Introduction to the HIPAA Checklist for HR:

In 1996, the United States Government passed legislation for the privacy and safeguarding of all medical data.

This legislation is known as the Health Insurance Portability and Accountability Act, but is more commonly referred to as HIPAA (which, thankfully, is easier to remember).

Anyone in the healthcare industry who deals with Protected Health Information (PHI) must comply with HIPAA Rules.

What happens if you don’t comply with HIPAA rules? 

You have to pay out a lot of money. And I mean a lot. The following healthcare providers didn't fully comply with HIPAA and are great examples of the kind of money we're talking about:

The University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records.

North Memorial Health Care of Minnesota had to pay $1.55 million in a settlement for failing to enter into a Business Associate Agreement with a major contractor.

The Memorial Healthcare System received a $5,500,000 penalty for insufficient ePHI access controls.

The Memorial Hermann Health System had to pay $2.4 million in a settlement for disclosing a patient’s PHI in a press release.

It clearly pays to be compliant.

What do you have to do to be HIPAA compliant? 

HIPAA compliance is a series of regulatory standards which outline the lawful use and disclosure of PHI. 

Healthcare entities must perform ongoing technical and non-technical evaluations to establish if their security policies and procedures meet these regulatory standards.

Don’t be fooled though.

It may sound simple, but HIPAA compliance is never 100% complete.

Changes to medical processes, technology, policies, procedures, staffing, HIPAA rules, and business practices all change the environment and can easily render a HIPAA certification invalid.

To illustrate the point, researchers found that a total of 285 incidents were reported in the first 6 months of 2019.

Luckily, Process Street is here to help. 

HIPAA requires transparency first and foremost, which means activity revolving around regulated data systems may be audited at any time. 

The HIPAA compliance checklist that Process Street has created will make sure you are ready for an audit. 

We’ve created a series of tasks and questions, based on the advice given by the HHS’ Office for Civil Rights and the HIPAA Journal, about the measures your organization should have in place to keep you HIPAA compliant. 

A word of warning!

This checklist allows you to self-evaluate HIPAA compliance in your organization.

However, successfully completing this checklist does not guarantee you are HIPAA compliant.

To be safe, you should always consult a HIPAA compliance expert.  

Process Street is super-powered checklists. It's the easiest way to manage your recurring tasks, procedures and workflows. Create a template and run individual checklists for each member of your team. You can check tasks off as you work through them, set deadlines, add approvals, assign tasks, and track each team member's progress. You can also connect to thousands of apps through Zapier and automate your workflows even more.

Complete checklist information

Fill out the checklist information in the fields below.

The date of the next audit should be 1 year after the date of the assessment.

You can either select the next audit date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Assign tasks

Assign the below tasks to the relevant internal HIPAA representatives so they can ensure that their department / assigned area of focus is compliant.

Assign task 12 to the designated HIPAA Compliance, Privacy, and/or Security Officer

Assign tasks 18 - 26 to the IT lead

Annual Audits/Assessments:

Complete the security risk audit

Complete and upload the security audit for this year's assessment.

Identify the gaps found during the audit and create and upload a remediation plan to address these gaps.

Current Year
Upload the security audits and remediation plans from the last six years. 
Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

Complete the privacy assessment (not required for BAs)

Complete and upload the privacy assessment for this year.

Identify any gaps found during the assessment and create and upload a remediation plan to address these gaps.

Current Year
Upload the privacy assessments and remediation plans from the last six years. 
Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

Complete the HITECH subtitle D audit

Complete and upload the HITECH subtitle D audit for this year.

Identify any gaps found during the audit and create and upload a remediation plan to address these gaps.

Current Year
Upload the HITECH subtitle D audits and remediation plans from the last six years. 
Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

Complete the security standards audit

Complete and upload the security standards audit for this year.

Identify any gaps found during the audit and create and upload a remediation plan to address these gaps.

Current Year
Upload the security standards audits and remediation plans from the last six years. 
Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

Complete the asset and device audit

Complete and upload the asset and device audit for this year.

Identify any gaps found during the audit and create and upload a remediation plan to address these gaps.

Current Year

Upload the asset and device audits and remediation plans from the last six years. 

Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

Complete the physical site audit

Complete and upload the physical site audit for this year.

Identify any gaps found during the audit and create and upload a remediation plan to address these gaps.

Current Year

Upload the physical site audits and remediation plans from the last six years. 

Year 1
Year 2
Year 3
Year 4
Year 5
Year 6

HIPAA Training:

Ensure all staff complete the annual HIPAA training

Send an email to all staff about the annual HIPAA training and deadline.

Upload a registration document once all staff members have completed the training.

Ensure all staff complete the security awareness training

Send an email to all staff about the security awareness training and deadline. 

Upload a registration document once all staff members have completed the training.

Set quarterly reminders to reinforce security awareness training

The date of the next security awareness training should be 3 months after the completion of the current security awareness training.

You can either select the next security awareness training date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Emergency Planning:

Develop plans for emergencies

Develop and upload contingency plans for the below situations. 

Responding to Emergencies 

Upload your policy for responding to general emergency situations and select the date of the policy upload.

You will need to review, test & re-upload this policy 6 months after the policy was uploaded.

You can either select the date to review, test & re-upload in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Continuing Critical Business Processes 

Upload your policy for continuing with critical business processes during emergency situations and select the date of the policy upload.

You will need to review, test & re-upload this policy 6 months after the policy was uploaded.

You can either select the date to review, test & re-upload in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Security Incidents & Breaches

Upload your policy for dealing with security incidents and data breaches and select the date of the policy upload.

Within the security incidents & data breaches policy, make sure you include the following information:

1. A process for tracking and managing investigations for all incidents.

2. A process for staff members to anonymously report a privacy/security incident or potential HIPAA violation.

Access to ePHI:

Assess whether encryption of ePHI is needed

Upload a risk analysis that determines if the encryption of ePHI is needed and confirm the answer in the fields below. 

Implement alternative measures

If the risk analysis concluded that encryption is not needed, you will need to implement alternative measures to ensure the confidentiality, integrity, and availability of ePHI.

Create and upload a policy which covers these alternative measures.

Guard against unauthorized access of ePHI

If the risk analysis concluded that encryption is needed, you will need to guard against unauthorized access to ePHI during electronic transmission.

Create and upload a policy that covers how you will guard against unauthorized access to ePHI.

Implement identity management and ePHI access controls

Answer the following questions on identity management and upload policies for terminating access to ePHI and device recovery.  

Create and monitor ePHI access logs

Answer Yes/No to the following questions on ePHI access logs. 

Disposal of PHI/ePHI:

Develop a policy for preventing PHI from being reconstructed

Upload a policy for rendering physical PHI unreadable, indecipherable, and incapable of being reconstructed when no longer required.

Develop a policy for permanently erasing ePHI

Upload a policy for permanently erasing ePHI on electronic devices when they are no longer required, or the devices reach end of life.

Confirm whether devices containing ePHI/PHI are stored securely

Answer the following question to establish whether devices containing ePHI/PHI are stored securely.

Patient Access to Health Information:

Develop a policy for patient access to health information

Create and upload a policy for providing patients with access to their health information.

This policy must include detailed processes around:

1. Providing individuals with access to their health information or copies of their health information on request.

2. Providing copies of PHI in the format requested by the individual.

3. Providing individuals with copies of their health information in a timely manner and within 30 days.

4. Reasonable and cost-based fees.

Obtaining & Storing Authorizations:

Store all HIPAA authorizations

Upload HIPAA authorizations for uses and disclosures of PHI not otherwise permitted by the HIPAA Privacy Rule.

Stored authorizations must:

1. Be written in plain language.

2. State the classes of people to whom PHI will be disclosed.

3. Include an expiry date.

4. Contain the individual's signature and date of signature.

Notice of Privacy Practices (NPP):

Send the notice of privacy practices to all patients

Create and upload the notice of privacy practices in the field below and answer the following questions about the notice.

Develop a procedure for dealing with NPP complaints

Upload a procedure for dealing with complaints about failures to comply with the NPP.

HIPAA Privacy, Security & Breach Notification Rules:

Develop policies for privacy, security & breach notification rules

Create and upload policies for the following:

  • HIPAA privacy rules
  • Security rules
  • Breach notification rules

All uploaded policies must include an 'updates' section for annual reviews.

HIPAA Privacy Rules Policy

The HIPAA privacy rules policy must be reviewed 1 year after the date of the upload.

You can either select the next review date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Security Rules Policy

The security rules policy must be reviewed 1 year after the date of the upload.

You can either select the next review date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Breach Notification Rules Policy

The breach notification rules policy must be reviewed 1 year after the date of the upload.

You can either select the next review date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Ensure all staff have legally attested HIPAA policies & procedures

Upload documentation to prove that all staff members have read and legally attested to the HIPAA policies and procedures.

Vendors & Business Associates:

Identify all vendors & business associates

List all your vendors and business associates in the field below. 

Create Business Associate Agreements for business associates

Upload Business Associate Agreements (BAAs) for all business associates.

All BAAs must be reviewed after 1 year.

You can either select the next review date in the field below, or you can use the dynamic due dates feature to automatically set the date.

Find out more about setting dynamic due dates here

Assess business associates' HIPAA compliance

Upload business associates' HIPAA compliance assessments.

Create confidentiality agreements for non-business associates

Upload confidentiality agreements for non-business associate vendors here:

Sources:
