HIPAA Compliance Checklist

These questions cover the components needed to make sure you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Audits and assessments

· Have you conducted the necessary audits and assessments according to National Institute of Standards and Technology (NIST) guidelines? The audits in question involve security risk assessments, privacy assessments, and administrative assessments.
· Have you identified all the deficiencies and issues discovered during the three audits? There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.
· Have you created thorough remediation plans to address the deficiencies you have identified? After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Policies, procedures, and training

· Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule? You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.
· Have you distributed the specified policies and procedures to all staff members?
· Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
· Have you documented their attestation, so you can prove that you have distributed the rules?
· Do you have documentation for annual reviews of your HIPAA policies and procedures?
· Have all your staff members gone through basic HIPAA compliance training?
· Have all staff members completed HIPAA training for employees?
· Do you have documentation of their training?
· Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?

Business associates

· Have you identified all business associates as defined under HIPAA rules?
· Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
· Do you have a Business Associate Agreement (Business Associate Contract) in place with each entity you have identified as a Business Associate?
· Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
· Do you have written reports to prove your due diligence regarding your Business Associates?

Incident and breach management

· Do you have a management system in place to handle security incidents or breaches?
· Do you have systems in place that allow you to track and manage investigations of any incidents that impact the security of PHI?
· Can you demonstrate that you have investigated each incident?
· Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
· Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

General instructions for a HIPAA compliance audit

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

· If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified.
· Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
· The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
· Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
· Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
· If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
· Workforce members include:
  · Entity employees
  · On-site contractors
  · Students
  · Volunteers
· Information systems include:
  · Hardware
  · Software
  · Information
  · Data
  · Applications
  · Communications
  · People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing: HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law, and it is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help, such as a HIPAA technology consultant. Gone are the days when you could keep a server in the office closet alongside your office supplies. The cleaning personnel seeing a printout of a patient’s file constitutes a ‘disclosable’ event. Screen savers, privacy screens, and professionally managed technology solutions are a must.

Just because you use a SaaS-based MR (Medical Records) solution does not mean you are no longer responsible for the privacy of that data. If the vendor has lax security, it is still the provider’s responsibility to protect that data. Therefore, the burden of due diligence remains on the provider.