HIPAA Compliance Checklist & Guide

By Medicus IT

If you're in the health care industry, then you should already be familiar with HIPAA. If you're new to this field, then it is time to learn what exactly HIPAA is, and how to ensure that you are compliant with the stringent (and necessary) rules that this act contains.

In this post, we'll break down what exactly HIPAA is.

First, we'll talk about what it protects and why was it created.

Then, we'll discuss who has to follow the rules within HIPAA and what covered entities are.

Next, we'll provide you with a HIPAA compliance checklist to get you started on achieving HIPAA compliance.

Last, we'll dive into the penalties for non-compliance with HIPAA, as well as some stories of companies and people who were penalized for breaking the rules outlined in HIPAA — and then finish things up with a quiz to test your knowledge!

Download our HIPAA Security Risk Assessment Checklist to ensure your HIPAA assessment is done right.

HIPAA - What is it, and What Does it Protect?

HIPAA stands for the Health Insurance Portability and Accountability Act.

So, what exactly does it aim to do?

Well, the long title for HIPAA is:

"An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."

That's a bit lengthy obviously, but we can break down the purpose of HIPAA in four simple points:

First, HIPAA provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.

Next, the act reduces the likelihood of health care fraud and abuse.

Third, it mandates industry-wide standards for health care information on electronic billing and other processes.

Last, HIPAA requires the protection and confidential handling of protected health information (PHI).

There are five titles within the act, which are:

  • Title I: Health Care Access, Portability, and Renewability
  • Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  • Title III: Tax-related health provisions governing medical savings accounts
  • Title IV: Application and enforcement of group health insurance requirements
  • Title V: Revenue Offset governing tax deductions for employers

Why Was HIPAA Enacted?

HIPAA was enacted in 1996 by the 104th United States Congress and signed into law by President Clinton.

The Act was created to:

  • Modernize the flow of health care information
  • Stipulate how Personally Identifiable Information (PII) maintained by the health care and health care insurance industries should be protected from fraud and theft
  • Address limitations on health care insurance coverage

Who Has to Be HIPAA Compliant?

According to the U.S. Department of Health and Human Services (HHS), covered entities and business associates both fall under the rules outlined in HIPAA and therefore must be HIPAA compliant at all times.

First, let's break down what a covered entity is.

The three types of covered entities are:

  • Health care providers, including: 
    • Doctors
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing Homes
    • Pharmacies

Note that a health care provider is a covered entity only if it transmits any information in electronic form in connection with a transaction for which HHS has adopted a standard.

  • A Health Plan, including: 
    • Health insurance companies
    • HMOs (Health Maintenance Organization)
    • Company health plans
    • Government programs that pay for health care (i.e., Medicare, Medicaid, and military and veterans health care programs)
  • A Health Care Clearinghouse
    • Entities that process nonstandard health information they receive from another entity into a standard format (or vice versa)

But what constitutes a business associate in terms of HIPAA? 

Well, if a covered entity uses a business associate to help it carry out any of its health care activities and functions, the covered entity must have a written business associate agreement with the business associate that establishes specifically what the business associate has been engaged to do.

This contract will also require the business associate to comply with HIPAA to protect the privacy and security of protected health information.

HIPAA Compliance Checklist

To help ensure that you are HIPAA compliant, here is a handy checklist that will get you started on the right path.

Audits and Assessments

Have you performed the following annual audits and assessments that the HIPAA compliance program requires? You'll also need to have documentation to show that these audits are complete.

[ ] Security Risk Assessment

[ ] Privacy Assessment

[ ] HITECH Subtitle D Audit

[ ] Security Standards Audit

[ ] Asset and Device Audit

[ ] Physical Site Audit

Documenting and Fixing

[ ] Have you clearly documented any issues found during these assessments and audits?

[ ] Have you also created plans for addressing these issues?

HIPAA Training

[ ] Have all your employees gone through annual HIPAA training to ensure compliance throughout your organization?

[ ] Do you have documentation to prove the completion of the training?

[ ] Is someone on staff designated as the HIPAA Compliance/Security Officer?

Contingency Plans in the Event of an Emergency

[ ] Do you have clear and thorough instructions for dealing with data breaches and other emergencies?

[ ] Do you have retrievable backup copies of critical patient information in case you cannot recover lost data?

[ ] Do you update and test your contingency plans to ensure that they are up-to-date and functional?

Encryption of PHI

[ ] Through your risk analysis, have you decided whether encryption of PHI is reasonable and appropriate for your organization?

[ ] If encryption is not reasonable and appropriate, have you documented why and implemented an equivalent alternative measure to protect the confidentiality of PHI?

Identity Management and Access Control

[ ] Have you assigned a unique username (user ID) to every employee who needs access to PHI, so that every access can be traced to one person?

[ ] Do you have guidelines for determining if access to PHI is appropriate for each type of employee?

[ ] Do you have systems in place for terminating access to PHI when an employee leaves the organization?

[ ] Do you have systems in place for recovering any devices that allow access to PHI from employees leaving the organization?

Protecting PHI

[ ] Are your PHI access logs consistently monitored to look for unauthorized access?

[ ] Have you implemented controls to ensure PHI is not altered in an unauthorized manner?
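The checklist items above on unique user IDs, terminating access when an employee leaves, and monitoring PHI access logs come together in one routine review of the audit trail. The following is an added example written for this page, not code from Medicus IT or from any EHR product: it runs three checks over a constructed access log (the log format, the staff roster, the flagged-patient list and the volume threshold are all assumptions made for illustration). The checks mirror the non-compliance stories later on this page: an account that keeps reading records after its owner has left, staff outside the care team opening a high-profile patient's chart, and one account touching an unusual number of distinct patients.

```python
"""Routine review of a PHI access log (added example, constructed data).

Flags three things the HIPAA checklist asks about:
  1. accesses by accounts not in the roster, or whose owner has left;
  2. accesses to flagged (high-profile) records by staff outside the care team;
  3. accounts that opened more distinct patient records than a set threshold.
The log format, roster, flagged list and threshold below are assumptions
for illustration, not any real EHR's schema.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed roster: username -> (role, termination date or None if still employed)
ROSTER = {
    "jdoe":   ("physician", None),
    "asmith": ("billing", None),
    "rlee":   ("physician", date(2024, 3, 1)),   # left the organization on 1 March
    "mkhan":  ("nurse", None),
}

# Constructed list of flagged patient IDs -> usernames on that patient's care team
FLAGGED_PATIENTS = {
    "P-1001": {"jdoe", "mkhan"},
}

# Constructed access log: ISO timestamp, username, patient ID, action
SAMPLE_LOG = """\
2024-03-04T08:01:12 jdoe P-2001 VIEW
2024-03-04T08:05:40 asmith P-1001 VIEW
2024-03-04T09:12:03 rlee P-1001 VIEW
2024-03-04T09:14:55 rlee P-3002 VIEW
2024-03-04T10:00:00 mkhan P-1001 VIEW
2024-03-04T10:30:21 asmith P-2002 VIEW
2024-03-04T10:31:02 asmith P-2003 VIEW
2024-03-04T10:31:45 asmith P-2004 VIEW
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def find_violations(events, roster=ROSTER, flagged=FLAGGED_PATIENTS, max_distinct=3):
    """Return a list of (rule, user, detail, timestamp) findings.

    For per-event rules `detail` is the patient ID; for the volume rule it is
    the number of distinct patients and the timestamp is None.
    """
    findings = []
    distinct_patients = defaultdict(set)
    for e in events:
        user, patient, ts = e["user"], e["patient"], e["ts"]
        if user not in roster:
            # Rule 1a: every access must map to a known, unique user ID.
            findings.append(("unknown_account", user, patient, ts))
        else:
            _role, terminated = roster[user]
            # Rule 1b: access on or after the termination date means the
            # account was not disabled when the employee left.
            if terminated is not None and ts.date() >= terminated:
                findings.append(("access_after_termination", user, patient, ts))
        # Rule 2: flagged records may only be opened by the assigned care team.
        if patient in flagged and user not in flagged[patient]:
            findings.append(("flagged_record_outside_care_team", user, patient, ts))
        distinct_patients[user].add(patient)
    # Rule 3: one account browsing many charts in the review window.
    for user, patients in distinct_patients.items():
        if len(patients) > max_distinct:
            findings.append(("high_volume", user, len(patients), None))
    return findings


if __name__ == "__main__":
    for rule, user, detail, ts in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{rule:36} user={user:8} detail={detail} at={ts}")
```

In the constructed log the script flags asmith (billing) for opening the flagged record and for browsing four distinct charts, and rlee for two accesses after the termination date; mkhan, who is on the care team, produces no finding. In practice the threshold and the review window come from your risk analysis, and each finding should be documented along with its disposition so the review itself is evidence of the monitoring the checklist asks for.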

Secure Disposal of PHI

[ ] Do you have systems in place for properly disposing of PHI to ensure that it is incapable of being reconstructed once it is no longer needed?

[ ] Do you have policies for erasing PHI on electronic devices when they are no longer needed?

Patient Access to Their Health Information

[ ] Can patients obtain access to their health information promptly upon request (the Privacy Rule generally requires a response within 30 days)?

Annual Review of Policies and Procedures

[ ] Do you have documentation to prove you are going through annual reviews of your policies and procedures?

[ ] Have all your employees read and legally attested to the HIPAA policies and procedures?

Business Associates and Vendors

[ ] Do you have Business Associate Agreements with all your business associates?

[ ] Have you done your due diligence to ensure business associates are HIPAA compliant?

[ ] Do you have confidentiality agreements in place with non-business associate vendors?

Process For Security Incidents/Data Breaches

[ ] Do you have a defined process for handling security incidents and data breaches, and is it regularly reviewed?

[ ] Are you able to provide the required breach notifications (to affected individuals and HHS, and to the media when 500 or more individuals are affected) within the required time frames?

Penalties for Non-Compliance and Breaches

Following the rules within HIPAA is not only crucial for keeping patients' data and private information safe; failure to abide by them can also result in some hefty fines.

The civil penalties for HIPAA non-compliance are separated into four tiers, based on the level of culpability. The figures below are the base amounts, which HHS adjusts for inflation; each applies per violation, with a cap of $1.5 million per calendar year for violations of an identical provision.

Being penalized under the first tier means that your organization (a covered entity or business associate) did not know, and by exercising reasonable diligence would not have known, of the violation. Fines range from $100 to $50,000 per violation.

The second tier involves an organization that knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect. Fines in this tier range from $1,000 to $50,000 per violation.

Tier three applies when an organization acted with willful neglect but corrected the violation within 30 days. Fines start at $10,000 and can go as high as $50,000 per violation.

For the fourth and final tier, the organization acted with willful neglect and failed to make a timely correction. Fines start at a whopping $50,000 per violation, again subject to the $1.5 million annual cap.

10 Non-Compliance Stories

UCLA School Of Medicine Surgeon Sentenced to Prison

Losing a job is never easy, but attempting to get even with the employer who fired you can land you in some seriously hot water, especially when it comes to HIPAA.

A surgeon who left his position at the UCLA School of Medicine illegally accessed the UCLA medical records system over 300 times after he was fired.

The health records he looked at included his immediate supervisor's, co-workers', as well as the information of celebrities that included Leonardo DiCaprio, Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger.

After being convicted, the ex-surgeon was sentenced to four months in jail and a $2,000 fine.

Dermatology Practice Comes Under Fire For Lost Flash Drive

Even a private practice must be HIPAA compliant. A dermatology practice was once penalized $150,000 (!) over a lost flash drive that contained the protected health information of its patients and was not encrypted.

In addition to the fine, the practice was also required to implement a corrective action plan to prevent the error from occurring again.

Snooping Employees Fired After Being Caught

A clinic in Virginia had the proper HIPAA safeguards in place and caught 14 of its employees viewing the medical files of high-profile patients without authorization. Because the clinic's records system logged every access, it was able to identify exactly who the culprits were and rightly fire them.

Now that is an excellent example of a health care practice taking HIPAA seriously and ensuring that they remain compliant. While you hopefully trust all your employees, the fact of the matter is there may be a few bad apples in the mix somewhere.

Hospital Wrongly Gives Television Show Access to Patients

Here is a bizarre story from 2013, in which NY MED, a reality show on ABC, filmed two hospital patients without first obtaining their consent. Unfortunately, one of the patients even died during filming.

The Office for Civil Rights (OCR) conducted an investigation and found that the hospital had given ABC virtually unrestricted access to its facility, making it almost impossible to protect the private health information of the patients being filmed.

Due to their negligence, the hospital was fined $2.2 million and was told to create a thorough corrective action plan.

Social Media Post Gets Medical Employee Fired

In 2017, a medical employee was fired after posting information about a car accident victim who died. In the post, the employee had stated that the woman who lost her life "should have worn her seatbelt..."

That may seem like a non-controversial thing to say, but it was an unauthorized disclosure of protected health information, which HIPAA prohibits.

Failure to Sign BAA Leads to $750,000 Fine 

In a case settled in 2016, an orthopedic clinic had hired an outside vendor to convert all the X-ray films on file to digital form. A pretty smart idea, as it allows these files to be transferred and accessed much more easily than passing around the films.

However, the clinic handed the films over without first signing a Business Associate Agreement with the vendor, and in doing so violated HIPAA, badly. The clinic was ultimately left with a $750,000 settlement and needed to implement a corrective action plan.

Accidental Faxing of Medical Records Causes Trouble

A few years ago, an HIV-positive patient requested that his medical records be transferred to his new urologist. The office manager in charge accidentally faxed the documents to the patient's new employer instead.

Instead of the employee being fired or the practice fined, a strong warning was issued, along with a mandate for regular HIPAA training for all of the practice's employees. Accidents and mistakes do happen, but don't expect the Office for Civil Rights to always be this lenient.

Laptop Stolen Equates to $2.5 Million in Fines

After a laptop containing patient medical data was stolen from a parked car, a cardiac monitoring vendor was fined $2.5 million, showing just how seriously the federal government pursues HIPAA cases that involve both third parties and portable digital media.

UCLA Medical Center Employees Get too Nosey

Thirteen workers at the UCLA Medical Center were fired after viewing the medical records of Britney Spears following her 2008 psychiatric hospitalization. Many of the employees were non-medical support staff, and none of them had a legitimate medical need to view the PHI.

Five Separate Data Breaches Conclude with $3.5 Million Settlement

Fresenius Medical Care North America was involved in multiple HIPAA violations across several HIPAA covered entities it owned, which ultimately resulted in five different data breaches. An OCR investigation found risk analysis failures, a lack of policies covering electronic devices, no encryption or alternative safeguards, insufficient physical safeguards, and inadequate security policies. Across the five breaches, 521 patients had their data compromised. In the end, Fresenius Medical Care North America settled for $3.5 million.

HIPAA Quiz - Test Your Knowledge!

Let's see how well you've paid attention. Here are a few questions about HIPAA with the answer below — See how many you can get right!

1. How many different tiers are there for HIPAA fines? 

A.) 2

B.) 10

C.) 4

D.) 5


2. Which of the following is NOT considered a 'covered entity'? 

A.) Health Care Provider

B.) A Health Plan

C.) A Health Care Clearinghouse

D.) A healthy restaurant


3. When was HIPAA enacted? 

A.) 1994

B.) 1995

C.) 1996

D.) 1997


4. Which president signed HIPAA into law? 

A.) Bill Clinton

B.) Ronald Reagan

C.) George H.W. Bush

D.) George W. Bush


5. What is the name of the contract covered entities must have with business associates to ensure HIPAA compliance? 

A.) Associated Agreement

B.) HIPAA Associate Contract

C.) Business Associate Agreement

D.) A Pinky Promise


6. To fall under the third tier penalty, an organization must have acted with willful neglect, but also have corrected the violation within how many days?

A.) 10 days

B.) 30 days

C.) 60 days

D.) 100 days


7. What does PHI stand for? 

A.) Patient Health Information

B.) Protected Health Information

C.) Patient Health Care Initiative

D.) Portable Health Information


8. Which of the following is NOT an assessment or audit that must be completed to maintain HIPAA compliance?

A.) Security Risk Assessment

B.) Physical Site Audit

C.) Financial Statement Audit

D.) Security Standards Audit


9. What does HIPAA stand for? 

A.) Hospital's Internal Patient Accountability Act

B.) Health Insurance Patient and Accountability Act

C.) Health Care Patients and Accountability Act

D.) Health Insurance Portability and Accountability Act


10. How many different titles are within HIPAA? 

A.) 5

B.) 6

C.) 9

D.) 10


11.) Which organization will likely investigate a health care company that is suspected of violating HIPAA?

A.) The Office for Civil Rights (OCR)

B.) The Office of HIPAA Management Control

C.) The Federal Bureau of Investigation

D.) Central Intelligence Agency


12.) What is a Health Care Clearinghouse? 

A.) A health care provider like a dentist or chiropractor

B.) Entities that process nonstandard health information they receive from another entity into a standard

C.) Another name for a health insurance company

D.) Government programs that pay for health care (i.e., Medicare, Medicaid, and military and veterans health care programs)


13.) Which of the following is NOT considered a purpose for HIPAA?

A.) To transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.

B.) To reduce the likelihood of health care fraud and abuse.

C.) To make sure doctors and other health care professionals are using the latest techniques when treating patients

D.)  To ensure the confidential handling of protected health information (PHI).


14.) What does the acronym "PII" stand for? 

A.) Personally Invalid Information

B.) Protected Internet Information

C.) Protected Individual Information

D.) Personally Identifiable Information


15.) What does HHS stand for? 

A.) Health Care and Human Services

B.) Hospitals and Health Care Society

C.) Health Honor Society

D.) U.S. Department of Health and Human Services

Answer Key: 

1.) C 2.) D 3.) C 4.) A 5.) C 6.) B 7.) B 8.) C 9.) D 10.) A

11.) A 12.) B 13.) C 14.) D 15.) D


Why Your HIPAA Security Solutions Are More Important Today Than Ever Before

These days, scammers and hackers are getting more and more creative when it comes to trying to infiltrate your protected information.

Whether through phishing, malware and ransomware, or fraudulent billing, there are now more ways than ever to breach your security systems.

Here at Medicus IT, we focus our services entirely on healthcare because we understand there is a significant need within the industry to keep patient data safe.

We know the complexity of information technology within the medical field. When you're dealing with hundreds, sometimes thousands of patients' data, making sure that information is safe and secure is your highest priority.

By choosing to partner with us, we'll provide you with the following services to ensure your data's safety:

  • HIPAA Security/Compliance
    • Our team has extensive healthcare-specific IT experience and provides ongoing training so that you can rest easy knowing that our engineers are helping your practice maintain HIPAA compliance and reduce potential liability daily.
  • Monthly Reporting
    • Regular reporting is also crucial in the case of an unexpected audit. You can rest assured that you will be able to quickly provide the required information to comply with an auditor's requests.
  • Risk Assessment
    • The HIPAA Security Rule, implemented by the Department of Health and Human Services, requires a risk analysis as the basis for policies and procedures to prevent, detect, contain, and correct security violations.
  • Application Integration
    • We support a wide range of applications. Take a look at a few of the many applications we integrate with here.

To get started on making sure that you're HIPAA compliant and that your information is protected from breaches, contact Medicus IT today!

We are looking forward to hearing from you!

Frequently Asked Questions

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted in 1996 to help keep patients' data safe, as well as to improve other functions of the health care industry.

Which organizations must be HIPAA compliant?

There are three types of covered entities that must be HIPAA compliant: health care providers, health plans, and health care clearinghouses. Their business associates must comply as well.

Why is being HIPAA compliant important?

Organizations that fail to be HIPAA compliant may be subject to severe civil fines, ranging from $100 to $50,000 per violation depending on the level of culpability, with an annual cap of $1.5 million for violations of an identical provision.
