The words “HIPAA compliance” have a legendary ability to simultaneously arouse both\u00a0extreme fear and extreme boredom in physicians and other healthcare providers. Everybody knows the legislation is critically important, but identifying your exact duties under it can be a confusing and soporific task.<\/p>\n
Let’s try to fix that. In this part of our blog series on HIPAA, we’re going to show you the easiest HIPAA compliance checklist that you’ll ever see. What’s our secret? Just telling you what\u00a0the Department of Health and Human Services (HHS) already does: HIPAA is its own checklist.<\/p>\n
Yes, basically. First let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II\u00a0of that legislation relates to the privacy and security of protected\u00a0health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.<\/p>\n
Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR)<\/a>, Title 45, Parts 160, 162, and 164.<\/p>\n Luckily, HHS also grouped these regulations into six\u00a0sections<\/a>, called “rules,” and these are really the ultimate HIPAA compliance checklist<\/strong>. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:<\/p>\n *drum roll please* …<\/p>\n This one is easy. HIPAA seeks\u00a0to make sure that everybody is\u00a0communicating about healthcare issues in one unified\u00a0way, and regulations in its “Transactions and Code Sets”\u00a0rule accomplish this.<\/p>\n One part of this rule specifies what code sets are allowable for describing\u00a0medical data, including ICD-CM for conditions, NDC for drug names, and CPT\/HCPCS for procedures. Another part\u00a0then\u00a0defines and mandates the specific electronic transmission formats\u00a0that can be used to convey the encoded data.<\/p>\n Simply pick a modern EHR\u00a0to use in your practice. They will typically\u00a0use\u00a0the correct\u00a0encoding and transmission formats automatically, and you can confirm this with the vendor before\u00a0you buy anything.<\/p>\n That’s it. Done. Check.<\/p>\n In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare\u00a0have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs\u00a0are used in encoding and transmitting\u00a0healthcare data, and they help\u00a0enforce clarity. Two doctors may have the same name and practice\u00a0in the same city, but their differing NPIs will ensure that they are not mistaken for one\u00a0another.<\/p>\n You probably already have an NPI<\/a>. If you don’t, \u00a0you can get one through the\u00a0National Plan and Provider Enumeration System (NPPES<\/a>) that HHS runs.<\/p>\n That’s it. Done. Check.<\/p>\n The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes\u00a0the most important part\u00a0of HIPAA\u00a0for\u00a0most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed\u00a0“protected health information (PHI).” The rule spells out how healthcare entities may\u00a0use PHI,\u00a0and it also delineates patients’ rights\u00a0to be informed of\u00a0and control those uses.<\/p>\n HHS has written an important\u00a0summary of the Privacy Rule<\/a>, and it’s worth a read. High-level points from the summary to internalize:<\/p>\n Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but\u00a0there is no perfect, comprehensive\u00a0checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.<\/p>\n HHS states that the Privacy Rule is comprised of 45 CFR<\/a>\u00a0Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly\u00a0or, at least, to the HHS Privacy Rule summary<\/a>\u00a0to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.<\/p>\n The HIPAA Security Rule is a nitty-gritty rundown\u00a0of “the technical and non-technical safeguards that organizations […]\u00a0must put in place to secure individuals’\u00a0electronic PHI.” That quote comes directly from a Security Rule summary<\/a> that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a\u00a0more exact framework to implement them.<\/p>\n Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:<\/p>\n That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series<\/a> that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.<\/p>\n Each HHS document linked above\u00a0has a reproduction of Appendix A<\/a> of the actual Security Rule, which is effectively a checklist of\u00a0necessary items to consider\u00a0for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.<\/p>\n As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR<\/a> Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it<\/a>.<\/p>\n The HIPAA Enforcement Rule<\/a> (codified at 45 CFR Part 160, Subparts C, D, and E) establishes procedures for the investigation of possible HIPAA violations and sets civil\u00a0fines\u00a0for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.<\/p>\n If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.<\/p>\n The HIPAA Breach Notification Rule<\/a> (codified at 45 CFR \u00a7\u00a7 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance<\/a> available on the topic.<\/p>\n Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy\u00a0Rule and Security Rule.<\/p>\n HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out\u00a0a path to compliance\u00a0that\u00a0is nearly a checklist. All you have to do is follow it.<\/p>\n This article is part of a series of posts relating to HIPAA law and regulation. The information provided is\u00a0meant as general guidance only and is not intended to be legal advice.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" The words “HIPAA compliance” have a legendary ability to simultaneously arouse both\u00a0extreme fear and extreme boredom in physicians and other healthcare providers. Everybody knows the legislation is critically important, but identifying your exact duties under it can be a confusing and soporific task.<\/p>\n","protected":false},"author":1,"featured_media":462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"slim_seo":{"title":"The Easiest Complete HIPAA Compliance Checklist You'll Ever See - Spruce Blog","description":"The words \"HIPAA compliance\" have a legendary ability to simultaneously arouse both\u00a0extreme fear and extreme boredom in physicians and other healthcare provider"},"footnotes":""},"categories":[14],"tags":[16,15],"different-template":[],"class_list":["post-225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hipaa","tag-compliance","tag-hipaa"],"acf":[],"_links":{"self":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/comments?post=225"}],"version-history":[{"count":0,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/225\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media\/462"}],"wp:attachment":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media?parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/categories?post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/tags?post=225"},{"taxonomy":"different-template","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/different-template?post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Six Rules of the HIPAA Compliance Checklist:<\/h1>\n
#1:\u00a0Standardize Your Coding and Electronic Transmissions<\/h2>\n
\u2611\u00a0HIPAA Checklist: How to Comply with Rule 1<\/h3>\n
\n
#2:\u00a0Get Unique Identifiers for You and Your Organization<\/h2>\n
\u2611 HIPAA Checklist: How to Comply with Rule 2<\/h3>\n
\n
#3:\u00a0Protect Your Patients’ Privacy<\/h2>\n
\n
\u2611 HIPAA Checklist: How to Comply with Rule 3<\/h3>\n
\n
#4: Secure Your Electronic Medical Information<\/h2>\n
\n
\u2611 HIPAA Checklist: How to Comply with Rule 4<\/h3>\n
\n
\n
#5:\u00a0Understand the Penalties for Violations<\/h2>\n
\u2611 HIPAA Checklist: How to Comply with Rule 5<\/h3>\n
\n
#6:\u00a0Learn How to Handle Information Breaches<\/h2>\n
\u2611 HIPAA Checklist: How to Comply with Rule 6<\/h3>\n
\n
\n