As a small business owner in the digital age, it takes real diligence to protect your business data, along with customer and employee data, as cyberattacks increase. While a data breach might seem like a remote possibility, 43 percent of cyberattacks target small businesses, according to the Verizon 2019 Data Breach Investigations Report (DBIR).
The stakes are higher for small businesses that handle electronic protected health information (ePHI) as part of their core function. It is an ongoing challenge for them to meet the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and protect sensitive patient data. Setting up a system that ensures this data is stored securely and used correctly is a daunting task, so we have put together a HIPAA compliance checklist to make the process easier.
Keeping ePHI private requires a small business to manage many moving parts in order to adhere to the Privacy Rule. These rules have levels of complexity that call for very specific methods of implementing comprehensive privacy and security policies to assure compliance. That is why the first thing a business must do, before going through the checklist, is gain a clear understanding of who must be compliant.
Businesses That Must Be HIPAA Compliant
There are four business classes that must adhere to HIPAA rules. The first three are called “Covered Entities,” while the fourth is called a “Business Associate.” A general breakdown of the four classes:
- Health plans (HMOs, employer health plans, and health maintenance companies)
- Healthcare clearinghouses (healthcare billing services, health management information systems (HMIS), and any entity collecting PHI data from any healthcare entity for processing and/or formatting)
- Healthcare providers (hospitals, group practices, pharmacies, clinics, physicians, surgeons, dentists, podiatrists, optometrists, testing labs/lab technicians and any other individual or organization treating patients)
- Business Associates of the three Covered Entity business classes
According to the Department of Health and Human Services (HHS) regulation at 45 CFR 160.103, a “Business Associate” is a person or business that provides a service, function, or activity for the “Covered Entities” outlined above, where that service or function involves the Business Associate having access to ePHI maintained by the Covered Entity. Some of the businesses that qualify as Business Associates include:
- Claims billing companies
- Independent medical transcriptionists working with physicians
- Consultants performing hospital utilization reviews
- Pharmacy benefits managers that manage a health plan’s pharmacist network
- Third-party administrators assisting health plans with claims processing
- Accounting firms with regular access to ePHI as part of their services to health care providers
- Attorneys with access to ePHI for their services to health plans
- IT contractors working with healthcare entities
- Cloud storage services
- Email encryption services
These and other entities like them must take steps to comply with the HIPAA Security Rule, which is a subset of the HIPAA Privacy Rule. To get a better handle on other business types that fall under the Business Associate designation, you can refer to the HHS Business Associate privacy guidance, a liability fact sheet, and this downloadable PDF.
The HIPAA Security Rule is divided into three primary safeguard categories: technical, physical, and administrative safeguards. These safeguards form the basis for the following HIPAA compliance checklist.
The HIPAA Compliance Checklist
Any business falling into the Covered Entity or Business Associate classification must implement an effective HIPAA compliance program tailored to the business. This checklist serves as a first step in understanding how to create a process for developing such a program. The checklist also works as a means of ongoing self-evaluation for a compliance program, which must include:
- Designating a HIPAA Compliance staff member as required by law
- Performing Annual Self-Audits to identify compliance gaps
- Developing Remediation Plans to fix those gaps and vulnerabilities
- Instituting employee HIPAA Compliance Policies and Procedures Training for handling ePHI, along with a process to document that training
- Developing a Business Associate Management and Associate Agreement documentation process if the business works with any vendors with whom it needs to share ePHI
- Developing a Documentation Process that proves HIPAA compliance in the event of an HHS Office of Civil Rights (OCR) investigation or audit
- Creating an Incident Management Plan that details the process of investigating a breach and reporting it to HHS OCR
OCR released a Fact Sheet on the “Direct Liability of Business Associates,” which lays out the ways small businesses can be liable for non-compliance with certain requirements of the HIPAA Rules. A HIPAA Journal article explains the four HIPAA violation penalty tiers, which are defined by the level of intent and carry fines that can go as high as $1.5 million a year under HHS OCR guidelines.
Although the same article focuses on how HHS OCR has reduced the penalties for HIPAA violations, the fines remain very significant. More importantly, small businesses should understand that the total cost of recovering from such a violation can be much higher once remediation and loss of business are taken into account.
HIPAA rules are in place to make sure any entity collecting, maintaining, or using confidential patient information handles it correctly. Although the law mandates that every Covered Entity and Business Associate adhere to the Privacy Rules, setting up a system that meets every aspect of this checklist is a challenging task.
This HIPAA compliance checklist forgoes the many details and the technology that must be put in place for an effective compliance plan. The fact is that most small businesses will find themselves unprepared to deal with the process on their own, even with in-house IT personnel.
By enlisting a HIPAA technology consultant with a strong track record in compliance management, businesses have a partner that takes the time to learn how they operate. The consultant can then perform a security assessment to find any gaps as part of the process. This sets the stage for them to work with the business to develop, implement, and monitor a compliance program that keeps ePHI data and the business safe today and tomorrow.