HIPAA compliance prompt library
About this prompt library
This prompt library helps healthcare organizations, health plans, and business associates achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. Use these prompts with ISMS Copilot to build comprehensive HIPAA compliance programs.
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates (service providers handling PHI). Determine your classification before implementing these prompts.
HIPAA applicability and scoping
Covered entity vs. business associate determination
Determine HIPAA applicability to our organization:
Organization type:
- Healthcare provider: [physician, hospital, clinic, pharmacy, etc.]
- Health plan: [insurance, HMO, employer group health plan, etc.]
- Healthcare clearinghouse: [billing service processing health data]
- Business associate: [IT vendor, billing company, cloud provider, consultant handling PHI for covered entities]
- Hybrid entity: [covered entity with healthcare and non-healthcare functions]
HIPAA applicability:
Covered Entity:
- We conduct HIPAA standard transactions electronically (claims, eligibility, etc.): [Yes/No]
- Applicable rules: Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule
- Responsibilities: Implement all HIPAA requirements, execute BAAs with business associates, report breaches
Business Associate:
- We create, receive, maintain, or transmit PHI on behalf of covered entity: [Yes/No]
- Examples: Medical billing, cloud hosting, IT support, legal/accounting services involving PHI access, data analytics
- Applicable rules: Security Rule (in full), applicable Privacy Rule provisions, Breach Notification Rule
- Responsibilities: Execute Business Associate Agreement (BAA), implement security controls, report breaches to covered entity
Subcontractor:
- We handle PHI on behalf of a business associate: [Yes/No]
- Responsibilities: Execute BAA with business associate, implement security controls
Hybrid entity determination (if applicable):
- Healthcare components: [list components subject to HIPAA]
- Non-healthcare components: [list components not subject to HIPAA]
- Must designate healthcare components and apply HIPAA only to those components
PHI in scope:
- Protected Health Information (PHI): Individually identifiable health information (demographic, health condition, healthcare provision, payment) in any form (electronic, paper, oral)
- Electronic PHI (ePHI): PHI in electronic form (databases, files, emails, backups)
Create HIPAA scope statement defining our role, PHI in scope, systems and processes covered, and organizational boundaries (for hybrid entities).
PHI inventory and data flow mapping
Create a comprehensive PHI inventory and data flow map:
PHI categories we handle:
- Demographic: Names, addresses, dates (birth, admission, discharge, death), SSNs, medical record numbers, account numbers, photos, biometrics
- Clinical: Diagnoses, treatments, medications, lab results, clinical notes, images (X-rays, MRIs)
- Financial: Insurance info, billing records, payment history
- Sensitive: Mental health, substance abuse, HIV/AIDS, genetic information, reproductive health
PHI locations and systems:
- Electronic systems: [EHR, practice management, billing, patient portal, PACS, lab systems]
- Databases: [SQL servers, cloud databases]
- File systems: [file servers, SharePoint, cloud storage]
- Backups: [backup media, cloud backups, offsite storage]
- Paper records: [medical charts, filing systems, storage locations]
- Mobile devices: [laptops, tablets, smartphones with PHI access]
- Portable media: [USB drives, external hard drives, CDs/DVDs]
PHI flows:
- Collection: How PHI enters organization (patient registration, provider documentation, claims, referrals)
- Use: Internal use (treatment, payment, healthcare operations)
- Disclosure: External sharing (referrals, billing, health information exchanges, public health reporting)
- Storage: Where and how long PHI is stored
- Disposal: How PHI is disposed at end of retention
Data flow diagram:
- Map PHI from collection → use → disclosure → storage → disposal
- Identify all touchpoints, systems, and personnel
- Highlight external PHI sharing (requires BAA if to business associate)
PHI retention:
- Medical records: [federal/state requirements, typically 6-10 years post-discharge, or until the age of majority for minors]
- Billing records: [6+ years for Medicare/Medicaid]
- Minimum necessary: Retain only as long as needed for legal/business purposes
Create PHI inventory, data flow diagrams, and retention schedule suitable for Privacy Officer and Security Officer management and HHS audits.
HIPAA Privacy Rule compliance
Privacy policies and procedures
Develop Privacy Rule policies and procedures per 45 CFR §164.530:
Privacy policy framework:
1. Uses and Disclosures (§164.502, §164.506, §164.508):
- Treatment, Payment, Healthcare Operations (TPO): Permitted without authorization
- Required disclosures: To individual (access requests), to HHS (compliance reviews)
- Permitted disclosures: Public health, law enforcement, judicial proceedings, research, etc.
- Prohibited disclosures: Marketing, sale of PHI (require authorization with exceptions)
2. Notice of Privacy Practices (NPP) (§164.520):
- Required content: How we use/disclose PHI, individual rights, our duties, complaint process, effective date
- Distribution: Provide at first service delivery, post prominently, available on request, website posting
- Acknowledgment: Obtain individual's acknowledgment of receipt (best effort)
- Revisions: Revise NPP when material changes, redistribute or post revised notice
3. Authorization (§164.508):
- Required for: Marketing, sale of PHI, psychotherapy notes, most research
- Authorization elements: PHI description, purpose, recipients, expiration, right to revoke, signature
- Valid authorization: Specific, informed, voluntary, not compound (combined with other documents)
4. Minimum Necessary (§164.502(b), §164.514(d)):
- Limit PHI use/disclosure to minimum necessary to accomplish purpose
- Exceptions: Treatment, disclosures to individual, authorized disclosures, required by law
- Implementation: Role-based access, need-to-know policies, routine disclosures limited to standard amounts
5. Individual Rights (§164.520-528):
- Right to access: Provide PHI copy within 30 days (extendable by 30 days once), reasonable fees allowed
- Right to amend: Allow corrections to inaccurate/incomplete PHI, may deny with explanation
- Right to accounting of disclosures: List disclosures (excluding TPO, to individual, authorized) for 6 years, provide within 60 days
- Right to request restrictions: Honor restrictions on disclosures to health plans for self-pay services, may deny other requests
- Right to request confidential communications: Accommodate reasonable requests (alternative address/phone)
6. Administrative Requirements (§164.530):
- Privacy Officer designation: Responsible for privacy compliance
- Workforce training: Train all workforce on privacy policies and procedures
- Sanctions: Disciplinary actions for privacy violations
- Mitigation: Mitigate harmful effects of unauthorized use/disclosure
- Refraining from intimidation or retaliation: Protect individuals exercising rights or filing complaints
- Waiver of rights prohibited: Cannot require individuals to waive privacy rights
- Documentation: Retain policies, procedures, training, complaints, actions for 6 years
Create privacy policy manual, Notice of Privacy Practices, authorization forms, individual rights request forms, and training materials.
Business Associate Agreements (BAAs)
Develop and execute Business Associate Agreements per §164.504(e):
Business associates requiring BAA:
- IT vendors: [cloud hosting, EHR vendors, IT support with PHI access]
- Billing and claims: [medical billing companies, clearinghouses]
- Legal and financial: [attorneys, accountants, consultants reviewing PHI]
- Administrative: [shredding services, copy services, courier services handling PHI]
- Other: [actuaries, data analytics, accreditation bodies]
Business associates NOT requiring BAA:
- Conduit exception: Transmission only with no access (e.g., internet service provider, phone company)
- Workforce members: Employees and volunteers (covered by workforce policies)
Required BAA provisions (§164.504(e)(2)):
1. Permitted uses and disclosures:
- Specify purposes BA may use/disclose PHI (limited to services for covered entity)
- Minimum necessary requirements
- No use/disclosure except as permitted by BAA or required by law
2. Safeguards:
- Implement appropriate safeguards to prevent impermissible use/disclosure
- Comply with Security Rule (§164.308, §164.310, §164.312, §164.316)
3. Subcontractors:
- Ensure subcontractors agree to same restrictions (flow-down BAAs)
- List of subcontractors or approval mechanism
4. Reporting:
- Report unauthorized use/disclosure, security incidents, breaches to covered entity
- Timeline: As soon as practicable, specific breach reporting timelines
5. Individual rights:
- Provide access to PHI within the required time frame (30 days)
- Make amendments to PHI at covered entity's request
- Provide accounting of disclosures
- Make PHI available for covered entity's accounting
6. Compliance and audits:
- Make internal practices, books, records available to HHS for compliance reviews
- Allow covered entity to audit BA compliance
7. Termination:
- Covered entity right to terminate if BA violates material term
- Return or destroy PHI at termination (if feasible), or extend protections if not feasible
8. Liability and indemnification:
- Liability for breaches and violations
- Indemnification for costs resulting from BA breach (negotiable)
BAA execution:
- Execute BAA before disclosing PHI to BA
- Review and update BAAs periodically (at least every 3 years or when services change)
- BA register: Track all BAs, BAA status, renewal dates
Create BAA template (legal review recommended), BA inventory, and BAA management procedure.
HIPAA Security Rule compliance
Security risk assessment
Conduct HIPAA Security Rule risk assessment per §164.308(a)(1)(ii)(A):
Risk assessment methodology (required implementation specification):
1. Scope definition:
- All ePHI: [systems, applications, databases, files, backups, mobile devices]
- All locations: [facilities, data centers, cloud environments]
- All access points: [user access, APIs, interfaces, network connections]
2. Asset inventory:
- IT assets: Hardware, software, networks, data stores
- ePHI assets: Databases, files, backups, transmissions
- Supporting infrastructure: Power, HVAC, physical security
3. Threat identification:
- Environmental: Natural disasters, fires, floods, power outages
- Human: Hacking, malware, ransomware, phishing, insider threats, social engineering, physical theft
- Technical: System failures, software bugs, misconfigurations
- HIPAA-specific: Unauthorized access/disclosure, data integrity compromise, availability loss
4. Vulnerability assessment:
- Technical vulnerabilities: Unpatched systems, weak authentication, unencrypted data, misconfigured firewalls
- Physical vulnerabilities: Unsecured facilities, inadequate access controls, lack of monitoring
- Administrative vulnerabilities: Insufficient policies, lack of training, inadequate oversight
5. Likelihood and impact analysis:
- Likelihood: Probability of threat exploiting vulnerability (Low/Medium/High)
- Impact: Harm to confidentiality, integrity, availability of ePHI (Low/Medium/High)
- HIPAA impact categories: Unauthorized access, unauthorized disclosure, data alteration, data destruction, unavailability
6. Risk determination:
- Risk level: Likelihood x Impact = Risk rating (Low/Medium/High/Critical)
- Existing security measures (current state)
- Gap analysis (required controls vs. implemented)
7. Risk treatment:
- Mitigation: Implement security measures to reduce risk
- Acceptance: Accept residual risk (document rationale for low risks)
- Avoidance: Eliminate risky process or system
- Transfer: Cyber insurance, contractual liability shifts
Risk assessment deliverables:
- Asset inventory
- Threat and vulnerability catalog
- Risk register (threat, vulnerability, likelihood, impact, risk level, controls, residual risk)
- Risk treatment plan (prioritized remediation actions, owners, timelines)
- Executive summary for management review and approval
Risk assessment frequency:
- Initial: Before implementing ePHI systems
- Ongoing: At least annually, or when significant changes (new systems, incidents, regulation changes)
Create risk assessment methodology, risk register template, and annual assessment schedule.
Administrative safeguards (§164.308)
Implement HIPAA Security Rule administrative safeguards:
§164.308(a)(1) Security Management Process (Required):
- (i) Risk Analysis: Conduct risk assessment [as above]
- (ii) Risk Management: Implement controls to reduce risks to reasonable and appropriate level
- (iii) Sanction Policy: Disciplinary actions for security violations
- (iv) Information System Activity Review: Regular review of logs, access reports, security incidents
§164.308(a)(2) Assigned Security Responsibility (Required):
- Designate Security Officer: Responsible for developing and implementing security policies
- Security Officer role: [name, qualifications, authority, reporting line]
§164.308(a)(3) Workforce Security (Required):
- (i) Authorization and supervision: Authorize workforce access based on role, supervise access
- (ii) Workforce clearance: Determine access appropriateness before granting (background checks, role verification)
- (iii) Termination procedures: Revoke access upon termination, deactivate accounts, retrieve devices
- Joiner/Mover/Leaver (JML) process for ePHI access lifecycle
§164.308(a)(4) Information Access Management (Required):
- (i) Access authorization: Grant access based on role, minimum necessary
- (ii) Access establishment and modification: Formal process for provisioning and changes
- Role-based access control (RBAC): Define roles (physician, nurse, billing, IT) and associated access
- Least privilege: Users have only access needed for job functions
§164.308(a)(5) Security Awareness and Training (Required):
- (i) Security reminders: Periodic awareness communications (phishing tips, password hygiene, device security)
- (ii) Protection from malicious software: Training on malware risks and prevention
- (iii) Log-in monitoring: Educate users on monitoring and reporting suspicious log-in attempts
- (iv) Password management: Training on strong passwords, password managers, not sharing passwords
- Training frequency: Annual mandatory training, new hire onboarding, role-specific training
§164.308(a)(6) Security Incident Procedures (Required):
- Incident response and reporting: Detect, respond, report, mitigate security incidents
- HIPAA incident types: Unauthorized access, ransomware, phishing, lost devices, improper disposal
- Incident response plan addressing detection, containment, investigation, remediation, reporting
§164.308(a)(7) Contingency Plan (Required):
- (i) Data backup plan: Regular backups of ePHI, test restorations
- (ii) Disaster recovery plan: Procedures to restore ePHI and systems after disaster
- (iii) Emergency mode operation: Maintain critical functions during emergency
- (iv) Testing and revision: Test contingency plans periodically, revise based on results
- (v) Applications and data criticality analysis: Identify critical systems and data for prioritization
§164.308(a)(8) Evaluation (Required):
- Periodic technical and non-technical evaluation: Assess security posture compliance with Security Rule
- Frequency: At least annually or after environmental/operational changes
- Internal audits, vulnerability assessments, penetration testing, policy reviews
§164.308(b) Business Associate Contracts (Required):
- Execute BAAs with satisfactory assurances of ePHI safeguarding (as above)
Create policies and procedures for each administrative safeguard, training materials, incident response plan, contingency plan, and evaluation schedule.
Physical safeguards (§164.310)
Implement HIPAA Security Rule physical safeguards:
§164.310(a)(1) Facility Access Controls (Required):
- (i) Contingency operations: Procedures to access facility during emergency
- (ii) Facility security plan: Safeguard facility and equipment from unauthorized physical access, tampering, theft
- (iii) Access control and validation: Control and validate physical access (badge systems, visitor logs, escorts)
- (iv) Maintenance records: Document repairs and modifications to physical security (locks, alarms, cameras)
Physical security measures:
- Perimeter security: Fencing, lighting, surveillance cameras
- Access control: Badge readers, biometric scanners, PIN pads, security guards
- Visitor management: Sign-in/out, badges, escorts for non-employees
- Alarms and monitoring: Intrusion detection, 24/7 monitoring, response procedures
§164.310(a)(2) Workstation Use (Required):
- Policies on workstation functions, manner of use, physical security
- Workstation placement: Locate away from public areas, screen privacy filters
- Workstation controls: Auto-lock screens, log off when away, no unauthorized access
§164.310(a)(3) Workstation Security (Required):
- Physical safeguards for workstations accessing ePHI
- Cable locks, locked offices, screen positioning to prevent viewing
§164.310(b) Device and Media Controls (Required):
- (i) Disposal: Securely dispose of ePHI and hardware/media (shredding, degaussing, wiping, destruction)
- (ii) Media re-use: Remove ePHI before re-use (wiping, reformatting)
- (iii) Accountability: Track hardware and media movements (asset tracking, chain of custody)
- (iv) Data backup and storage: Create and maintain retrievable ePHI backups (offsite, encrypted)
Device and media security:
- Mobile device management (MDM): Encryption, remote wipe, access controls for laptops, tablets, smartphones
- Portable media controls: Encrypt USB drives, limit use, track distribution
- Disposal procedure: Certified destruction for hard drives and media, certificates of destruction
Facility types to address:
- Healthcare facilities: Clinics, hospitals, surgical centers (patient access areas vs. administrative areas)
- Data centers: [on-prem or colocation] - physical security, environmental controls, access logs
- Offices: Administrative and billing offices
- Remote work: Home offices and telehealth setups (limited physical control, rely on technical safeguards)
Create facility security plan, workstation use policy, device and media disposal procedures, and asset tracking system.
Technical safeguards (§164.312)
Implement HIPAA Security Rule technical safeguards:
§164.312(a)(1) Access Control (Required):
- (i) Unique user identification: Assign unique ID to each user (no shared accounts)
- (ii) Emergency access: Procedures for obtaining ePHI during emergency (break-glass accounts, emergency access logs)
- (iii) Automatic logoff: Auto-lock or logoff after inactivity period (e.g., 15 minutes)
- (iv) Encryption and decryption: Encrypt ePHI (addressable but highly recommended given HHS guidance and state breach notification laws)
Access control implementation:
- User IDs: Unique usernames, no generic or shared accounts
- Authentication: Passwords (complexity, length, no reuse), multi-factor authentication (MFA) for remote access and privileged accounts
- Session management: Timeouts, automatic logoff
- Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit
§164.312(b) Audit Controls (Required):
- Implement mechanisms to record and examine ePHI access and activity
- Audit logging: Who accessed what ePHI, when, from where, what action (view, edit, print, export)
- Log retention: Minimum 6 years per HIPAA documentation requirement
- Log review: Regular review for unauthorized access, suspicious activity
- SIEM or log management for centralized logging and alerting
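One way a Security Officer could mechanise the audit-control review described above, as an added example (not code from the original page or from ISMS Copilot): it checks constructed ePHI access-log lines against an assumed role policy, care-team table and approved-network list, flagging shared logins, actions outside the user's role, access to patients with no treatment or billing relationship, and access from unapproved addresses. The log format, role policy, care-team data and network ranges are all assumptions made for the illustration.

```python
"""Review ePHI audit-log lines for the conditions an audit-control review
(§164.312(b)) looks for: shared logins, actions outside the user's role,
access to patients the user has no treatment or billing relationship with,
and access from outside approved networks.

Added illustration, not ISMS Copilot's code. Log format, role policy,
care-team table and network ranges are constructed assumptions.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed role policy (RBAC, §164.308(a)(4)): actions each role may take.
ROLE_PERMITTED_ACTIONS = {
    "physician": {"view", "edit", "print"},
    "nurse": {"view", "edit"},
    "billing": {"view", "export"},
    "it": set(),  # IT administers systems; it has no routine need to read ePHI
}

# Constructed: generic logins that defeat unique user identification (§164.312(a)).
SHARED_ACCOUNTS = {"admin", "frontdesk", "shared", "nurse1"}

# Constructed: patients each user has a treatment/billing relationship with
# (minimum necessary, §164.502(b)). Users absent here have no relationships.
CARE_TEAM = {
    "dr.patel": {"P1001", "P1002"},
    "rn.garcia": {"P1001"},
    "bill.ops": {"P1001", "P1002", "P1003"},
}

# Constructed: networks from which ePHI access is expected (clinic LAN, VPN pool).
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample log: timestamp,user,role,patient_id,action,source_ip
SAMPLE_LOG = """timestamp,user,role,patient_id,action,source_ip
2024-03-04T09:12:00,dr.patel,physician,P1001,view,10.0.1.15
2024-03-04T09:15:00,rn.garcia,nurse,P1003,view,10.0.1.22
2024-03-04T09:20:00,frontdesk,billing,P1002,view,10.0.1.30
2024-03-04T09:25:00,rn.garcia,nurse,P1001,print,10.0.1.22
2024-03-04T09:30:00,bill.ops,billing,P1002,export,10.0.1.40
2024-03-04T22:41:00,dr.patel,physician,P1002,view,203.0.113.9
"""


def review_audit_log(log_text):
    """Return one finding dict per suspicious event; empty list when clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, role, patient = row["user"], row["role"], row["patient_id"]
        action, ip = row["action"], ipaddress.ip_address(row["source_ip"])

        def flag(check, detail):
            findings.append({"timestamp": row["timestamp"], "user": user,
                             "patient_id": patient, "check": check, "detail": detail})

        # Who: a shared login cannot be tied to one accountable person.
        if user in SHARED_ACCOUNTS:
            flag("shared_account", f"login {user!r} is a shared/generic account")
        # What action: anything outside the role's permitted set is a policy violation.
        if action not in ROLE_PERMITTED_ACTIONS.get(role, set()):
            flag("role_violation", f"role {role!r} may not {action!r}")
        # Which record: no documented relationship with the patient (snooping risk).
        if patient not in CARE_TEAM.get(user, set()):
            flag("no_relationship", f"{user} has no care/billing relationship with {patient}")
        # From where: source address outside the approved networks.
        if not any(ip in net for net in APPROVED_NETWORKS):
            flag("external_source", f"access from unapproved address {ip}")
    return findings


def summarize(findings):
    """Count findings per check so the reviewer sees which control is failing."""
    return Counter(f["check"] for f in findings)


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['user']:<10} {f['check']:<16} {f['detail']}")
    print(dict(summarize(results)))
```

Each finding carries the timestamp, user and record so it can be filed as evidence of the periodic log review (§164.308(a)(1)(ii)(D)) or escalated into the incident procedure.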
§164.312(c)(1) Integrity (Required):
- (i) Mechanism to authenticate ePHI: Ensure ePHI not improperly altered or destroyed
- Integrity controls: Checksums, hashing, digital signatures, version control, access controls preventing unauthorized modification
- Backup integrity: Verify backups not corrupted
§164.312(d) Person or Entity Authentication (Required):
- Verify identity of persons or entities accessing ePHI
- Authentication methods: Passwords, MFA, biometrics, smart cards, certificates
- Device authentication: Certificates for devices accessing ePHI systems
§164.312(e)(1) Transmission Security (Required):
- (i) Integrity controls: Ensure ePHI not improperly altered during transmission (hashing, digital signatures)
- (ii) Encryption: Encrypt ePHI during transmission (addressable but highly recommended)
- Transmission encryption: TLS/SSL for web, VPN for remote access, encrypted email (S/MIME, PGP), SFTP/FTPS for file transfers
- Integrity controls: Checksums, message authentication codes (MACs)
Technical safeguard tools and technologies:
- Identity and access management (IAM): [Active Directory, Okta, Azure AD]
- MFA solutions: [Duo, Okta, Azure MFA, FIDO2 keys]
- Encryption: [BitLocker, FileVault for endpoints; TDE for databases; TLS for web/APIs]
- Audit and logging: [SIEM platform, EHR audit logs, access logs]
- Network security: [firewalls, IDS/IPS, network segmentation]
Create technical safeguard policies, configuration standards (encryption, MFA, logging), and technical controls implementation plan.
Breach Notification Rule compliance
Breach assessment and notification
Implement HIPAA Breach Notification Rule per 45 CFR §164.400-414:
Breach definition:
- Acquisition, access, use, or disclosure of PHI in violation of Privacy Rule
- Compromises security or privacy of PHI
- Exclusions: Unintentional good-faith access/use by a workforce member within the scope of authority; inadvertent disclosure between persons authorized at the same entity; disclosure where the recipient could not reasonably have retained the information
Breach assessment (4-factor risk assessment):
When impermissible use/disclosure occurs, assess if it constitutes a breach requiring notification:
1. Nature and extent of PHI:
- Types and amount of PHI (names, SSNs, diagnoses, financial info)
- Sensitivity (mental health, HIV/AIDS, substance abuse = higher risk)
2. Unauthorized person who used/received PHI:
- Who accessed PHI? (another provider, hacker, unauthorized employee, public)
- Relationship to organization (insider vs. outsider)
3. Was PHI actually acquired or viewed:
- Actual access or just opportunity? (logs confirm viewing vs. potential exposure)
- PHI re-disclosed further?
4. Extent of mitigation:
- Received assurances PHI not further disclosed (signed confidentiality agreement)
- Deleted or destroyed by recipient
- Retrieved PHI before viewing
Conclusion:
- Low risk of harm to individuals → No breach notification required (document decision)
- Breach (risk of harm exists) → Notification required
Breach notification requirements:
1. Notification to individuals (§164.404):
- Timeline: Without unreasonable delay, no later than 60 days of discovery
- Method: Written notice (first-class mail or email if individual agreed to electronic notice)
- Substitute notice if contact info insufficient: Website notice or media notice (if >10 individuals)
- Content:
- Description of breach (what happened, when discovered)
- Types of PHI involved
- Steps individuals should take to protect themselves (credit monitoring, fraud alerts, etc.)
- What organization is doing to investigate, mitigate, prevent future breaches
- Contact information for questions
2. Notification to HHS (§164.408):
- Breaches affecting 500+ individuals: Within 60 days of discovery, contemporaneous with individual notice, via HHS website portal
- Breaches affecting
HIPAA compliance program management
Ongoing compliance and audit readiness
Establish HIPAA compliance program management:
Compliance program structure:
1. Privacy and Security Officers:
- Privacy Officer: Oversees Privacy Rule compliance, handles complaints, individual rights
- Security Officer: Oversees Security Rule compliance, risk assessments, incident response
- Combined role for small organizations or separate for larger organizations
2. Policies and procedures:
- Privacy policies (uses/disclosures, individual rights, NPP, authorizations)
- Security policies (administrative, physical, technical safeguards)
- Breach Notification procedures
- Policy maintenance: Review and update annually or when regulations/operations change
3. Training:
- Privacy training: All workforce on Privacy Rule, NPP, individual rights, minimum necessary
- Security training: All workforce on safeguards, incident reporting, password security
- Role-specific training: Specialized training for privacy/security officers, IT, clinicians, billing
- Frequency: Annual mandatory, new hire onboarding
- Documentation: Training completion records, curriculum, attendance
4. Monitoring and auditing:
- Internal audits: Annual compliance audits (policies, access controls, audit logs, BAAs)
- Risk assessments: Annual security risk assessments
- Audit log reviews: Regular review of ePHI access logs for unauthorized access
- Complaint tracking: Log and investigate privacy/security complaints
5. Incident and breach management:
- Incident response: Detect, investigate, contain, remediate security incidents
- Breach assessment: 4-factor risk assessment for impermissible uses/disclosures
- Breach notification: Individual, HHS, media notifications per timeline
- Post-incident review: Lessons learned, corrective actions
6. Business associate management:
- BA inventory: Track all BAs and BAA status
- BAA execution: Before PHI disclosure
- BA oversight: Periodic reviews, audit rights exercise, incident notification follow-up
7. Documentation and recordkeeping:
- Retain for 6 years: Policies, procedures, training records, risk assessments, audit logs, breach logs, complaints, BAAs
- Documentation for HHS audits or investigations
8. Corrective action:
- Address deficiencies from audits, incidents, risk assessments
- Corrective action plans with owners, timelines, validation
- Track to closure
HHS audit readiness:
HHS Office for Civil Rights (OCR) enforcement:
- Complaint investigations: Respond to complaints from individuals
- Compliance reviews: Proactive audits of covered entities and BAs (HIPAA Audit Program)
- Breach investigations: Investigate breaches affecting 500+ individuals
Audit preparation:
- Documentation repository: Centralized compliance documentation
- Point of contact: Designate compliance contact for OCR
- Response procedures: How to respond to OCR requests (legal counsel advisable)
- Corrective action: Address findings promptly to demonstrate good faith
Common HIPAA violations and penalties:
- Lack of risk assessment: Most common deficiency, required annually
- Insufficient access controls: Excessive access, no unique user IDs, no MFA
- Lack of encryption: While addressable, lack of encryption often cited if breach occurs
- Missing BAAs: No BAAs with business associates
- Delayed breach notification: Missing 60-day notification deadlines
- Inadequate training: No training or outdated training
Penalties:
- Civil penalties: $100 to $50,000+ per violation, up to $1.5M per year for repeated violations
- Criminal penalties: Up to $250,000 fines and 10 years imprisonment for willful violations
- State enforcement: State attorneys general can enforce HIPAA for state residents
Create compliance program charter, audit schedule, corrective action tracking system, and OCR response procedures. HIPAA compliance is not a one-time project—it requires ongoing risk assessment, training, monitoring, and improvement. Build a culture of privacy and security to sustain compliance and protect patient trust.