HIPAA Compliance Checklist: Essential Steps You Can Take to Get Compliant

Patients expect the clinics and hospitals they visit will honor their medical privacy. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes that expectation the law. Any organization receiving, storing, transmitting, or processing personal health information (PHI) must keep that information both private and secure.
Achieving HIPAA compliance requires evaluations of almost every aspect of your business operations. To help you get started, we drew on our compliance monitoring experience to create this HIPAA compliance checklist. Use it to build a program that applies reasonable measures to preserve patients’ privacy and keep their medical information secure.
What is HIPAA Compliance?
HIPAA provides the regulatory framework for protecting patient privacy in the United States. As you would expect, these regulations apply to healthcare providers, insurers, and health data clearinghouses. However, any company they share PHI with is a HIPAA Business Associate and subject to the same regulations.
The law requires that organizations take reasonable and appropriate measures to protect patient information. “Reasonable and appropriate” will mean different things in different contexts. A doctor’s solo practice may care for several hundred patients. Hospital systems treat hundreds of thousands of patients every year. A law firm may handle a few cases per year that involve PHI.
All must comply with HIPAA, but they will comply differently. HIPAA compliance is not a one-size-fits-all standard.
A Checklist to Achieve and Maintain HIPAA Compliance
How you achieve HIPAA compliance depends on how your organization handles PHI.
What kind of PHI do you handle, and in what quantities?
Do you manage PHI entirely within your systems?
Do you exchange PHI with other businesses?
Consider these questions as you use our HIPAA compliance checklist.
1. Form a Compliance Team
Create a dedicated compliance team that includes stakeholders from across the organization. Your IT and legal departments will play critical roles, but every department that deals with PHI has a role to play as well.
Hold each compliance team member accountable for specific, assigned responsibilities.
2. Conduct a Risk Assessment
There are many ways to evaluate organizational risks. An asset-based approach would look for weaknesses in the organization’s databases, servers, and network infrastructure that could expose PHI. A vulnerability-based assessment would consider ways PHI could fall into the wrong hands, whether accidentally or through a cyberattack.
Whatever approach you take, the risk assessment should identify and prioritize risks based on their impacts and probabilities.
3. Develop a Compliance Plan
Build a compliance plan by aligning your prioritized risks with the administrative, physical, and technical safeguards HIPAA requires.
Administrative safeguards include security risk management processes, access controls, training, and incident response planning.
Physical safeguards include measures that control physical access to your network infrastructure and endpoints.
Technical safeguards include the hardware and software that control and monitor PHI access as well as protect PHI at rest and in transit.
4. Implement Your Plans Internally
Establishing HIPAA-compliant safeguards and mitigating risks will require contributions from everyone in your organization. It goes beyond installing new firewalls and changing locks on the server room. How your employees use or share PHI must align with HIPAA’s requirements—which may mean changing how people work.
Executive leadership must set priorities across the organization.
Your compliance team will need support at every level, from management to frontline workers. That can only happen if your leadership team constantly reinforces the importance of HIPAA compliance.
5. Determine Which Vendors Must Sign a Business Associate Agreement
As you change your internal processes, you must also ensure compliance from any Business Associates that may encounter PHI. Consulting physicians or medical records processors are obviously subject to HIPAA. But don’t overlook cloud service providers, law firms, and other third-party services.
Conduct a third-party risk assessment to align your Business Associates with your compliance policies.
6. Develop Response Plans
Your compliance team must assume that PHI breaches can happen at any time and prepare accordingly. In particular, their incident response plans must address HIPAA’s Breach Notification Rule.
Any time unsecured PHI leaves your control, you must directly contact all patients affected by the breach. Written or emailed notices must go out within 60 days of the breach’s discovery. If direct contact is not possible, you may need to post notices on your website or in local newspapers.
You must report all breaches of unsecured PHI to the Department of Health and Human Services (HHS). Report large breaches affecting more than 500 people within 60 days. An annual report to HHS can summarize smaller breaches.
HIPAA requires media notifications of large breaches, so make sure you are ready for bad publicity.
Although not included in HIPAA, you should also prepare to report breaches to law enforcement, state or local regulators, and business partners.
Security and Privacy Steps to Take
Preserving the privacy of patients’ medical information requires a never-ending focus on security. Keep these six tips in mind as you build out your HIPAA compliance program.
1. Monitor Compliance Continuously
Achieving compliance only means you had PHI under control at an instant in time. Anything could happen after that to expose PHI. Someone may lose a laptop, hackers could breach your defenses, or an unqualified employee could accidentally receive PHI they shouldn’t have.
HIPAA compliance is a process, not an event.
The only way to stay compliant is by continuously monitoring your security controls and developing total visibility into your security posture.
2. Teach Employees and Reinforce Best Practices
Technical risk may not be the biggest threat to HIPAA compliance. You need to account for the human factor. Employees, consultants, and other agents who access your organization’s PHI must understand the importance of HIPAA, including:
Why patient privacy matters.
Their compliance responsibilities.
The consequences of HIPAA violations.
Your compliance team must develop a training program that raises awareness of your HIPAA compliance efforts. New hire onboarding and annual refresher sessions may be sufficient most of the time. However, the compliance team may identify situations—such as mitigating breaches or addressing new regulations—that require additional training.
3. Stay Current with HIPAA and HHS Developments
Congress regularly updates HIPAA to address emerging privacy risks. Even without legislation, HHS updates to existing rules may impact your organization’s HIPAA compliance. Monitor the evolving HIPAA landscape to understand how your organization should adapt.
Compliance partners with deep expertise in HIPAA can flag changes impacting your compliance status, giving you time to address any new risks.
4. Minimize Access to PHI
During the journey to HIPAA compliance, organizations often find that too many people have easy access to PHI. Over-permissioned accounts make breaches and HIPAA violations almost inevitable.
Apply role-based, least-privileged access policies that limit PHI access to the people who need it when they need it.
5. Eliminate Duplicate PHI
PHI risk increases when you store identical medical records in multiple locations, such as in different databases or on employee laptops. The more places you keep PHI, the more opportunities for that information to fall into the wrong hands.
The best way to limit PHI risk is not to have it in the first place.
An electronic health record (EHR) system centralizes PHI storage and distribution. Rather than storing permanent copies of medical records in multiple systems, EHRs can transmit data on a just-in-time basis.
6. Always Encrypt PHI
Keep PHI encrypted at all times, whether at rest or in transit. Strong encryption makes data impossible to extract should it fall into the wrong hands.
Encrypted data is secured data.
As far as HIPAA is concerned, secured PHI is not subject to the Breach Notification Rule or the regulation’s stiff civil penalties.
Automate Your HIPAA Compliance Program
Achieving HIPAA compliance can seem daunting. Following this HIPAA compliance checklist will improve your overall security posture by introducing better security controls and mitigating your HIPAA-related risks.
HIPAA has much in common with security frameworks, such as SOC 2 and ISO 27001, that you may already follow. Drata’s automated monitoring platform lets you manage your compliance programs at scale while keeping your data private and secure. We use our own platform to manage Drata’s HIPAA compliance.
Book a demo with our compliance experts to see how Drata can streamline your HIPAA compliance program.