Running Head: HEALTH INFORMATION 1

HIPAA Compliance Checklist


Joan Schumacher
University of Cincinnati

The Six Rules of the HIPAA Compliance Checklist


#1: Standardize Your Coding and Electronic Transmissions
HIPAA seeks to make sure that everybody is communicating about healthcare issues in one
unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including
ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another
part then defines and mandates the specific electronic transmission formats that can be used to
convey the encoded data.

HIPAA Checklist: How to Comply with Rule 1

1. Use a compliant electronic health record (EHR).

Choose a modern EHR for your practice. Current systems typically apply the required code sets
and transmission formats automatically, and you should confirm this with the vendor before you
buy anything.

#2: Get Unique Identifiers for You and Your Organization


In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that
renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for
individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and
transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name
and practice in the same city, but their differing NPIs will ensure that they are not mistaken for
one another.

HIPAA Checklist: How to Comply with Rule 2

1. Make sure that every covered provider in your practice, individual and organizational, has an NPI.

You probably already have an NPI. If you don’t, you can get one through the National Plan and
Provider Enumeration System (NPPES) that HHS runs.
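The paper says NPIs are 10 digits and exist to keep providers from being confused with one another; an NPI also carries a built-in integrity check that the paper does not mention. The tenth digit is a Luhn check digit computed over the identifier prefixed with the constant "80840", so a transposed or mistyped NPI in a claim or a BAA can be caught before it is transmitted. The following validator is an added example, not code from the paper or from the source it cites. The sample identifier 1234567893 is the one used in CMS's own check-digit documentation; the other inputs are constructed corruptions of it. Passing this check only means the number is well-formed; whether it is actually assigned to a provider can only be confirmed against the NPPES registry.

```python
"""Validate the structure and check digit of a National Provider Identifier (NPI).

Added example, not code from the original paper. The NPI check digit is the
Luhn check digit of the 10-digit identifier prefixed with the constant
"80840" (the ISO 7812 issuer prefix assigned to U.S. health care providers).
The sample identifiers in the demo are the CMS documentation example
(1234567893) and constructed variations of it, not real providers' NPIs.
"""
from __future__ import annotations

import re

NPI_PREFIX = "80840"  # ISO 7812 issuer prefix; contributes a constant 24 to the Luhn sum


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: every second digit from the right is doubled,
    and a doubled value above 9 has 9 subtracted (same as summing its digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def npi_check_digit(first_nine: str) -> str:
    """Return the 10th (check) digit for a nine-digit NPI body."""
    if not re.fullmatch(r"\d{9}", first_nine):
        raise ValueError("NPI body must be exactly nine digits")
    # Appending a placeholder 0 puts each body digit in the position it will
    # occupy once the real check digit is present, so the doubling pattern matches.
    s = luhn_sum(NPI_PREFIX + first_nine + "0")
    return str((10 - s % 10) % 10)


def check_npi(candidate: str) -> str | None:
    """Return None if `candidate` is a well-formed NPI, otherwise a short reason.

    Only format and checksum are verified; assignment to an actual provider
    must be confirmed against the NPPES registry.
    """
    npi = candidate.strip()
    if not re.fullmatch(r"\d{10}", npi):
        return "NPI must be exactly 10 ASCII digits"
    if luhn_sum(NPI_PREFIX + npi) % 10 != 0:
        return f"check digit mismatch (expected {npi_check_digit(npi[:9])})"
    return None


def is_valid_npi(candidate: str) -> bool:
    return check_npi(candidate) is None


if __name__ == "__main__":
    # Constructed inputs: the CMS example NPI and corrupted variants of it.
    samples = ["1234567893", "1234567894", "123456789", " 1234567893 ", "12345678A3"]
    for s in samples:
        print(f"{s!r:16} -> {check_npi(s) or 'OK'}")
```

Run it directly to see each sample classified; `check_npi` is the function to call from intake or claim-preparation code, since it tells you why a number was rejected rather than just that it was.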

#3: Protect Your Patients’ Privacy


The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most
important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about
individuals’ health information, termed “protected health information (PHI).” The rule spells out
how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and
control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level
points from the summary to internalize:

• The Privacy Rule protects all “individually identifiable health information” held or
transmitted by a covered entity or its business associate, in any form or media, whether
electronic, paper, or oral. The Privacy Rule calls this information “PHI.”
• A central aspect of the Privacy Rule is the principle of “minimum necessary” use and
disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request
only the minimum amount of PHI needed to accomplish [an intended purpose].
• Except in certain circumstances, individuals have the right to review and obtain a copy of
their PHI and to receive an accounting of certain disclosures of it. They may also request
amendments to it.
• Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy
practices.

HIPAA Checklist: How to Comply with Rule 3

1. Designate a “privacy official” in your organization who will be tasked with developing
and implementing your privacy policies and procedures, and ensure that this person
is available to receive requests and complaints related to the Privacy Rule.
2. Understand the definition of PHI and identify information in your practice that is PHI.
3. Keep a record of all uses and disclosures of PHI in your practice.
4. Understand the things your practice must do under the Privacy Rule, especially including
those things that relate to your patients’ control over their own PHI.
5. Understand the things your practice may do under the Privacy Rule, especially including
those uses and disclosures of PHI that are allowable without explicit, written patient
consent. Always use the concept of “minimum necessary” to guide your uses and
disclosures.
6. Identify your “business associates,” as defined by HIPAA. If another company interacts
with PHI from your practice, they are likely a business associate, and you need to have a
formal “business associate contract” with them that extends the duties of HIPAA to their
operations.
7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to
start with a template that HHS provides. Know when, where, and to whom this notice must
be made available.
8. Implement administrative, technical, and physical safeguards to prevent impermissible
intentional or unintentional use or disclosure of PHI. These should also act to limit
incidental uses or disclosures.
9. Ensure ongoing training of your practice’s workforce on your privacy policies and
procedures.
10. Have your privacy official create and maintain a written document of the policies and
procedures that you have developed to accomplish the above items.

HHS states that the Privacy Rule comprises 45 CFR Part 160 and Subparts A and E of 45
CFR Part 164. Refer to these directly or, at least, to the HHS Privacy Rule summary to make
sure that you are creating and following all of the privacy policies and procedures that your
specific practice needs.

#4: Secure Your Electronic Medical Information


The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical
safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That
quote comes directly from a Security Rule summary that HHS has written, in which they explain
that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out
a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that
your practice “receives, maintains or transmits in electronic form.” To comply with the Security
Rule, your organization must adopt an ongoing process of risk analysis that has the following
general form:

1. Assess the risks to electronic PHI in your organization, the current state of your security
measures, and the gaps between the two
2. Implement “administrative, technical, and physical safeguards” to close those gaps
3. Document steps 1 and 2 and retain the records
4. Repeat steps 1 to 3 on a periodic basis

HIPAA Checklist: How to Comply with Rule 4

1. Perform a risk analysis for electronic PHI in your organization
2. Implement safeguards to address the security gaps identified by the risk analysis:
   1. Administrative
   2. Physical
   3. Technical
3. Make sure everything is documented appropriately
4. Repeat steps 1 to 3 on a periodic basis

The HHS Security Rule guidance reproduces Appendix A of the actual Security Rule,
which is effectively a checklist of the items to consider for the administrative, physical,
and technical safeguards that you need. Some HHS guidance documents extend this list with
further items.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least
once. HHS wrote the rules generally so that they could function for organizations of any size,
from one person to thousands, and because of this, only you can decide exactly how your
organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and
Subparts A and C of Part 164.”

#5: Understand the Penalties for Violations


The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establishes
procedures for the investigation of possible HIPAA violations and sets civil money penalties for
infractions. The statutory penalty can reach $50,000 per violation, each day of a continuing
violation counts as a separate violation, and identical violations are capped at $1.5 million per
calendar year, so the total can add up quickly and is not a joke. Violations can also carry
criminal penalties, including fines and imprisonment, but those are prosecuted by the
Department of Justice rather than imposed under HHS regulation.

HIPAA Checklist: How to Comply with Rule 5


This rule becomes directly relevant only if HHS (through its Office for Civil Rights)
investigates your practice, so there is nothing here to do proactively beyond keeping the
documentation required by Rules 3 and 4 current, since that documentation is what an
investigation examines.

#6: Learn How to Handle Information Breaches


The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare
organizations to provide notification after breaches of unsecured PHI. A “breach” is, generally,
an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security
or privacy of that PHI. PHI that has been rendered unusable, unreadable, or indecipherable to
unauthorized persons (for example, encrypted according to HHS guidance) is not “unsecured,”
so its loss alone does not trigger notification. Affected individuals must be notified without
unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach
affecting more than 500 individuals must also be reported to the HHS Secretary within that
same window and, when more than 500 residents of a state or jurisdiction are affected, to
prominent media outlets serving that area; smaller breaches are logged and reported to the
Secretary annually. HHS has further guidance available on the topic.

HIPAA Checklist: How to Comply with Rule 6


Once again, this rule applies only when you identify a breach of PHI, which you should be
monitoring for as part of your compliance with the HIPAA Privacy Rule and Security
Rule (Craig, 2016).

References

Craig, D. M. (2016, August). Complete HIPAA Compliance Checklist. Spruce Health blog.
Retrieved from www.blogsprucehealth.co
