Nowadays with the internet, information is easy to access. At the touch of our fingertips, we are able to search the internet to learn more about a person. This has caused people to be cautious about their personal information.
Protected health information is private information that individuals would like to keep, well.. private. Because of this, there are specific laws in place for covered entities and business associates to follow.
This is known as HIPAA, the Health Insurance Portability and Accountability Act.
Below, we will take a look at an employer HIPAA compliance checklist to cover everything you need to know about how to be compliant with HIPAA.
If you're looking for a convenient way to be compliant with HIPAA, then check out EasyLlama. Our HIPAA compliance training videos can make sure that your company is covered under regulations to avoid any unnecessary penalties. Our bite-sized videos are easy to understand and distribute to every employee in your company.
Get An Instant Free Course Preview
Try our best-in-class, interactive, and engaging courses for free!
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act that was passed into law in 1996 to protect individuals and their personal health information. It covers a specific set of rules that monitor how health care providers and health insurance providers handle patient data, health plans, medical records and more.
Under HIPAA, employees have the right to keep their protected health information (PHI) and electronic protected health information (ePHI) private. Only covered entities and certain business associates may access patients' healthcare information.
Because of this, employers must take certain measures to establish safeguards and procedures to manage employees' information and avoid risk.
Protected Health Information
Protected health information (PHI) is defined as any information that deals with the physical or mental health of a patient. By definition, this covers any specifics about an individual's health care data, health insurance, and identifiable health information.
Examples of identifiable health information includes:
- The name of a patient
- The home address of a patient
- The social security number of a patient
- The date of birth of a patient
- The medical records of any medical treatment or services of a patient
- The medical insurance or health plan of a patient
Electronically protected health information (ePHI) is PHI that is produced, saved, transferred, or received in an electronic form.
3 HIPAA Rules (Privacy, Security, Breach Notification Rule)
There are 3 rules to HIPAA that help provide security safeguards to protect employee PHI.
HIPAA Privacy Rule
The HIPAA privacy rule regulates the uses and disclosure of patient PHI. Under the HIPAA privacy rule, covered entities may disclose patient PHI in the interest of patient treatment, payment, or operations without a patient's written consent.
Any other disclosure of patient PHI from a covered entity would need permission from the patient themselves. This allows individuals to control and protect their PHI and release their personal information on their own free will.
The HIPAA privacy rule also requires the covered entities to notify individuals of the uses of their PHI. Covered entities must keep track of any and all disclosures so that the patient knows when and where their PHI was used. This allows patients to always be in the loop regarding their personal information.
HIPAA Security Rule
The HIPAA security rule requires doctors to protect the ePHI of patients by using the appropriate safeguards to ensure that it doesn't leak. This gives patients peace of mind to feel comfortable sharing their PHI to physicians to receive the proper medical treatment.
The privacy and security rules set the minimum safety requirements that are needed for a covered entity to guard patient PHI in terms of usage and protection.
To ensure you are compliant with the HIPAA security rule, check to make sure you know how to comply with the HIPAA security rule.
HIPAA Breach Notification Rule
The HIPAA breach notification rule is the final rule set by HIPAA. Unlike the privacy and security rules that regulate PHI usage and protection, this rule establishes what covered entities must do if they fail to protect patients' PHI.
If there are security breaches and any patient data has been disclosed inappropriately, then the Department of Health and Human Services must be notified within 60 days of the discovery of the breach. This must be reported regardless of how the data breach had happened. The covered entity must also notify patients within 60 days of the breaches if the data breach compromises any of their information.
Who are Covered Entities?
Covered entities are defined as an employer-sponsored health plan, health care clearinghouses, health insurance providers, and providers of medical services.
A covered entity is a business that must be compliant with HIPAA. Employers and employees of these organizations need to know the laws and rules about the safeguards and procedures required to protect PHI.
Covered entities include:
- Doctors
- Nurses
- Hospitals
- Clinics
- Pharmacies
- Dentists
- Optometrists
- Chiropractors
Who are Business Associates
A business associate is any employee or organization that personally handles or has access to the PHI of individuals. They typically work together with a covered entity. Whether physical or electronic form, these people may pose a risk to PHI breaches.
Therefore, business associates must also receive the proper HIPAA training to be HIPAA compliant. The employee or organization that has access to the personal data must follow the proper procedures and take the necessary measures to protect PHI and avoid any violations.
Common business associates include:
- IT consultants
- Lawyers
- Accountants
HIPAA Compliance Checklist
Now that we have covered the HIPAA regulations and who must be compliant with HIPAA, let's look at our employer HIPAA compliance checklist to make sure that you abide by the HIPAA requirements.
Step 1: Figure out which annual audits apply to your organization
The first thing you need to know is whether your business falls under the category of being a covered entity or business associate. Because the HIPAA rules apply to these organizations, you need to know if you must follow the proper procedures and safeguards that are listed in the HIPAA regulations.
If you fall under this category, then the HIPAA compliance checklist and HIPAA regulations apply to you, then you must follow compliance with how to access and handle healthcare data.
Step 2: Perform your required audits and assessments and note any flaws
You must go through your standard audits and assessments. It is important that you take note of any problems that may pose risk or potential violations that could affect whether your business is HIPAA compliant or not.
Make sure that your organization is following the policies and procedures set by the HIPAA compliance checklist to protect healthcare data.
Step 3: For any flaws, create plans of action and follow through ASAP
If you notice any security measures that are not up to par, then you must quickly create solutions to solve those problems. You must avoid risk by following through as soon as possible in order to stay HIPAA compliant.
If your business operates too long without the proper safeguards and procedures in place, then you are at a higher risk of not being compliant and facing unnecessary fines for not following the law.
Step 4: If you have not already done so, you should designate a HIPAA Compliance, Privacy and/or Security Officer for your business
One of the best ways for you to make sure that you are HIPAA compliant is to appoint a HIPAA compliance officer to monitor your business. This compliance officer can watch over your business, supervise the employees and ensure that everyone follows the privacy rule, policies and procedures, and regulations set forth by HIPAA.
It is always a good idea for employers to have your rules and regulations reinforced by an extra set of hands to keep an eye on the business's operations so that you are following the laws.
These HIPAA compliance officers can assist you with monitoring your HIPAA compliance checklist and follow your plans of action.
Step 5: Encourage the selected HIPAA Compliance Officer to have annual training for employees
In the many regulations and safeguards that HIPAA offers, one of the key measures is that a business must make sure that any employee receives proper HIPAA compliance training and is up to date with their knowledge.
HIPAA compliance requires all employees have training on data privacy and on the safeguards and knowledge about the law in order to protect healthcare and medical data.
To be HIPAA compliant, it is the duty of the employers to keep an employee of the company up to date with HIPAA compliance knowledge. Training for HIPAA compliance can either be physical or virtual.
A convenient way to reach an employee is with EasyLlama's online training videos. Employers can easily send bite-sized training videos to all employees of their business with a simple click of a button to be HIPAA compliant!
Step 6: Document all of your HIPAA compliance training and procedures to have proof that you are taking the necessary safeguards
It is not enough for employers to just provide HIPAA training to their employees so that they can be HIPAA compliant. It is also important that you document all of your actions as evidence that you follow the law set by the HIPAA regulations.
Organizations should document all of the policies and procedures so that their HIPAA compliance is recorded.
Operations such as how employees access data should be logged so that the Department of Health and Human Services' Office for Civil Rights (OCR) can clearly see that the proper safeguards are in place and that you follow the law to protect the private personal data and civil rights of your clients.
Luckily, EasyLlama's HIPAA compliance training program automatically keeps track of employee training progress. Employers can monitor the timeline and see how employees are coming along on the training timeline.
Step 7: Ensure that HIPAA compliance with your Business Associates by reviewing BAAs annually
The HIPAA compliance checklist does not just stop at you and your business. You must also make sure that all other organizations that are your business associates are following the HIPAA compliance checklist.
Since a business associate also has access to healthcare data, they must also follow HIPAA compliance. To follow compliance, health care providers and business associates who work together must checklist HIPAA compliance policies and procedures together.
So, what this means is that you also have to keep an eye on who you work with to make sure that they are following the same compliance policies and procedures checklist as you.
As an employer, you can make sure that your business associates, who are not healthcare providers, are following the same compliance checklist as you by creating Business Associate Agreements (BAA).
The BAA will help you set the minimum responsibilities that each party has for protecting and managing the healthcare data so that you do not unknowingly violate the law. When making a BAA, employers must put in place the correct compliance checklist and training so that those who are not healthcare providers obey the law too.
Step 8: Review the steps for employees to report security breaches
Employees may try their hardest to follow the law and the compliance checklist set by management. However, even though they may stick to the HIPAA compliance checklist, policies, and procedures, security breaches may leak healthcare information.
Although it may not be the employees' fault, it is still the responsibility of the employees to report the data breach. Your HIPAA compliance checklist should include detailed steps of the reporting process so that employees know how to handle the situation.
Employees must report breaches to OCR, and so you should occasionally review the checklist and steps for the reporting process in case an event like this happens.
Common HIPAA Violations
As mentioned above, accidents happen. Sometimes there are HIPAA compliance violations in a company. Let's take a look at some common HIPAA violations to be aware of and can avoid these mistakes when you checklist HIPAA compliance with your organization.
1) Having a non-encrypted, lost, or stolen device
A common HIPAA violation is having PHI stored on a device that is not encrypted. Sensitive information needs to be locked and hidden away behind some form of passcode or lock. Without this anyone can access said data.
The worst-case scenario has a non-encrypted device that gets lost or stolen. In this situation, not only is the device missing, but there is nothing stopping someone from accessing all of the PHI if they are in possession of the device.
2) Lack of employee training
Knowledge is power. If employees aren't properly trained on how to checklist HIPAA compliance, then they are more likely to make mistakes that violate your HIPAA compliance checklist.
It is best to make sure that it is in your priorities to train your employees enough so that they can follow your HIPAA compliance checklist (not to mention that untrained employees is a HIPAA compliance violation in of itself).
3) A database breach in the organization
Database breaches and hacks are very dangerous. These violations may feel like they are out of your control, but that is not necessarily true. Even though you may not be entirely at fault for being hacked, it is still your responsibility to handle the situation appropriately.
Make sure to do the right thing and report these breaches to the proper authorities, otherwise you are looking at a HIPAA compliance checklist violation of the notification rule.
4) Employee gossiping or discussing of PHI
Employee gossip in the workplace is inevitable. You just can't stop it. However, you can influence it.
Employee gossip or discussions about PHI is a violation of the HIPAA compliance checklist.
So, with the right training and knowledge you can make sure that your employees are not talking about things that they are not supposed to be discussing so openly.
5) Improperly disposing of PHI
The last common violation of the HIPAA compliance checklist is not disposing of PHI properly. You must take documents that have sensitive information on it and dispose of it appropriately.
This means that documents with PHI should be shredded and taken care of the right way rather than tossed into any empty trash can that is conveniently nearby.
Last Check on Your Checklist
So, we have covered HIPAA and a compliance checklist that you should follow.
You must plan accordingly and follow the steps of the checklist to ensure that you and your business are HIPAA compliant. Be careful of the HIPAA violations if you want to avoid any unnecessary fines.
The best way to do this is with the finest training for you and your employees.
Get started now with a free trial at EasyLlama to get your employees compliant and up to speed with everything related to HIPAA.
Written by: Austin Leuangpaseuth
