Introduction:

The requirement for covered entities to conduct a risk analysis comes from the HIPAA Security Rule, published in 2003 (45 CFR 164.308(a)(1)(ii)(A)); the Privacy Rule, which this checklist covers, separately requires reasonable administrative, technical and physical safeguards for PHI (45 CFR 164.530(c)).

Conducting periodic risk assessments is not only required by law, but will also help you avoid potential violations that can be incredibly costly.

"More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard their patients' personal information. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI existed." - HIPAA Journal, HIPAA Risk Assessment

A data breach by skilled attackers is damaging enough; it is far worse when the subsequent investigation shows that the breach could have been avoided and was largely due to a failure to identify and mitigate known risks.

This checklist is designed to guide you through a comprehensive evaluation of your compliance with the HIPAA Privacy Rule, and to identify areas that need to be addressed to improve PHI security.

The template is split up into the following sections:

  • Check-in procedures (patient identity verification, insurance etc.)
  • Clinical areas (ensuring no PHI is visible/accessible)
  • Medical records (staff access, physical security, patient authorization)
  • General security (computer monitors, paper records)
  • Personnel policies (employee training, documentation)

Once the checklist is complete, you will have an accurate understanding of how well your organization is protecting PHI. You will also identify areas that need to be addressed and set out clear action items to optimize security measures.

Let's get started!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Enter basic details

First, enter some basic details regarding your organization.

Check-in procedures:

Ensure assistance is provided for new patient form completion

When a new patient enters your medical institution, they may be unsure as to what information they are required to provide, and which form(s) they need to fill out. 

It is therefore important that the appropriate staff provide assistance when the patient is filling out the forms necessary for them to be admitted. 

Ensure patient insurance is verified

It's essential that patient insurance is verified for each and every patient admitted to your medical institution.

To do so, check the patient's active coverage with the insurance company and verify the eligibility of his or her insurance claims.

Patients will be ineligible for benefits when they provide wrong or outdated information, or when their policies have been terminated or modified. A simple error can result in claim rejection or denial, so you have to be sure it is being done correctly.

To take the stress out of managing patient insurance, it can be better to outsource insurance verification to a company that can get your claims billed and processed accurately. Any such company is a business associate under HIPAA, so a signed business associate agreement must be in place before it receives any patient information.

Ensure patients sign the Notice of Privacy Practices Acknowledgement

The Notice of Privacy Practices (NPP) is given to the patient and explains how the healthcare provider may use and share the patient's health information.

The Privacy Rule requires a provider with a direct treatment relationship to make a good faith effort to obtain the patient's written acknowledgment that they received the notice and, if the acknowledgment cannot be obtained, to document the attempt and the reason it failed.

What is in the Notice?

As stated on the HHS website, the notice must describe:

  • How the Privacy Rule allows the provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason
  • The organization’s duties to protect health information privacy
  • Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated
  • How to contact the organization for more information and to make a complaint

The patient can ask for a copy of the notice at any time.

Evaluate process for sending appointment reminders

According to the U.S. Department of Health & Human Services, medical appointment reminders are allowed under HIPAA privacy rules, which state:

“Appointment reminders are considered part of the treatment of an individual and, therefore, can be made without authorization.” 

When sending a HIPAA-compliant text message appointment reminder, it is best to avoid being too specific. Keep in mind that practice names can imply types of treatment or conditions. For example, “Oncology Clinic” clearly indicates that the patient has cancer.

Generic reminders include:

  • Appointment date and time
  • Provider’s first and last name
  • Location of the appointment

Ensure your NPP (Notice of Privacy Practices) is updated and includes information about opting-in for appointment reminders by SMS and/or email.

Evaluate identity verification procedure upon patient arrival

To ensure HIPAA compliance, a patient (or someone requesting records on their behalf) should verify their identity in the following ways, depending on how the request is made:

In-Person:

  • Government-issued photo ID, such as a driver's license or passport

Mail:

  • Signature validation: Compare the signature on the mailed request with the patient’s signature on file in the medical record. Most patients will have a signature on file from the acknowledgment they signed when offered the Notice of Privacy Practices (NPP)
  • When possible, it is preferable to have the records mailed to the address on file for the patient.

Phone

  • Request full name and at least two other identifiers such as date of birth, address, emergency contact name, phone number, last 4 digits of their social security number.
  • Request most recent date of service or invoice number for billing questions.
  • If the request is not from the patient but by someone who may have appropriate authority to make a request such as another treatment provider, ask that the request be made in writing on letterhead.

To make identity verification more consistent and efficient, many providers use a third-party identity verification service, such as TransUnion. Such a provider handles PHI on your behalf and is therefore a business associate, so a business associate agreement must be in place before it receives any patient data.

Approval: Check-in procedures

Tasks submitted for approval:
  • Ensure assistance is provided for new patient form completion
  • Ensure patient insurance is verified
  • Ensure patients sign the Notice of Privacy Practices Acknowledgement
  • Evaluate process for sending appointment reminders
  • Evaluate identity verification procedure upon patient arrival

Clinical areas:

Evaluate if staff discuss patient information in clinical areas

Even in our world of digital interaction, word-of-mouth still plays a huge role. 

When it comes to sensitive patient information, a serious breach of HIPAA compliance can arise if staff discuss private patient information in clinical areas where other patients, visitors, or staff without a need to know can overhear them. The Privacy Rule tolerates incidental disclosures only where reasonable safeguards are in place, such as lowering voices and moving conversations to a private area.

Ensure that all staff are fully aware of the risk and are trained not to discuss patient information in clinical areas where it can be overheard.

Assess if phone calls are made mentioning patient information

Similar to in-person discussions amongst staff, phone calls also present a risk of a breach to the HIPAA privacy rule, and therefore need to be assessed to ensure staff members on phone calls are not disclosing private patient information.

Ensure exam room doors are shut during patient encounters

To protect patient privacy, exam room doors must be shut during patient encounters.

This is a simple task that can be easily completed with sufficient training and security awareness by the medical staff. 

Ensure lab and X-ray logs are covered to protect PHI

If lab and X-ray logs are not covered properly, they can display PHI, which could potentially result in a breach. 

An important preventative measure that protects PHI and complies with HIPAA regulations, is to cover the logs when they are left unattended. 

Ensure no PHI is visible in clinical workstations while unattended

Just like with lab and X-ray logs, all clinical workstations must protect PHI while unattended. 

Hard-copy files must be securely stored and computers locked.

Any open screens displaying PHI while no staff are present breaks HIPAA regulations and presents a significant security risk. 

Ensure PHI shred bins are emptied and not overfilled

A final, easily overlooked step when conducting a privacy risk assessment in clinical areas is to ensure PHI shred bins are being emptied regularly.

A simple task that can prevent an easily avoidable privacy breach. 

Approval: Clinical areas

Tasks submitted for approval:
  • Ensure PHI shred bins are emptied and not overfilled
  • Ensure no PHI is visible in clinical workstations while unattended
  • Ensure lab and X-ray logs are covered to protect PHI
  • Ensure exam room doors are shut during patient encounters
  • Assess if phone calls are made mentioning patient information
  • Evaluate if staff discuss patient information in clinical areas

Medical records:

Verify only appropriate staff can access medical records

Medical records are, of course, the gold mine of private patient information. They must be securely stored, and access must be limited to staff whose role requires it (the Privacy Rule's "minimum necessary" standard, backed by the Security Rule's access control and workforce clearance requirements).

Evaluate which staff members can access patient medical records, confirm that each one has a role-based need for the level of access they hold, and check that access was removed when staff left or changed roles.
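The review described above is easier to do systematically than by eye. The following is an added example, not part of the original checklist or any EHR vendor's tooling: it cross-references an HR roster against an export of chart-access grants and flags what an assessor wants to see (terminated staff still holding access, roles with no business need for charts, access broader than the role allows, orphan accounts, and stale accounts). The role table, roster, grant list, and 90-day threshold are all constructed assumptions for the demo; a real review would feed in your HR system's export and the EHR's user/permission report.

```python
"""Access review for who can open patient charts (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Most permissive chart access each role legitimately needs ("minimum
# necessary"). Assumed mapping for the demo; None means no chart access.
ROLE_MAX_ACCESS = {
    "physician": "read-write",
    "nurse": "read-write",
    "medical-records": "read-write",
    "billing": "read-only",
    "front-desk": "demographics-only",
    "facilities": None,
    "it-helpdesk": None,
}
ACCESS_RANK = {None: 0, "demographics-only": 1, "read-only": 2, "read-write": 3}
STALE_DAYS = 90   # assumed review threshold for unused access


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    terminated_on: Optional[date] = None   # None = still employed


@dataclass(frozen=True)
class ChartGrant:
    user_id: str
    level: str                              # a key of ACCESS_RANK
    last_login: Optional[date]              # None = never logged in


def review_access(roster, grants, as_of):
    """Return (user_id, finding) pairs for each grant that needs attention."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for g in grants:
        emp = by_id.get(g.user_id)
        if emp is None:
            findings.append((g.user_id, "not on HR roster: orphan or shared account"))
            continue
        if emp.terminated_on is not None and emp.terminated_on <= as_of:
            findings.append((g.user_id, f"terminated {emp.terminated_on} but still has {g.level}"))
            continue
        allowed = ROLE_MAX_ACCESS.get(emp.role)   # unknown role is treated as no access
        if ACCESS_RANK[g.level] > ACCESS_RANK[allowed]:
            findings.append((g.user_id, f"role '{emp.role}' allows {allowed}, has {g.level}"))
        if g.last_login is None or (as_of - g.last_login).days > STALE_DAYS:
            findings.append((g.user_id, f"no chart login in {STALE_DAYS}+ days; confirm still needed"))
    return findings


# Constructed sample data for the demo.
AS_OF = date(2024, 6, 1)
SAMPLE_ROSTER = [
    Employee("dr_lee", "physician"),
    Employee("n_patel", "nurse"),
    Employee("b_cho", "billing"),
    Employee("j_ruiz", "facilities"),
    Employee("m_kim", "nurse", terminated_on=date(2024, 3, 1)),
]
SAMPLE_GRANTS = [
    ChartGrant("dr_lee", "read-write", date(2024, 5, 30)),
    ChartGrant("n_patel", "read-write", date(2024, 5, 29)),
    ChartGrant("b_cho", "read-write", date(2024, 5, 20)),    # billing should be read-only
    ChartGrant("j_ruiz", "read-only", date(2024, 1, 10)),    # facilities needs no chart access
    ChartGrant("m_kim", "read-write", date(2024, 2, 20)),    # left in March, never deprovisioned
    ChartGrant("svc_scanner", "read-only", None),            # not a person on the roster
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ROSTER, SAMPLE_GRANTS, AS_OF):
        print(f"{user:12} {finding}")
```

Run against the sample data, it reports four of the six accounts (b_cho, j_ruiz, m_kim, svc_scanner) and leaves the two clinicians with appropriate, recently used access alone. Each finding maps to an action item for the assessment: reduce, remove, or justify and document.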

Assess physical security of medical records

Assess the physical storage of all medical records and ensure they are HIPAA compliant.

The room they are in should be secured, monitored, and only accessible by qualified staff members. 

Ensure patient authorization is received before release of PHI

This is an incredibly important requirement of the HIPAA Privacy Rule.

Before PHI is disclosed for any purpose the Privacy Rule does not already permit (for example, to an employer, to a life insurer, or for marketing), you must obtain the patient's written authorization on a HIPAA-compliant authorization form. Disclosures for treatment, payment and health care operations, including those to business associates under a signed business associate agreement, do not require a patient authorization.

For an authorization form to be valid (45 CFR 164.508), it must include the following statements:

  • The patient has the right to revoke the authorization at any time, in writing, and how to do so.
  • Whether treatment, payment, enrollment or eligibility for benefits may be conditioned on signing (in most cases it may not; signing is voluntary).
  • Information disclosed under the authorization may be redisclosed by the recipient and may no longer be protected by the Privacy Rule.

The form must also describe the information to be disclosed in a specific and meaningful way, name who may disclose it and who may receive it, state the purpose of the disclosure, and give an expiration date or event. It must be signed and dated by the patient or their personal representative (with a description of that person's authority to act for the patient).


Ensure authorizations are filed in patients medical record

In addition to ensuring an authorization form is completed before a patient's PHI is released, the next step is to ensure all of the forms are securely filed in the patient's medical record, so that every disclosure can be traced back to the authorization that permitted it.

Ensure PHI can be destroyed after the retention period

HIPAA itself does not set a retention period for medical records; that is governed by state law (and by any Medicare or other program requirements that apply to you). What HIPAA does require, at 45 CFR 164.316(b)(2) and 164.530(j), is that HIPAA compliance documentation be kept for six years:

  • Six years from the date the document was created; or
  • Six years from the date it was last in effect, whichever is later

This covers policies and procedures, signed authorizations, NPP acknowledgments, accounting-of-disclosure logs, risk analyses and the like. Where state law requires a longer period for any of these, or for medical records, the longer period applies. Do not destroy records before the longest applicable period has elapsed.

HHS guidance on the disposal of PHI lists the following acceptable methods:

  • PHI in paper records may be shredded, burned, pulped, or pulverized so the PHI is unreadable, indecipherable, and cannot be reconstructed.
  • PHI in electronic media may be cleared by overwriting it, purged by degaussing or exposing the media to a strong magnetic field, or otherwise destroyed by disintegration, pulverization, melting, incinerating, or shredding. Note that overwriting is unreliable on solid-state and flash media because of wear levelling; for those, use the drive's built-in sanitize or cryptographic erase function or destroy the device, following NIST SP 800-88, Guidelines for Media Sanitization.

HHS also states that it is acceptable to keep PHI in opaque bags in a secured area while it awaits destruction. The key is that any records you dispose of are destroyed in a manner that prevents them from being reconstructed or otherwise accessed.
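As an added example of the "clear by overwriting" method in the list above (this is not code from the original checklist or from HHS), the following Python function overwrites a single file in place with random bytes, forces the data to disk, checks that the original content is no longer readable, and only then unlinks the file. The sample record it writes is constructed for the demo. The caveat from the text applies: this is a "clear" operation for conventional magnetic disks, and on SSDs, flash media, copy-on-write or journaling filesystems, or anything backed up or snapshotted, the old bytes may survive elsewhere, so it does not replace media-level sanitization.

```python
"""Clear PHI in a file by overwriting before deletion (added example)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024

# Constructed sample record; not real patient data.
SAMPLE_RECORD = (
    b"MRN 000123 | Doe, Jane | DOB 1970-01-01 | Dx: constructed sample\n"
) * 2000


def overwrite_and_delete(path, passes=1):
    """Overwrite `path` in place `passes` times with random bytes, verify the
    overwrite took effect, then delete the file. Returns bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original_head = f.read(min(size, CHUNK))

    for _ in range(passes):
        # r+b keeps the same inode so the same on-disk blocks are rewritten;
        # opening with "wb" would truncate and could allocate fresh blocks.
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push the overwrite through the OS cache

    # Verify: the first chunk must no longer match what was there before.
    with open(path, "rb") as f:
        new_head = f.read(min(size, CHUNK))
    if size and new_head == original_head:
        raise RuntimeError(f"overwrite of {path} did not take effect")

    os.unlink(path)
    return size


def demo():
    """Write the constructed record to a temp file, clear it, and return
    (bytes_overwritten, file_removed)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)
    written = overwrite_and_delete(path, passes=2)
    return written, not os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

For whole devices rather than individual files, the equivalent step is the drive's firmware sanitize or cryptographic erase command, with the result recorded in your destruction log alongside the paper-shredding certificates.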

Approval: Medical records

Tasks submitted for approval:
  • Verify only appropriate staff can access medical records
  • Assess physical security of medical records
  • Ensure patient authorization is received before release of PHI
  • Ensure authorizations are filed in patients medical record
  • Ensure PHI can be destroyed after the retention period

General security:

Ensure computer monitors are positioned appropriately

It may seem obvious that computer monitors need to be positioned appropriately, but a simple mistake could lead to a breach. 

Check all workstations and confirm that each monitor is positioned so that they cannot be viewed by patients and other individuals that do not have the appropriate clearance.

Ensure unattended computers are properly secured

All unattended computers must be properly secured, both physically and digitally. 

This means the machine should be physically secured to the desk or kept in a locked area, the screen must lock automatically after a short period of inactivity, and unlocking must require the user's password or other credential. Staff should also lock the screen manually whenever they step away rather than relying on the timeout.

Ensure paper records are stored appropriately

Although most practitioners have begun converting to electronic records, many healthcare providers still hold both hard copy and electronic records.

To best protect your records, your file room should be secured by a monitoring or card entry system. At a minimum, it should be supervised during working hours.

Larger organizations with sufficient resources should appoint a risk manager responsible for protecting the records storage site.

Approval: General security

Tasks submitted for approval:
  • Ensure computer monitors are positioned appropriately
  • Ensure unattended computers are properly secured
  • Ensure paper records are stored appropriately

Personnel policies:

Ensure HIPAA privacy policies are in the employee handbook

Your medical institution should have an employee handbook that contains all of the information regarding the HIPAA privacy policies and how they apply to your organization. 

This handbook should be easily accessible by all staff members.

Also ensure that all privacy policies are up to date.

Ensure employees receive privacy training

Employees need to be trained to understand HIPAA regulations regarding patient privacy.

Any kind of security breach is more likely to be caused by human error than anything else, so a comprehensive training program reduces the risk of a violation.

Visit the HHS.gov website for training materials.

Ensure training is documented

Ensure that all training is documented. This is incredibly important in the event of an external audit or investigation.

HIPAA requires that training be documented. It doesn’t say much else on how training must be documented. In the event of an OCR investigation or audit, it is best to be able to produce the content of the training as well as when it was administered, to whom, and how frequently. You should also keep track of who completed it successfully and what successful completion entailed. - TeachPrivacy

Provide a brief summary of your HIPAA Privacy Rule training program in the form field below.

You can also attach and/or link to training documentation below.

Approval: Personnel policies

Tasks submitted for approval:
  • Ensure HIPAA privacy policies are in the employee handbook
  • Ensure employees receive privacy training
  • Ensure training is documented

Final evaluation:

Summarize the privacy risk analysis

In the form fields below, provide a summary of the privacy risk analysis, a concise list of the areas that need to be addressed, and the action items, each with an owner and a target date.

Approval: General risk analysis completed

Tasks submitted for approval:
  • Summarize the privacy risk analysis
