HIPAA IT Compliance Checklist

October 23, 2019   |   Ken Reiher

Struggling with staying on top of HIPAA? Our easy-to-use HIPAA IT compliance checklist will help you keep track of your administrative, technical and physical safeguards.

HIPAA IT compliance can be complex, but managing your compliance strategy and program doesn’t have to be overwhelming, especially with tools (like our handy proactive checklist below), GRC software, and subject matter expertise at your disposal.

The HIPAA Privacy Rule serves to protect all individually identifiable health information – also known as protected health information (PHI) – either stored or transmitted by any covered entity and its business associates. While the goal of the Privacy Rule is to ensure PHI is guarded, it also allows provisions for the flow of information across providers who need to use the information for the best patient care possible. That’s where the Security Rule comes in.

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI), including:

  • Ensuring the confidentiality, integrity and availability of all ePHI created, received, maintained or transmitted;
  • Identifying and protecting against reasonably anticipated threats to the security or integrity of the information;
  • Protecting against reasonably anticipated, impermissible uses or disclosures; and
  • Ensuring workforce compliance.

It’s up to each healthcare organization that stores, uses or transmits PHI to make sure they have the right HIPAA IT compliance controls in place, and that their policies and procedures are documented and updated to comply with the HIPAA rules.

In addition to having policies, procedures and controls in place, you must also have documented evidence that the policies and procedures are actually carried out. This is where a HIPAA IT compliance audit comes into play.

How often do you assess your organization’s HIPAA IT compliance and readiness? Are you prepared in case you get audited?

While a full HIPAA Security audit includes over 70 standards and implementation specifications to review and document, below is a sample list of some of the most critical risk areas to get you started:

  1. Audit and compare terminations in your Active Directory and EMR systems.
  2. Inventory and audit system access by business associate employees, including physician office affiliates.
  3. Conduct audit using CMS Guidance for HIPAA Security.
  4. Perform cybersecurity tactical simulations, including scenarios from the latest industry threats.
  5. Pull random reports on user access for normal work hours. Assess and audit any suspicious off-hour usage.
  6. Conduct table top tests of your Disaster Recovery / Business Continuity plan.
  7. Conduct random audit for operational policy and procedure readiness.
  8. Perform intrusion vulnerability audit, comparing current server patches against the patch list.
  9. Audit PCI data in transit to confirm proper encryption and conformity to standards.
  10. Perform random facility walkthrough audits.
  11. Audit for unauthorized or inappropriate record access by employees and business associates.
  12. Conduct virus detection testing, using detection alerts and random review of PC workstations to confirm integrity of virus protection software.

Want the customizable version of ComplyAssistant’s HIPAA IT compliance checklist? Download it here. You’ll also find suggested frequency for each item on the checklist. 

Additional HIPAA IT compliance tools from ComplyAssistant:

Guide: Fundamental Guide to HIPAA Compliance Software

Guide: Fundamental Guide to HIPAA Security Risk Assessments

Blog: HIPAA and Social Media – The Need for Policies and Training

Free Tool: HIPAA Business Associate Agreement Template

Featured