HIPAA Compliance Checklist for 2020

3 min read Michael Carroll on Mar 13, 2020

HIPAA Compliance Checklist for 2020

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. This act, which passed in 1996, protects patient data and rights to that data. HIPAA involves a series of requirements and recommendations for covered entities. Covered entities include health plans, health care clearinghouses, and healthcare providers who transmit ePHI, or electronic protected health information. 

If your company is a covered entity, HIPAA requires you to do everything in your power to protect your patients’ information during data collection, storage, and transmission. In HIPAA’s mandates, the Security Rule includes key guidance for the policies and procedures required to meet HIPAA compliance. This rule consists of three safeguards: administrative, technical, and physical. Use the following checklist to see if your company is following the basics of HIPAA compliance. 

HIPAA Compliance Checklist

Administrative Safeguards

  • Assess Your Risk. Is a specific employee set up to manage and conduct risk assessments to identify potential risks or misuse? 

  • Regular Audits and Risk Assessments. Does your company perform regular audits and risk assessments to evaluate risk, identify noncompliant employees, and improve internal practices?

  • Record of Audits and Risk Assessments. Does your company have a comprehensive and easily accessible record of previous audits and risk assessments?

  • Emergency Protocol. Does your organization have an emergency protocol to protect the integrity of ePHI during an emergency? 

  • Breach Notification. If your company experiences a breach, are processes set up to inform your customers of the breach and potential data corruption? 

  • Third-Party Access. Does your organization restrict third party access to ePHI? Do you review and track Business Associate Agreements (BAAs)? Do you have confidentiality agreements with all your third-party vendors? 

  • Comprehensive Employee Training. Do you train new employees on security requirements and provide additional learning for long term employees?

  • Patient Access to ePHI. Is patient data easily accessible by an authorized patient? Is your organization able to provide patients access to copies of their health information on request? 

  • Notice of Privacy Practices. Has your organization created a notice of privacy practices (NPP)? Is your NPP posted on your website and in a prominent location in your office? Have you given a copy of your NPP to each of your patients?

Technical Safeguards

  • Data Access. Is your database only accessible with a unique username and password to control access? Does your system automatically log out users after a period of inactivity?

  • Data Encryption. If needed, is your data stored and transmitted safely using encryption? 

  • Data Storage. If encryption is not needed, do you have controls set up to prevent unwanted access to ePHI?

  • Proper Deletion. If ePHI is no longer needed or you are requested to delete ePHI, does your organization properly delete ePHI to ensure that it cannot be accessed?

  • Access Logs. Are access logs set up to record access and any alterations to data?

Physical Safeguards

  • Workstation Management. Does your company have policies set up to manage and restrict the use of workstations? 

  • Mobile Device Access. If ePHI is accessible on mobile devices, are policies set up to manage and restrict access on these devices?

  • Proper Disposal. Does your organization correctly dispose of old technology so that ePHI cannot be accessed?

Please note that this checklist is designed to answer top questions about HIPAA compliance and does not qualify as legal advice. We encourage you to reach out to a certified HIPAA expert for advice regarding your company’s specific needs for HIPAA compliance. 

How to Become HIPAA Compliant

If your company is a HIPAA covered entity that collects, stores, and transmits electronic private health information, your technology choices must also meet HIPAA requirements. Features like doctor-patient communication via in-app messaging can quickly deliver information, like test results and recommendations to patients. But, certain features can be risky if data is not secured and does not meet requirements laid out by the HIPAA Security Rule. PubNub has been HIPAA compliant since 2005 so you can be assured that your data is managed safely and securely. 

Tips for HIPAA Compliance

  • Protect the security of your data with secure logins.

  • Encrypt any ePHI to ensure that it is protected during storage and transmission. 

  • Manage access to your database, including your software, your network, and any physical locations to avoid breaches. 

  • Use caution when third parties are handling ePHI. Review your business associate agreement (BAA) to ensure that data access standards are met and data is used appropriately.

  • Use HIPAA compliant APIs to ensure that your app is HIPAA compliant.