained workers to access or transmit ePHI improperly. In fact, accidental disclosure of PHI is the most common form of violation, which is why there is an entire category of lower-end penalties to cover it.

HIPAA Compliance Violation Fines

Examples of HIPAA compliance violation fines include:

• Up to $1.5 million for a single violation and up to $15 million for multiple violations in a calendar year
• Up to $50,000 per violation for the knowing misuse of patient information
• Up to $100 per violation for failure to provide a patient an access request
• Up to $250,000 or up to 1 year of jail time or both for obtaining or disclosing identifiable health information without authorization

Why are HIPAA non-compliance penalties so high? If a patient’s records are stolen, the patient’s privacy may be violated. Stolen records can be used to commit identity theft or financial fraud, leading to financial losses or the unauthorized use of benefits. Intercepted sensitive medical information can also be used to blackmail the patient or to target them for harassment.

The 4 Main HIPAA Rules and How They Impact HIPAA Compliance

There are four primary rules that make up the HIPAA framework and set the requirements for HIPAA compliance. They are:

1. The HIPAA Privacy Rule
2. The HIPAA Security Rule
3. The HIPAA Breach Notification Rule
4. The HIPAA Omnibus Rule

Each rule provides a framework for one aspect of compliance and informs critical aspects of the other rules. We’ll take a closer look at each below.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes the national standard for patients’ rights to privacy and private information. Furthermore, it sets up the framework that dictates what ePHI is, how it must be protected, how it can and cannot be used, and how it can be transmitted and stored.

An additional part of the Privacy Rule is the paperwork and waivers it requires for entities handling ePHI.

In this rule, ePHI is defined that any identifiable patient data is subject to privacy covered by the covered entity or any business associated. This is what is called “protected health information” and includes:

• Any past, present, or future documentation on physical or mental conditions
• Any records about the care of the patient
• And records referencing past, present, or future payments for healthcare

The HIPAA Privacy Rule states that the only scenarios where covered entities can disclose private health information involve very specific care, research, or legal situations. These situations are incredibly narrow and subject to interpretation in a court of law. As a result, it’s probably safer for every covered entity and their business associates to protect all PHI rather than focusing on nuances and exceptions.

HIPAA Privacy Rule Checklist

This HIPAA Privacy Rule Checklist includes 10 essential steps that healthcare organizations and their business associates must take to ensure compliance with the HIPAA Privacy Rule. From designating a privacy officer to establishing protocols for disclosing PHI to third parties, this checklist covers all the necessary aspects of protecting patients’ sensitive health information. Adherence to these guidelines will not only help organizations avoid HIPAA violations (and subsequent fines, penalties, and litigation), but also build patients’ trust and confidence in the healthcare system. They include:

1. Designate a data privacy officer (DPO)
2. Develop and implement written policies and procedures
3. Provide security awareness training to workforce members
4. Obtain patient consent for certain disclosures
5. Maintain appropriate safeguards for protected health information (PHI)
6. Implement a system for reviewing and verifying requests for PHI
7. Respond to patient requests for access to PHI
8. Notify patients in the event of a breach of unsecured PHI
9. Assign unique identifiers to individuals and groups
10. Establish protocols for disclosing PHI to business associates and other third parties

The HIPAA Security Rule

With the definition of privacy and ePHI in place, the next step is protecting that data. The HIPAA Security Rule established the national standards for the mechanisms required to protect ePHI data. These mechanisms extend across the entire operation of the covered entity, including technology, administration, physical safeguards for computers and devices, and anything that could impact the safety of ePHI.

The controls outlined in this rule are organized into three groups of safeguards:

1. Administrative Tasks for HIPAA Compliance: This includes policies and procedures that impact ePHI as well as the technologies, system design, risk management, and maintenance related to all other security measures. It also includes aspects of healthcare administration like Human Resources and employee training.
2. Physical for HIPAA Compliance: Physical safeguards secure the access to physical equipment—including computers, routers, switches, and data storage. Covered entities are required to maintain secure premises where only authorized individuals can access data.
3. Technical for HIPAA Compliance: Cybersecurity includes computers, mobile devices, encryption, network security, device security, and anything related to the actual technology of storing and communicating ePHI.

HIPAA Security Rule Compliance Checklist

Our HIPAA Security Rule Checklist covers 10 key areas that organizations must address to safeguard PHI and ePHI. This checklist should help organizations ensure compliance with HIPAA security standards and protect sensitive patient data from potential threats and vulnerabilities:

1. Conduct a risk analysis to identify potential threats and vulnerabilities
2. Implement policies and procedures for maintaining and monitoring the security of PHI and ePHI
3. Enforce access controls to limit access to PHI/ePHI to only authorized individuals who require access to perform their job functions
4. Ensure that all ePHI is protected with encryption in transit and rest, i.e., stored securely
5. Implement procedures for responding to security incidents and breaches
6. Train all workforce members on HIPAA security policies and procedures
7. Regularly review and update security measures to ensure they are current and effective
8. Establish a disaster recovery and business continuity plan, essentially a contingency plan for disasters or other emergencies that may impact the security of PHI/ePHI and patient privacy
9. Ensure all third-party vendors and contractors comply with HIPAA security requirements
10. Conduct regular audits and assessments to ensure compliance with HIPAA security standards

The HIPAA Breach Notification Rule

The Breach Notification Rule specifies what happens when a security breach occurs. It’s almost impossible to protect data with 100% effectiveness, and organizations need to have plans in place to notify the public, and victims of a HIPAA breach, about what has happened and what their next steps are.

The Breach Notification rule defines a series of steps any covered entity needs to take during a breach to stay in compliance, including:

1. Notifying individuals impacted by a breach. Covered entities need to give victims formal, written notice of the breach, either by first-class mail or email (if applicable).
2. If the covered entity doesn’t have contact information for more than 10 people in a breach, then they must provide alternative notice either through a posting on the website for 90 days or a notice in major print and broadcast news sources.
3. The entity must provide the notice no later than 60 days from the discovery of the breach.
4. If the breach affects more than 500 individuals in a state or other jurisdiction, the entity must provide prominent public notice of the breach through local media outlets.
5. The entity must additionally provide a notice to the secretary of health within 60 days if the breach affects more than 500 people. If less, then the entity can update the secretary by the end of the year.

These notification rules apply to any breaches made known to the Covered Entity by one of their business associates.

HIPAA Breach Notification Rule Compliance Checklist

Organizations that handle PHI and ePHI are legally obligated to comply with the HIPAA Breach Notification Rule, which requires prompt reporting of data breaches that compromise patient privacy. Failing to meet these requirements can result in significant fines, legal consequences, and reputational damage.

This checklist will help ensure compliance with the HIPAA breach notification rule. There are additional benefits, including building trust with patients and partners, strengthening incident response readiness, and reducing the risk of future breaches.

1. Identify and investigate breaches quickly, determining scope, impact, and risk.
2. Perform a risk assessment to evaluate the nature and extent of the PHI involved, who accessed it, whether it was actually viewed, and how the risk has been mitigated.
3. Document the breach with detailed records of what happened, findings, decisions, and actions taken — even if no notification is required.
4. Notify affected individuals within 60 days; send written notice via first-class mail, or email if authorized, describing what happened, what information was involved, and steps affected individuals can take.
5. Notify U.S. Department of Health and Human Services; if less than 500 individuals were impacted, notify HHS annually but if 500 or more individuals are impacted, notify HHS within 60 days via the HHS breach portal.
6. Notify the media if 500 or more individuals are affected in one state or region within 60 days to ensure broad public awareness.
7. Implement sanctions and corrective actions, including disciplinary action, retraining, or technical changes.
8. Update policies and procedures, including breach response plans and privacy/security practices based on what was learned.
9. Train workforce on breach procedures to ensure all staff are trained and retrained on recognizing, reporting, and responding to breaches.
10. Secure and encrypt PHI/ePHI to reduce the likelihood of a reportable breach.

The HIPAA Omnibus Rule

A more recent rule, the Omnibus rule expands the reach of regulations to organizations outside of covered entities. In short, the Omnibus Rule states that compliance obligations cover the business associates and contractors. Accordingly, this means that covered entities are responsible for any potential violations of business associates and contractors, and need to update their gap analysis, risk assessment, and compliance procedures accordingly.

HIPAA Omnibus Rule Compliance Checklist

The HIPAA Omnibus Rule, finalized in 2013, significantly strengthened privacy and security protections for protected health information (PHI). It expanded the scope of HIPAA by making business associates directly liable for compliance, enhancing patients’ rights, and clarifying rules around breach notification, marketing, and disclosures.

Demonstrating compliance with the Omnibus Rule is critical not only for avoiding costly penalties, but also for protecting patient trust, strengthening partnerships, and showing regulators a strong commitment to data privacy. By aligning policies, training, and vendor management with Omnibus Rule requirements, organizations can close compliance gaps and improve their overall security posture. Consider the recommendations provided in this HIPAA Omnibus Rule compliance checklist:

1. Review and Update Business Associate Agreements (BAAs) to ensure current or expanded liability and responsibilities under the Omnibus Rule.
2. Conduct a comprehensive risk analysis of security risks to all PHI and ePHI, including those held or accessed by business associates
3. Implement security and privacy policies to reflect new Omnibus Rule provisions, especially around data use, patient rights, and breach handling.
4. Train workforce on new requirements including updated HIPAA policies, breach notification changes, and patient rights under the Omnibus Rule.
5. Honor patients’ rights to restrict disclosure of PHI to health plans when services are paid for out-of-pocket.
6. Update Notice of Privacy Practices (NPP) to include new Omnibus Rule content, such as breach notification rights and uses of genetic information.
7. Secure written authorization for marketing and sale of PHI before using the data.
8. Enhance breach notification protocols; treat any unauthorized use/disclosure of PHI as a presumed breach unless a documented risk assessment proves otherwise.
9. Monitor business associate (BA) compliance to regularly verify that BAs are protecting PHI appropriately and adhering to their HIPAA obligations.
10. Document everything, including all HIPAA-related policies, training, assessments, and decisions to demonstrate compliance during audits or investigations.

What Is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule is a set of regulations that provide guidelines for investigations and penalties for violations of the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The rule is designed to ensure that covered entities and business associates comply with HIPAA regulations and protect the privacy and security of patients’ protected health information (PHI). The Enforcement Rule also establishes procedures for responding to complaints and conducting investigations of alleged violations, including the imposition of civil monetary penalties and corrective action plans.

HIPAA Enforcement Rule Compliance Checklist

The HIPAA Enforcement Rule outlines how the Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), investigates potential HIPAA violations and imposes penalties for non-compliance. It defines the procedures for investigations, the structure of civil monetary penalties, and the process for resolution, including corrective action plans and formal sanctions.

Demonstrating compliance with the Enforcement Rule is critical because it shows regulators that your organization takes privacy and security seriously. It can help reduce penalties, avoid escalated enforcement actions, and reflect a proactive, well-governed compliance program. By being audit-ready and responsive, organizations also boost patient trust, mitigate risk, and reinforce a culture of accountability across the workforce. Consider the following recommendations for demonstrating compliance with the HIPAA Enforcement Rule:

1. Maintain complete documentation of HIPAA compliance activities with thorough records of policies, training, risk assessments, incident responses, and audit logs to demonstrate a culture of compliance.
2. Respond promptly to investigations and requests; cooperate fully and timely with the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) during investigations or compliance reviews.
3. Implement a formal sanctions policy; enforce disciplinary measures for HIPAA violations consistently, and document actions taken against non-compliant staff or vendors.
4. Conduct regular internal audits to detect gaps in compliance and address issues before they escalate into violations.
5. Develop a corrective action plan (CAP) process for any identified violation to resolve compliance issues and prevent recurrence.
6. Train staff on enforcement consequences, including potential civil and criminal penalties for HIPAA violations to promote accountability.
7. Establish a clear complaint intake process, providing patients and employees with a confidential, easy-to-use way to report suspected HIPAA violations or privacy concerns.
8. Ensure leadership oversight and accountability by assigning clear roles with executive backing to drive enforcement rule readiness and compliance.
9. Regularly review and update policies and procedures to stay aligned with changes in law and enforcement trends.
10. Engage legal and compliance experts as Needed when facing complex compliance issues or enforcement actions.

Recent HIPAA Updates for HIPAA Compliance

The most recent updates to HIPAA were implemented in 2013 and 2016.

In 2013, the HIPAA Omnibus Rule was introduced, which made significant changes to the regulations governing how protected health information (PHI) is handled and protected. Some of the key changes included:

• Expanded protections for patient rights, including the right to access and receive copies of their PHI, and the right to request restrictions on the use or disclosure of their PHI
• Strengthened enforcement of HIPAA regulations, including increased fines for noncompliance and a requirement for business associates (third-party service providers) to comply with HIPAA regulations
• Updated definitions of key terms like “business associate” and “protected health information”

In 2016, the HIPAA Privacy Rule was modified to allow certain covered entities, such as healthcare providers or insurers, to disclose the names of individuals who have been identified as having a mental health condition to the National Instant Criminal Background Check System (NICS). This change was made in response to the 2012 shooting at Sandy Hook Elementary School, which prompted concerns about the ability of individuals with mental health issues to obtain firearms. However, the disclosure of this information is subject to certain limitations and protections, including requirements for the covered entity to obtain specific written consent from the individual before disclosing their information, and to provide certain disclosures to the individual about the potential consequences of such a disclosure.

What is HIPAA IT Compliance?

HIPAA compliance and HIPAA IT compliance vary slightly.

HIPAA compliance is a set of rules and regulations set forth by the U.S. Department of Health and Human Services (HHS) to protect the privacy, security, and integrity of patients’ sensitive health information. This includes requirements for administrative, physical, and technical safeguards, such as the implementation of policies, procedures, and security measures.

HIPAA IT compliance, by contrast, refers to the technical aspects of the HIPAA Security Rule, specifically regarding the implementation, maintenance, and monitoring of technical safeguards for electronic protected health information (ePHI). This includes implementing strong authentication and access control measures, periodic security risk assessments, and encryption and security of stored data.

Is There a Specific HIPAA Compliance Checklist for IT?

Some IT organizations must be HIPAA compliant because they handle sensitive and/or confidential data that is protected by HIPAA. As such, IT organizations must take the necessary steps to ensure that their systems and procedures are compliant with HIPAA regulations.

IT organizations should consider these checklist Items to demonstrate HIPAA IT compliance:

1. Have a dedicated HIPAA Privacy Officer responsible for developing and implementing security measures.
2. Identify and classify all data that falls under the jurisdiction of HIPAA.
3. Educate all staff on HIPAA laws and regulations.
4. Establish and document administrative, technical, and physical policies and processes as they relate to HIPAA.
5. Equip all computers and/or workstations with enough security measures to protect against unauthorized access.
6. Securely store all documents containing protected health information and limit access to authorized personnel only.
7. Use encryption software where appropriate to protect data at rest.
8. Practice secure web browsing and use email security software.
9. Properly dispose documents and records containing patient data; shredding or burning are the preferred, most secure methods.
10. Establish and maintain procedures for handling security breaches and unauthorized access attempts.
11. Regularly review and monitor access logs for any potential unauthorized access.
12. Implement comprehensive user logging and auditing procedures.
13. Develop and implement backup procedures that comply with HIPAA guidelines.
14. Develop and maintain a contingency plan and disaster recovery system.

Getting Started With HIPAA Compliance

If you’re new to HIPAA compliance, here are some steps your organization can take to start becoming HIPAA compliant:

1. Develop a HIPAA security and privacy compliance plan.
2. Develop policies and procedures for handling and protecting protected health information (PHI).
3. Implement physical, administrative, and technical safeguards to protect PHI.
4. Train staff on HIPAA best practices and protocols.
5. Have employees sign HIPAA acknowledgments and confirm they understand their responsibilities and obligations.
6. Ensure that business associates, vendors, and contractors have signed business associate agreements (BAA) and are in compliance with HIPAA regulations.
7. Implement procedures for regularly reviewing, auditing, and updating HIPAA compliance.
8. Record and document all PHI security and privacy measures.
9. Have an incident response plan in place in case of a breach or data loss.
10. Monitor the security of PHI regularly and ensure complete compliance with HIPAA regulations.

What Is HITECH and How Does It Relate to HIPAA Compliance?

The Health Information Technology for Economic and Clinical Health Act was signed into law in 2009 and informs compliance requirements for all the years after. Critically, this act revised the legal requirements of healthcare organizations across several industries, including direct healthcare and social security.

Before HITECH, only 10% of hospitals used electronic health records (EHR). HITECH was a critical part of pushing hospitals to switch to electronic record keeping. In part, HITECH promoted the adoption of digital ePHI management technology and subsequent compliance with HIPAA regulations. This includes offering incentives for switching to digital technology.

By 2017, in no small part thanks to HITECH, the rate of EHR adoption was up to 86% by 2017.

HITECH also shifted some responsibility for HIPAA compliance. To encourage adoption of technology, the HITECH Act revised healthcare regulations so that Business Associates became directly responsible for violations, and that their responsibility would be outlined in a necessary business associate agreement (BAA) with a Covered Entity.

HITECH also increased penalties for violations and encouraged law enforcement to pursue violations more rigorously so organizations would stay in compliance.

HIPAA Compliance Resources

To learn more about HIPAA and HIPAA compliance requirements, be sure to visit these resources:

1. HHS.gov website
2. HIPAA Journal website
3. HHS Office for Civil Rights
4. Centers for Medicare & Medicaid Services
5. National Institute of Standards and Technology
6. HHS Security Management Guidelines
7. HIPAA Security Rule
8. HIPAA Privacy Rule
9. National Institute of Standards and Technology (NIST) Special Publications
10. HITECH Security and Breach Notification Act

How to Achieve and Maintain HIPAA Compliance with a Self-Audit Checklist

By using a HIPAA self-audit checklist, healthcare organizations can identify potential areas of noncompliance and take corrective action before an audit by the Department of Health and Human Services (HHS) occurs. A self-audit can also help healthcare organizations avoid costly penalties and fines for HIPAA violations.

In addition, conducting a self-audit can help healthcare organizations establish best practices for HIPAA compliance and improve their overall data security posture. It can also help build trust with patients by demonstrating a commitment to protecting their sensitive information.

Using a HIPAA self-audit checklist is an important step in maintaining compliance with HIPAA regulations and protecting patient data.

Here’s a checklist to self-audit for HIPAA compliance:

1. Determine the scope of the audit, including which entities and processes will be evaluated.
2. Review policies and procedures to ensure compliance with HIPAA regulations.
3. Verify that all workforce members have received HIPAA training and that training is up to date.
4. Review access controls and verify that only authorized individuals have access to PHI.
5. Evaluate physical safeguards, including access controls to facilities and workstations.
6. Review technical safeguards, including access controls to systems, encryption of PHI, and password policies.
7. Verify that business associate agreements are in place with all third-party vendors that have access to PHI.
8. Evaluate incident response procedures and verify that they are up to date and effective.
9. Review breach notification procedures and verify that they are up to date and effective.
10. Verify that all required HIPAA documentation is up to date and readily available.
11. Evaluate compliance with the HIPAA Privacy Rule, including obtaining and documenting patient authorizations for disclosures of PHI.
12. Review compliance with the HIPAA Security Rule, including conducting regular risk assessments and addressing identified risks.
13. Verify that all PHI disclosures are properly authorized and documented, including disclosures for treatment, payment, and healthcare operations.
14. Review compliance with the HIPAA Breach Notification Rule, including the timely reporting of any breaches of unsecured PHI.
15. Evaluate compliance with the HIPAA Omnibus Rule, including compliance with the new requirements for business associates and subcontractors.
16. Verify that all PHI is properly disposed of in accordance with HIPAA regulations.
17. Review compliance with state and local laws that may impact HIPAA compliance.
18. Conduct periodic audits and remediate any areas of noncompliance.
19. Document all audit findings and remediation activities.
20. Develop and implement a HIPAA compliance program that includes ongoing training, monitoring, and auditing.
21. Assign a HIPAA Compliance Officer to manage your compliance efforts across your organization.
22. Track and protect mobile devices so that they do not end up in unauthorized hands, and that all data contained in them is properly encrypted. Implement remote wipes to destroy PHI that is stolen, or simply avoid storing PHI on mobile devices in the first place.

HIPAA Compliance vs. GDPR Compliance: Who Has Priority?

The EU’s General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) are two separate regulations that aim to protect personal data privacy. GDPR applies to all businesses that process or handle EU citizens’ personal data, regardless of their location, while HIPAA is applicable to healthcare providers, insurers, and their business associates in the U.S. However, as healthcare entities and business associates are increasingly operating on a global scale, it is essential to understand the GDPR’s impact on HIPAA compliance.

The GDPR imposes stricter data protection requirements than HIPAA, including:

Explicit Consent in GDPR

GDPR requires explicit consent before processing an individual’s personal data, while HIPAA requires only a general authorization.

Data Subjects Rights in GDPR

GDPR grants individuals more extensive control over their data, including the right to access, rectify, and erase their personal data, whereas HIPAA provides limited rights to access and request amendments.

Data Protection Officer (DPO) Stipulated in GDPR

GDPR mandates that certain organizations appoint a DPO to oversee data protection, while HIPAA does not require this role.

Data Breach Notifications Required by GDPR

GDPR requires organizations to report data breaches within 72 hours, while HIPAA requires reporting within 60 days.

GDPR Penalties

GDPR imposes significantly higher penalties for noncompliance, with fines of up to €20 million or 4% of global annual revenue, whichever is higher. In contrast, HIPAA fines range from $100 to $50,000 per violation, up to a maximum of $1.5 million per year.

Therefore, healthcare entities and business associates that process EU citizens’ personal data must ensure compliance with both GDPR and HIPAA. They should review their data privacy policies and procedures, implement necessary changes to meet GDPR requirements, and train their staff on the regulations’ provisions. Failure to comply with either regulation can result in significant financial penalties and damage to an organization’s reputation.

Kiteworks Helps Organizations Achieve HIPAA Compliance with a Private Data Network

The Kiteworks Private Data Network helps covered entities and their business associates achieve and maintain HIPAA compliance by protecting PHI and other sensitive content they share with trusted third parties.

Kiteworks consolidates third-party communications like email, file sharing, managed file transfer, SFTP, and web forms so organizations can control, protect, and track the PHI that’s accessed, sent, stored, and received. Security and compliance features include:

• A self-contained, pre-configured hardened virtual appliance featuring embedded anti-virus protection and intrusion detection system (IDS)
• AES encryption of content at rest and TLS 1.2 encryption for content in transit, and additional security measures like key rotation, session timeouts, integrity checks, and anti-virus
• One-click HIPAA and GDPR compliance reports that demonstrate administrative, physical and technical safeguards are in place, in compliance with HIPAA
• Granular access controls, role-based permissions, and file/folder expiries that restrict access to PHI to authorized personnel and for only as long as necessary
• Secure deployment options including on-premises, private, hybrid, and FedRAMP virtual private cloud
• Threat detection, mitigation, and forensics via a CISO Dashboard analysis and comprehensive audit logs that can be exported to your SIEM

To learn how Kiteworks can help keep your organizations achieve HIPAA compliance, schedule a custom demo today.

Additional Resources

• Case Study NYC Health + Hospitals’ Clinicians and Staff Share PHI Securely and Efficiently
• Blog Post Top HIPAA-compliant Forms
• Blog Post HIPAA Encryption: Requirements, Best Practices & Software
• Blog Post Send HIPAA-compliant Email
• Blog Post HIPAA Breach [What It Is & How to Handle the Aftermath]