HIPAA Compliance Checklist

The 4 Point HIPAA Compliance Checklist

Two months back, in February 2016, Lincare, Inc. was fined $239,000 for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But the story of how it got fined is even more interesting.

Lincare is a supplier of medical equipment, including respiratory care and infusion therapy equipment, which it delivers directly to patients' homes. To do this, Lincare employees often have to bring patient-specific records (name, address, contact numbers, and details of the care being provided) to the patients' homes. Such records are Protected Health Information (PHI) under HIPAA.

One of Lincare's managers, Faith Shaw, removed medical records from a Lincare operating center and kept the documents at her home over a period of nine months. She also, unfortunately, kept records in the car she shared with her then-husband, Richard Shaw. When the couple separated and Ms. Shaw moved out of the home, she left the records behind.

Several months later, Mr. Shaw discovered the records under a bed and in a kitchen drawer. He delivered the records to the Office for Civil Rights (OCR), which enforces HIPAA, and filed a complaint. OCR opened an investigation into Lincare's HIPAA compliance.

The result? A $239,000 civil money penalty.


If that sounds steep, here is some more data on HIPAA non-compliance penalties:

  • NewYork-Presbyterian Hospital and Columbia University (New York City) fined $4.8 million in May 2014
  • Cignet Health (Temple Hills, Md.) fined $4.3 million in February 2011
  • Concentra Health Services (Addison, Texas) fined $1.7 million

You can check the top 15 biggest data breach settlements and HIPAA fines here!

Maximum HIPAA Fines

OCR (the Office for Civil Rights) has just launched the second round of HIPAA audits. Medical and health professionals do seem better informed about HIPAA than before: recent surveys report that 69 percent of professionals know and understand the HIPAA Omnibus Rule.

That’s also putting pressure on software companies to develop software and systems that comply with HIPAA rules.

Even though HIPAA looks plain and simple, keeping PHI confidential requires complying with certain rules. There are basically 4 major parts of HIPAA compliance that you need to understand:

  1. HIPAA Breach Notification Rule
  2. HIPAA Privacy Rule
  3. HIPAA Security Rule
  4. HIPAA Enforcement Rule

But what does it all mean for software companies? And what do they have to keep in mind before they start developing a product for hospitals? Well here is the answer:

HIPAA Compliance Checklist

Here’s the HIPAA compliance checklist for all software managers and companies. This checklist is also useful for hospitals (they’ll be our example) so that they know what to ask for from the software companies.

#1 Does the software package track the actions of each person involved?

In hospitals and other medical institutions, many people are involved in a single task, and the staff is extremely diverse in its functions. That's why the HIPAA Security Rule requires audit controls: mechanisms that record and let you examine activity in systems that contain PHI, so that you can establish who did what.

Technically, this means keeping an electronic audit log of what each user did in the software package. From the log you must be able to trace the activity of every person: which records they accessed, when, and whether each record was merely viewed, updated, or deleted, down to the individual patient record. The log itself also has to be protected, because an audit trail that anyone can quietly edit proves nothing.

If you are a software person, you will have figured out by now that this implies each user must have a unique user ID and their own credentials. Shared logins ("nurse station", "frontdesk") make the audit trail meaningless, since the log can no longer say which person acted.
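The following is an added example, not code from the article or from any product it describes, of what "track the actions of each person" looks like in practice: an append-only audit log keyed by a unique user ID, recording the action (view, update, delete) against an individual patient record, with each entry hashed over the previous one so that later edits to the trail are detectable. The field names, the SHA-256 hash chain, and the sample users and patient IDs are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not code from the article. The field names and the hash chain
# are assumptions about how such an audit log could be built.
ACTIONS = {"view", "update", "delete"}
GENESIS = "0" * 64  # previous-hash value used for the very first entry


class AuditLog:
    """Append-only, tamper-evident log of who did what to which patient record."""

    def __init__(self):
        self.entries = []  # list of dicts; entries are never edited after append

    def record(self, user_id, action, patient_id, timestamp=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not user_id:
            # No individual user, no entry: anonymous access is not auditable.
            raise ValueError("user_id is required")
        entry = {
            "user_id": user_id,        # unique per person, never a shared login
            "action": action,
            "patient_id": patient_id,  # granularity: the individual record
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, using a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def history_for_patient(self, patient_id):
        """Who touched this record, when, and how: the question an investigator asks."""
        return [(e["timestamp"], e["user_id"], e["action"])
                for e in self.entries if e["patient_id"] == patient_id]


def sample_log():
    """Constructed sample activity with fictional users and patient IDs."""
    log = AuditLog()
    log.record("dr_patel", "view", "P-1001", "2016-04-01T09:00:00+00:00")
    log.record("rn_jones", "update", "P-1001", "2016-04-01T09:05:00+00:00")
    log.record("dr_patel", "delete", "P-2002", "2016-04-01T09:10:00+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.history_for_patient("P-1001"))
    print(log.verify())                 # (True, None)
    log.entries[1]["action"] = "view"   # someone edits the trail after the fact...
    print(log.verify())                 # ...and the chain breaks at index 1
```

In a deployed system the log would be written to storage the application users cannot modify and the latest hash would be anchored somewhere separate (a signed daily digest, for instance); the chain shown here only makes tampering detectable, it does not prevent it.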

#2 Does the software take care of patient-based security?

HIPAA requires that each class of user (doctor, nurse, administration, finance, etc.) have a defined role, with the PHI each role needs identified in advance.

Let's take an example to see what this means. A doctor and a nurse have different roles. Even though both need to know a lot about the patient, their need for information differs, and a nurse wouldn't need the same details as a doctor.

This is HIPAA's "minimum necessary" standard: each employee should be able to see only the information needed for the job. In software terms that means role-based access control enforced at the field level, not just a login: deny by default, and narrow what each role can view, change, or delete. The idea is to keep the information about the patient safe and secure even from insiders who hold a legitimate account.
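As an added illustration of the minimum necessary standard (this is example code, not from the article or any product it mentions), the block below enforces role-based, field-level access: each role maps to the set of fields it may view and update, anything not listed is denied, and the record returned to a caller contains only the permitted fields. The roles, field names, and the assignment of fields to roles are assumptions; a real system derives them from the covered entity's own workforce analysis.

```python
# Added example, not code from the article. Roles, fields, and which role may
# do what are illustrative assumptions.

ALL_FIELDS = frozenset({
    "name", "dob", "room", "allergies", "medications",
    "diagnosis", "notes", "insurance_id", "billing_address",
})

# role -> action -> fields. Anything not listed here is denied.
ROLE_POLICY = {
    "physician": {
        "view": ALL_FIELDS,
        "update": {"diagnosis", "medications", "notes", "allergies"},
        "delete": set(),
    },
    "nurse": {
        "view": {"name", "dob", "room", "allergies", "medications"},
        "update": {"room", "allergies"},
        "delete": set(),
    },
    "billing": {
        "view": {"name", "dob", "insurance_id", "billing_address"},
        "update": {"insurance_id", "billing_address"},
        "delete": set(),
    },
}


class AccessDenied(PermissionError):
    pass


def permitted_fields(role, action):
    """Deny by default: an unknown role or action yields the empty set."""
    return ROLE_POLICY.get(role, {}).get(action, set())


def view_record(role, record):
    """Return a copy of the record holding only the fields this role may see."""
    allowed = permitted_fields(role, "view")
    visible = {k: v for k, v in record.items() if k in allowed}
    if not visible:
        raise AccessDenied(f"role {role!r} may not view patient records")
    return visible


def update_record(role, record, changes):
    """Apply changes only if every changed field is in the role's update set."""
    forbidden = set(changes) - permitted_fields(role, "update")
    if forbidden:
        raise AccessDenied(f"role {role!r} may not update {sorted(forbidden)}")
    updated = dict(record)   # never mutate the caller's record in place
    updated.update(changes)
    return updated


# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "name": "A. Example", "dob": "1970-01-01", "room": "12B",
    "allergies": ["penicillin"], "medications": ["metformin"],
    "diagnosis": "type 2 diabetes", "notes": "follow-up in 2 weeks",
    "insurance_id": "INS-0001", "billing_address": "1 Main St",
}

if __name__ == "__main__":
    print(view_record("nurse", SAMPLE_RECORD))     # no diagnosis, no billing data
    print(view_record("billing", SAMPLE_RECORD))   # no clinical data
    try:
        update_record("billing", SAMPLE_RECORD, {"diagnosis": "x"})
    except AccessDenied as e:
        print(e)
```

The filtering happens on the server side before data leaves the application; hiding a field in the user interface while still sending it in the API response does not satisfy the standard. Every allow and deny decision here would also be written to the audit log from the previous checklist item.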

#3 Is there physical security and encryption?

Although this one seems obvious, it is not. Many hospitals have been fined for negligence in this area. HIPAA is very focused on keeping patient data secure, both physically (who can reach the servers, workstations, and paper records) and technically (encryption of PHI at rest and in transit).

For example, beyond a password, some software packages offer OTP (one-time password) based login: after entering the password, the user must also enter a short-lived code sent to, or generated on, their phone. Firewall protection has become the baseline rather than a differentiator.
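To make the OTP login concrete, here is an added example (not code from the article or from any product it mentions) of the time-based one-time password scheme that authenticator apps implement: RFC 4226 HOTP under RFC 6238 TOTP, plus a verifier that compares in constant time, tolerates one step of clock drift, and refuses to accept the same code twice. Generating the code on the phone avoids sending it over SMS. The 20-byte secret is the RFC 6238 test secret and is an assumption for the example only; a real seed is random per user, stored encrypted, and never logged.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the article: RFC 4226 HOTP / RFC 6238 TOTP with
# a verifier that does constant-time comparison and rejects replayed codes.


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based code: HOTP over the current 30-second step (RFC 6238)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, used=None):
    """Accept a code for the current step or +/- `window` steps (clock drift).

    `used` is an optional set of counters already accepted for this user. A
    code whose counter is in it is rejected, so a code captured by a shoulder
    surfer or phishing page cannot be replayed within its validity window.
    """
    t = int(time.time()) if at is None else int(at)
    for drift in range(-window, window + 1):
        counter = t // step + drift
        # compare_digest: do not leak how many digits matched through timing.
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            if used is not None:
                if counter in used:
                    return False          # replay of an already-used code
                used.add(counter)
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here
# only so the output can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8))                    # 94287082 per RFC 6238
    seen = set()
    print(verify_totp(RFC_SECRET, "287082", at=59, used=seen))  # True
    print(verify_totp(RFC_SECRET, "287082", at=59, used=seen))  # False: replay
```

The verifier still needs rate limiting per user (six digits are brute-forceable without it) and a lockout or alert on repeated failures, both of which belong in the login service around this function rather than inside it.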

This also bears on where you host: an installed on-premises system, a hosted application, or the cloud. Cloud-based solutions can be the better option because they provide security and monitoring features that a medical institution may not be able to run itself, but only if the provider will sign a Business Associate Agreement (BAA) covering the services you use, and configuring those services securely (encryption, access control, logging) remains your responsibility, not the provider's.

This also extends to email and messaging. Ordinary email is not secure, even in businesses, so the software has to ensure that any email containing patient data is encrypted. This can be done with third-party solutions that integrate with your email client.

#4 Does the software offer backups and high uptime?

Apart from keeping patient information secure, HIPAA also requires that patient data be available to those who need it, including the patients whose data it is. This has some demanding implications for the software.

First, the system must be working all the time: 24x7x365. And in the case of a system failure, fire, or any other disaster that may destroy the data, there must be a robust system to back the data up and restore it. A backup that has never been restored and checked is not yet a backup.

That again raises the question of where your system should be hosted. If you choose a third-party vendor, have they implemented a way to back up the data and ensure the system is always accessible? If you host locally, you must implement contingency plans for emergencies yourself. Cloud services such as Google Cloud and Amazon Web Services make this easier, provided a BAA is in place and the backups are encrypted and periodically restored to prove they work.
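As an added example of the "back it up and prove you can restore it" point (not code from the article or any product it mentions), the block below writes a SHA-256 manifest alongside a backup, then verifies a restore against that manifest and reports files that are missing or corrupt. The directory layout, the manifest file name and the constructed sample records are assumptions for the example; real PHI would also be encrypted before it leaves the host.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Added example, not code from the article. Manifest format and layout are
# assumptions; the sample records below are constructed, not real PHI.
MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Relative path -> sha256 for every file under directory (manifest itself excluded)."""
    manifest = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            if rel != MANIFEST:
                manifest[rel] = sha256_file(full)
    return manifest


def backup(source_dir, backup_dir):
    """Copy the data and record what was copied, so a restore can be checked."""
    shutil.copytree(source_dir, backup_dir, dirs_exist_ok=True)
    manifest = build_manifest(source_dir)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(backup_dir, restored_dir):
    """Compare a restored tree with the manifest; list what is missing or altered."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        expected = json.load(f)
    actual = build_manifest(restored_dir)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def restore_drill():
    """End-to-end drill: back up, restore, verify, then simulate damage and re-verify."""
    base = tempfile.mkdtemp()
    try:
        src, bak, rst = (os.path.join(base, d) for d in ("live", "backup", "restored"))
        os.makedirs(src)
        # Constructed sample records for fictional patients.
        samples = {
            "P-1001.json": '{"name": "A. Example", "room": "12B"}',
            "P-2002.json": '{"name": "B. Sample", "room": "7A"}',
        }
        for name, body in samples.items():
            with open(os.path.join(src, name), "w") as f:
                f.write(body)
        backup(src, bak)
        shutil.copytree(bak, rst)             # the "restore"
        clean = verify_restore(bak, rst)
        # Simulate bit rot in one file and loss of another.
        with open(os.path.join(rst, "P-1001.json"), "a") as f:
            f.write(" ")
        os.remove(os.path.join(rst, "P-2002.json"))
        damaged = verify_restore(bak, rst)
        return clean, damaged
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print(clean)    # {'ok': True, 'missing': [], 'corrupt': []}
    print(damaged)  # {'ok': False, 'missing': ['P-2002.json'], 'corrupt': ['P-1001.json']}
```

Run the drill on a schedule against a real backup set, not just once at go-live: the manifest is also what lets you tell a restore that "completed" from one that actually brought every record back intact.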


You can also use this checklist to guide your clients and help them implement HIPAA compliant solutions. If you are developing custom solutions, the best approach is to combine your own HIPAA knowledge with what the client knows about their own workflows. Although there is much more to HIPAA, following this 4 point HIPAA compliance checklist will help software companies make HIPAA compliant software.
