HIPAA Compliance Checklist

  1. Are you a “Covered Entity” under HIPAA?
    • If yes – You are responsible for complying with the federal HIPAA and HITECH laws, as well as state confidentiality law. Continue answering the questions below.
    • If no – You must comply with state confidentiality law. Additionally, it is suggested that you review the questions below, as the Privacy and Security Rules are floors of confidentiality protection, and as a psychiatrist, you are held to much higher legal and ethical standards for the protection of patient information.
    • If you do not know – HHS (the Department of Health and Human Services), responsible for enforcement of the Privacy and Security Rules, has created the following resources to assist you in determining whether you are a Covered Entity:
  2. Do you have your Privacy Rule policies and procedures documented?
  3. Do you have your Notice of Privacy Practices?
  4. Are your Privacy Rule policies and procedures being followed?
    • Are patients actually receiving your Notice of Privacy Practices?
    • Are all requests for restrictions considered?
    • Are access and amendment requests handled in a timely manner?
    • Is only the minimum necessary amount of PHI (Protected Health Information) being released unless the patient has authorized release of the entire record? 
  5. Do you have your Security Rule policies and procedures documented?
  6. Are your Security Rule policies and procedures being followed?
    • Are all of your computers with PHI password-protected?
    • Are all of your portable devices with PHI, such as laptops and tablets, encrypted?
    • Are all of your electronic devices containing PHI, including copiers, stripped of all PHI prior to disposal, sale, or return to vendor?
    • Are the other required elements being met?
  7. Have you done your risk assessment – initially and on an ongoing basis?
  8. Do you understand the requirements of the Breach Notification Rule?
  9. Are your Breach Notification Rule policies and procedures being followed?
    • Can all employees identify a breach?
    • Do employees understand that all possible breaches must be reported to you ASAP?
    • Do you call your insurance company immediately upon learning of a potential breach of PHI? 
  10. Have your employees signed confidentiality agreements?
    • PRMS resource: If you are a PRMS client, you can find a model confidentiality agreement in PRMS U.
  11. Have you provided yearly HIPAA training to staff?
    • HHS’ online HIPAA training courses (with CME) are available to all through Medscape
  12. Are your training records documented?

  13. Do your employees understand the training?
    • Is PHI being properly maintained at workstations?
    • How is PHI actually being disposed of?
    • Is PHI only being accessed and disclosed pursuant to authorization, legal mandate, or an exception to confidentiality?
    • Does staff understand that merely not mentioning identifying information does not mean confidentiality is being maintained?
    • Are computers positioned so that patients cannot read the screens?
  14. Are you prepared for a HIPAA audit?
  15. Do you have Business Associate Agreements (BAAs) from all of your Business Associates (BAs)?
    • BAs are third parties that perform a function on behalf of, or provide services to, a Covered Entity where that function or service requires the release of PHI
    • Note: PRMS is a BA of any Program Participant that is a Covered Entity under HIPAA. Our BAA is available on our website for download
    • HHS’ Sample BAA Provisions
    • Have all BAs provided you with BAAs?
      • If a BAA was provided that incorporated the changes under HITECH, such as was provided by PRMS, the BA has until September 23, 2014 to provide a BAA that complies with the Omnibus regulation
      • If a BAA was updated with the HITECH provisions earlier, you will need an updated BAA that complies with the Omnibus regulation by September 23, 2013 
  16. Are you aware that aside from criminal penalties, civil penalties for HIPAA violations can be as much as $50,000 per incident with a yearly cap of $1.5 million for multiple identical violations?

  17. Are you familiar with HHS’ enforcement actions?
    • Case examples and resolution agreements are available at HHS 
  18. Are your employees prohibited from removing PHI (paper or electronic) from the office?

  19. If you have PHI on mobile devices, such as a laptop or tablet, is the device encrypted?

General Resources:

The content of this article (“Content”) is for informational purposes only. The Content is not intended to be a substitute for professional legal advice or judgment, or for other professional advice.  Always seek the advice of your attorney with any questions you may have regarding the Content.  Never disregard professional legal advice or delay in seeking it because of the Content.
