HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

by Sarah Harvey / October 25th, 2018

HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Security, Privacy, and Breach Notification Rules.

  • The goal of the Security Rule is to protect ePHI by ensuring its confidentiality, integrity, and availability, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of the Security Rule, it’s vital to understand the three types of safeguards: administrative, technical, and physical. As you’ll see in this checklist, administrative safeguards cover personnel, training, access, and process, while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.
  • The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute protected health information (PHI) without the consent of the individual. If this sensitive data were to end up in the wrong hands, it could negatively impact the individual. There are five main areas of the Privacy Rule according to 45 CFR Part 160 and Subparts A and E of Part 164. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standard, administrative requirements, and uses and disclosures.
  • The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they may need to notify of a breach: patients, HHS, and potentially the media. When you have a breach, you will always need to notify affected patients and HHS – no exceptions. If over 500 individuals have been affected, your covered entity will also need to alert the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

If you need assistance walking through the requirements of the HIPAA Security, Privacy, and Breach Notification Rules, contact a KirkpatrickPrice information security specialist today.