
The Essential HIPAA Cybersecurity Checklist

Did you know that the average cost of a HIPAA data breach is $3.92 million?

That figure is enough to strike fear in any practice owner’s heart. Investing in HIPAA compliance easily pays for itself if you fend off even one breach. It’s also crucial for earning your patients’ trust and keeping your practice open.

Interested in learning more about how to keep patient information secure? Read on for a HIPAA cybersecurity checklist.

Conduct a HIPAA Cybersecurity Risk Assessment

What are the biggest HIPAA risks at your business or practice? The answers will be different for everyone.

Some entities may need hardened cloud infrastructure. Others need strong encryption for payment and billing systems. The HIPAA Security Rule is deliberately flexible and technology-neutral so that it can scale from a solo practice to a hospital network.

Don’t mistake flexibility for permissiveness. Your entity must still address every security risk it identifies, or face the consequences.

That’s why a risk assessment is always the first step toward HIPAA compliance. The Security Rule makes a risk analysis a required implementation specification (45 CFR 164.308(a)(1)(ii)(A)), and knowing your risk profile is what lets you build a compliance plan that fits your practice instead of a generic one.

A third-party firm may help you identify easily overlooked risks. Risk assessment is a continuous process, not a one-time event, so be sure to regularly re-assess as your business grows and changes.

Create and Update Procedures

Consistent cybersecurity procedures can go a long way towards keeping your firm HIPAA compliant. No amount of high-tech will make up for a lax attitude towards day-to-day security procedures.

What those procedures look like will vary according to what your risk assessment finds. Your policies should be written down and clear.

Do your employees move between workstations during the day? Give each person a unique login (unique user identification is a required specification of the Security Rule) and enforce logout or automatic logoff, so that an open session is never attributed to the wrong person. Do your employees sometimes work from home? Write protocols that keep PHI off personal computers, for example by limiting remote access to practice-managed, encrypted devices.

Invest in Technology

Whether it’s email or cloud computing, your firm will need technical safeguards in place if it handles any kind of electronic PHI.

An ordinary firewall is a starting point, not a finish line. The Security Rule’s technical safeguards (45 CFR 164.312) also call for access controls, audit controls that record activity on systems holding ePHI, mechanisms to protect the integrity of ePHI, person or entity authentication, and transmission security, which in practice means encrypting ePHI in transit and, wherever reasonable and appropriate, at rest. Budget for those capabilities rather than for a more expensive version of a tool you already have.

Train Employees

Between caring for patients and running the business, your employees already have a lot on their plates. HIPAA compliance is yet another high-stakes responsibility, and it’s your job to make sure it doesn’t fall by the wayside.

Make HIPAA compliance training part of your firm’s onboarding. Provide regular refreshers on HIPAA compliance. You may want to pay for your employees to take HIPAA compliance courses.

With adequate training, HIPAA compliance will become less of a burden to your employees. Instead, it can be a second nature while they focus on patient care.

Assign Responsibility

A well-run practice keeps its staff fully occupied without overloading them, which is exactly why compliance tasks are the first to slip when things get busy.

Consider assigning specific HIPAA compliance responsibilities to specific employees to counter this trend. If your firm is large enough, HIPAA compliance could be one or more employees’ full-time jobs.

The goal of having a HIPAA compliance officer isn’t to let other employees off the hook for day-to-day cybersecurity. But a compliance officer can take a holistic, total-firm approach to HIPAA compliance. They can look out for emerging risks and patterns while enforcing day-to-day security procedures.

Don’t Forget Vendors and Partners

If you work with any kind of vendor or business partner, making sure your own firm is HIPAA compliant isn’t enough, and it’s not enough to make sure your transmissions to partners are encrypted. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA, and you must have a signed business associate agreement (BAA) with it before sharing PHI. That partner must also have HIPAA-compliant internal protocols of its own.

If you’re trying to work with another health firm, a credible third-party compliance assessment can go a long way. There is no “official” HIPAA certification program from HHS itself, and a certificate does not by itself make you compliant, but showing a potential partner the results of an independent assessment demonstrates your commitment to HIPAA compliance.

Document Everything

There are many reasons to document every step of your HIPAA compliance journey.

One reason to document is meeting “addressable” implementation specifications. “Required” specifications must be implemented as written by every covered entity. “Addressable” specifications must be assessed: if the measure is reasonable and appropriate for your practice, you implement it; if it isn’t, you document why and implement an equivalent alternative where one is reasonable (45 CFR 164.306(d)). Addressable does not mean optional.

All practices are different, so there’s plenty of variation in how addressable specifications are met.

Proving you meet a required specification is simple: either you implemented it or you didn’t. Proving you meet an addressable one is more involved. You must record the assessment and explain why your chosen measure, or your alternative, is the reasonable and appropriate choice for your business.

Documentation is how you show the HHS Office for Civil Rights (OCR), which enforces HIPAA, your reasoning on addressable specifications. Proper documentation can show why your practice focuses on some cybersecurity practices over others.

Hope For the Best, but Prepare For the Worst

Documentation plays another important role when things go wrong. It can show OCR that you did as much as you reasonably could to keep PHI safe, even if a breach happened anyway. That can make a big difference to the long-term financial consequences of a HIPAA violation.

It’s important to realize that HIPAA compliance isn’t just about having high security standards. It’s also about having a plan for dealing with leaks and cybersecurity failures.

HHS has specific requirements for reporting breaches under the Breach Notification Rule: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS must be notified within the same 60 days if 500 or more individuals are affected, and otherwise within 60 days of the end of the calendar year in which the breach was discovered; and a breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets. Your response plan should include strategies for finding and plugging cybersecurity holes before that clock runs out. Consider offering free identity protection to affected patients.

Never Stop Learning How to Improve Cybersecurity

HIPAA cybersecurity is an ongoing process, not a one-time investment. Auditing, reassessing, and continuing education are all essential to keeping patients safe.

HIPAA Security Suite has years of experience teaching practices how to improve cybersecurity. Interested in learning more about how to keep confidential information protected? Contact us today to learn more about improving your HIPAA cybersecurity compliance.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to 45 CFR 164.308(a)(5) of the HIPAA Security Rule, the standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
