HIPAA Compliance Checklist & PHI Protection
Have the following assessments been completed on a yearly basis?
- Assessments of
  - Security risks
  - Privacy
- Audits of
  - Security standards
  - Assets and devices
  - HITECH Subtitle D
  - Physical locations
Is there documented proof that the above assessments have been conducted for the last six years?
Have the deficiencies identified during these assessments and audits been recorded and archived?
Has your organization developed corrective actions that address the identified deficiencies?
- Have these corrective actions been documented
- Are they reviewed annually?
- Are these yearly documents preserved in company records for at least six years?
Has HIPAA training been provided to all employees?
- Is the completion of HIPAA training modules by each staff member documented and archived?
- Has an employee been designated to oversee HIPAA compliance, privacy and security (the privacy officer and security officer roles the Rules require)?
Have all employees been trained on security awareness?
- Is there documented evidence that employees have completed all modules of the security awareness training?
- Are employees provided training reminders on a regular basis?
Is there a contingency plan in place for emergency situations?
- Does your business have policies and procedures for responding to these emergencies?
- Does your facility create backup copies of all electronic PHI so that the most recent data can be restored during a crisis?
- Does your facility have plans in place to ensure operational continuity during emergencies?
- Are contingency plans kept up to date through periodic testing and revision?
Has your risk assessment evaluated whether ePHI encryption is reasonable and appropriate?
- Where encryption was judged not to be reasonable and appropriate, has your healthcare facility implemented and documented an equivalent alternative measure that preserves ePHI confidentiality, integrity and availability?
- Does your healthcare facility have controls in place to prevent unauthorized access to ePHI while it is transmitted over a network?
- Is documentation available for every encryption decision and the reasoning behind it?
Are there identity management and access control measures in place?
- Do all employees accessing ePHI have unique user credentials?
- Do employees access ePHI based on policies and procedures?
- Are there written policies and procedures for revoking employee access to ePHI on termination and on role change?
- Is there a procedure for retrieving ePHI and the devices that hold it from employees who leave the organization?
- Are user sessions automatically terminated after a period of inactivity?
Are ePHI access logs created and monitored?
- Are ePHI access logs, including successful and failed login attempts, retained and available for audit?
- Does your healthcare facility regularly review the ePHI access logs for unauthorized access?
- Are there controls in place to ensure that ePHI cannot be altered or destroyed through unauthorized access?
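The log review the items above ask for is more useful when it is automated against a small set of written rules rather than done by eye. The script below is an added example, not part of the original checklist or any particular product: it parses constructed ePHI access-log lines (the whitespace-separated format, the user names, the patient identifiers, the roster of authorized users and the thresholds are all assumptions made for illustration) and flags repeated failed logins, record access by an account that is no longer on the authorized roster, access outside business hours, and one user touching an unusually large number of distinct patient records in a day. Each finding names the rule, the user and a short detail so it can be filed as evidence of the review.

```python
"""Review constructed ePHI access-log lines for signs of unauthorized access.

Added example for the checklist; the log format, users, patient ids and
thresholds are assumptions, and every log line below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, user, event, patient id ("-" if none), result.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jlee LOGIN - SUCCESS
2024-03-04T08:05:40 jlee VIEW_RECORD P1001 SUCCESS
2024-03-04T08:06:02 jlee VIEW_RECORD P1002 SUCCESS
2024-03-04T09:15:00 mkhan LOGIN - FAILURE
2024-03-04T09:15:20 mkhan LOGIN - FAILURE
2024-03-04T09:15:45 mkhan LOGIN - FAILURE
2024-03-04T09:16:10 mkhan LOGIN - FAILURE
2024-03-04T09:16:30 mkhan LOGIN - FAILURE
2024-03-04T09:16:55 mkhan LOGIN - FAILURE
2024-03-04T10:00:00 rgarcia LOGIN - SUCCESS
2024-03-04T10:01:00 rgarcia VIEW_RECORD P1003 SUCCESS
2024-03-04T11:30:00 oldacct VIEW_RECORD P1020 SUCCESS
2024-03-04T23:40:12 tsmith LOGIN - SUCCESS
2024-03-04T23:41:00 tsmith VIEW_RECORD P1007 SUCCESS
2024-03-04T23:41:30 tsmith VIEW_RECORD P1008 SUCCESS
2024-03-04T23:42:00 tsmith VIEW_RECORD P1009 SUCCESS
2024-03-04T23:42:30 tsmith VIEW_RECORD P1010 SUCCESS
2024-03-04T23:43:00 tsmith VIEW_RECORD P1011 SUCCESS
2024-03-04T23:43:30 tsmith VIEW_RECORD P1012 SUCCESS
2024-03-04T23:44:00 tsmith VIEW_RECORD P1013 SUCCESS
2024-03-04T23:44:30 tsmith VIEW_RECORD P1014 SUCCESS
2024-03-04T23:45:00 tsmith VIEW_RECORD P1015 SUCCESS
2024-03-04T23:45:30 tsmith VIEW_RECORD P1016 SUCCESS
2024-03-04T23:46:00 tsmith VIEW_RECORD P1017 SUCCESS
"""

# Assumed roster of accounts currently authorized for ePHI (for example, exported
# from the identity system after the latest termination/role-change review).
AUTHORIZED_USERS = {"jlee", "mkhan", "rgarcia", "tsmith"}

# Assumed review thresholds; a real facility writes its own into its procedures.
FAILED_LOGIN_THRESHOLD = 5     # failed logins per user per day
RECORD_VOLUME_THRESHOLD = 10   # distinct patient records per user per day
BUSINESS_HOURS = (7, 19)       # local time, start inclusive, end exclusive


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": None if patient == "-" else patient,
            "result": result,
        })
    return events


def review_access_log(text):
    """Return (rule, user, detail) findings an auditor should examine."""
    events = parse_log(text)
    findings = []

    # Rule 1: repeated failed logins (possible credential guessing).
    failed = Counter(e["user"] for e in events
                     if e["event"] == "LOGIN" and e["result"] == "FAILURE")
    for user, n in sorted(failed.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, f"{n} failures"))

    # Rule 2: record access by an account not on the authorized roster
    # (e.g. an account that should have been revoked at termination).
    for e in events:
        if e["patient"] and e["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized_user", e["user"], f"accessed {e['patient']}"))

    # Rule 3: successful record access outside business hours.
    after_hours = Counter(e["user"] for e in events
                          if e["patient"] and e["result"] == "SUCCESS"
                          and not BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1])
    for user, n in sorted(after_hours.items()):
        findings.append(("after_hours_access", user, f"{n} record accesses outside business hours"))

    # Rule 4: one user touching an unusual number of distinct patient records.
    records = defaultdict(set)
    for e in events:
        if e["patient"] and e["result"] == "SUCCESS":
            records[e["user"]].add(e["patient"])
    for user, ids in sorted(records.items()):
        if len(ids) >= RECORD_VOLUME_THRESHOLD:
            findings.append(("high_record_volume", user, f"{len(ids)} distinct patient records"))

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:24} {user:10} {detail}")
```

Run on the constructed sample, the review flags mkhan for six failed logins, oldacct for touching a record while absent from the roster, and tsmith twice (eleven records, all viewed late at night); jlee and rgarcia produce no findings. The point for the checklist is not these particular rules but that the rules, the roster they compare against, and the output they produce are all written down, so that the "regularly check the logs" item has evidence behind it.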
Are there policies and procedures in place for purging PHI and ePHI records?
- Do you have policies and procedures for disposing of paper PHI records when they are no longer required?
- Are there policies and procedures for permanently and irrecoverably deleting ePHI from electronic systems and devices when it is no longer needed?
- Are there secure storage procedures for ePHI and paper PHI records throughout their retention period?
Are there written policies and procedures for handling patients' requests for access to their health information?
- Can individuals access their health information upon request?
- Are copies of PHI provided in the form and format the individual requests, where readily producible?
- Are requests fulfilled within 30 days (with at most one 30-day extension)?
- Are any fees charged reasonable and cost-based?
Does your healthcare facility maintain HIPAA authorizations for uses and disclosures of PHI that the HIPAA Privacy Rule does not otherwise permit?
- Do the authorizations state explicitly the purpose of each use or disclosure of PHI?
- Do the authorizations identify the persons or classes of persons to whom PHI may be disclosed?
- Do the authorizations state an expiration date or expiration event?
- Are the authorizations signed and dated by the individual?
Has your healthcare center created a Notice of Privacy Practices (NPP)?
- Have all patients been provided with the notice of privacy practices?
- Have patients acknowledged receipt of the notice in writing, and are the acknowledgments retained?
- Is the notice of privacy practices (NPP) prominently displayed on site and published on your website?
- Are there procedures in place for handling complaints about, and violations of, the practices described in the NPP?
Are there written policies and procedures covering the HIPAA Privacy, Security and Breach Notification Rules, and are they reviewed annually?
- Have all employees been familiarized with these policies and procedures?
- Have employees signed an attestation that they have read and will adhere to them, and is the attestation documented?
- Are the annual reviews of policies and procedures documented?
Have all third party contractors and business associates been listed?
- Have Business Associate Agreements (BAAs) been established with all business associates?
- Has due diligence been performed to confirm that each business associate is HIPAA compliant?
- Does your healthcare facility review business associate agreements on a yearly basis?
- Are there confidentiality agreements with vendors that are not business associates?
Are there documented processes for responding to security incidents and data breaches?
- Are all incidents investigated, and is each investigation tracked to closure?
- Can your healthcare facility produce reports on incidents and breaches, including those that must be notified under the Breach Notification Rule?
- Can employees report a privacy or security incident or a HIPAA violation anonymously?