HIPAA Privacy Risk Assessment Checklist

The requirement for covered entities to conduct a HIPAA risk assessment was introduced in 2003 with the original HIPAA Privacy Rule.

Conducting periodic risk assessments is not only required by law, but will also help you avoid potential violations that can be incredibly costly.

"More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard their patients´ personal information. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI existed." - HIPAA Journal, HIPAA Risk Assessment

Facing a sudden data breach by a group of skilled cyber-crime attackers would be a lot more damaging if an investigation showed that the breach could have been avoided, and was largely due to a failure to identify and safeguard risks.

This checklist is designed to guide you through a comprehensive evaluation of your compliance with the HIPAA Privacy Rule, and to identify areas that need to be addressed to improve PHI security.

The template is split up into the following sections:

• Check-in procedures (patient identity verification, insurance etc.)
• Clinical areas (ensuring no PHI is visible/accessible)
• Medical records (staff access, physical security, patient authorization)
• General security (computer monitors, paper records)
• Personnel policies (employee training, documentation)

Once the checklist is complete, you will have an accurate understanding of how well your organization is protecting PHI. You will also identify areas that need to be addressed and set out clear action items to optimize security measures.

Let's get started!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

First, enter some basic details regarding your organization.

When a new patient enters your medical institution, they may be unsure as to what information they are required to provide, and which form(s) they need to fill out. 

It is therefore important that the appropriate staff provide assistance when the patient is filling out the forms necessary for them to be admitted. 

Its essential that patient insurance is verified for each and every patient that is admitted to your medical institution. 

To do so, you must carry out the process of checking a patients active coverage with the insurance company and verifying the eligibility of his or her insurance claims. 

Patients would be ineligible for benefits when they provide wrong or outdated information, or when their policies have been terminated or modified. A simple error can result in claim rejection or denial, so you have to be sure it is being done correctly.

To take the stress out of managing patient insurance, it is better to outsource insurance verification services to an outsourcing company that can get your claims billed and processed accurately. 

The Notice of Privacy Practices Acknowledgement is provided to the patient and details how the healthcare provider may use and share your health information. 

The law requires that the doctor, hospital, or healthcare provider must ask the patient to state in writing that they received the notice.

What is in the Notice?

As stated on the HHS website, the notice must describe:

• How the Privacy Rule allows provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason
• The organization’s duties to protect health information privacy
• Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated
• How to contact the organization for more information and to make a complaint

The patient can ask for a copy of the notice at any time.

According to the U.S. Department of Health & Human Services, medical appointment reminders are allowed under HIPAA privacy rules, which state:

“Appointment reminders are considered part of the treatment of an individual and, therefore, can be made without authorization.” 

When sending a HIPAA text message appointment reminder, it is best to avoid being too specific. Keep in mind that practice names can infer types of treatment or conditions. For example, “Oncology Clinic” clearly indicates that the patient has cancer.

Generic reminders include:

• Appointment date and time
• Provider’s first and last name
• Location of the appointment

Ensure your NPP (Notice of Privacy Practices) is updated and includes information about opting-in for appointment reminders by SMS and/or email.

In order to ensure HIPAA compliance, during check-in, a patient should verify their identity in the following ways, depending on the method of verification:

In-Person:

• Photo ID
• Driver's License
• Passport

Mail:

• Signature validation: Compare the signature on the mailed request with the patient’s signature on file in the medical record. Most patients will have signed having been offered the Notice of Privacy Practices (NPP)
• When possible, it is preferable to have the records mailed to the address on file for the patient.

Phone

• Request full name and at least two other identifiers such as date of birth, address, emergency contact name, phone number, last 4 digits of their social security number.
• Request most recent date of service or invoice number for billing questions.
• If the request is not from the patient but by someone who may have appropriate authority to make a request such as another treatment provider, ask that the request be made in writing on letterhead.

To ensure HIPAA compliance when verifying patient identity, and in general to make the process more efficient, it is recommended to use a third-party service provider, such as TransUnion, to do it for you. 

Even in our world of digital interaction, word-of-mouth still plays a huge role. 

When it comes to sensitive patient information, a serious breach of HIPAA compliance can arise if staff in your medical institution are discussing private patient information in clinical areas. 

Ensure that all staff are fully aware of the risks and are properly trained to know that discussing patient information in clinical areas is not acceptable. 

Similar to in-person discussions amongst staff, phone calls also present a risk of a breach to the HIPAA privacy rule, and therefore need to be assessed to ensure staff members on phone calls are not disclosing private patient information.

To protect patient privacy, exam room doors must be shut during patient encounters.

This is a simple task that can be easily completed with sufficient training and security awareness by the medical staff. 

If lab and X-ray logs are not covered properly, they can display PHI, which could potentially result in a breach. 

An important preventative measure that protects PHI and complies with HIPAA regulations, is to cover the logs when they are left unattended. 

Just like with lab and X-ray logs, all clinical workstations must protect PHI while unattended. 

Hard-copy files must be securely stored and computers locked.

Any open screens displaying PHI while no staff are present breaks HIPAA regulations and presents a significant security risk. 

A final, easily overlooked step when conducting a privacy risk assessment in clinical areas is to ensure PHI shred bins are being emptied regularly.

A simple task that can prevent an easily avoidable privacy breach. 

Medical records are, of course, the gold mine of private patient information. They must be securely stored and only staff with the appropriate security clearance should have access to them. 

Evaluate which staff members can access patients medical records and verify that they all have the appropriate clearance. 

Assess the physical storage of all medical records and ensure they are HIPAA compliant.

The room they are in should be secured, monitored, and only accessible by qualified staff members. 

This is an incredibly important requirement of the HIPAA Privacy Rule.

Before PHI is released (e.g. to a business associate), you must receive authorization from the patient, in the form of a signed HIPAA release/authorization form.

In order for an release form to be legally valid, it must inform the patient of the following:

• The patient has the right to revoke an authorization at any time.
• Authorization forms are completely voluntary.
• There is a chance that the person you are choosing to trust with your information might disclose it to someone else.

HIPAA’s privacy rule demands that, in order for authorization to be considered valid, the release form must A) provide specific legal information about HIPAA’s Privacy Rule, and B) detail the nature of information being disclosed, the purpose, to who, and for how long.

Have more questions about how and when you need to use the HIPAA release form? Read through this article for a full breakdown.

In addition to ensuring an authorization form is completed for each patient prior to the release of their PHI, the next step is to ensure all of the forms are securely filed in the patients medical record. 

According to HIPAA, medical records must be kept for either:

• Six years from their creation; or
• Six years from their last use

Most states have data retention laws, too. If the state’s law specifies a shorter retention period than HIPAA, the HIPAA regulation prevails. If the state requires a longer retention period, then providers must adhere to the state law and destroy the records according to the state’s schedule.

Here are some suggestions from HIPAA for the destruction of medical records:

• PHI in paper records may be shredded, burned, pulped, or pulverized so the PHI is unreadable, indecipherable, and may not be reconstructed.
• PHI in electronic media may be cleared by overwriting it, purged by degaussing or exposing the media to a magnetic field, or otherwise destroyed by disintegration, pulverization, melting, incinerating, or shredding.

They also state that it’s acceptable to maintain PHI in opaque bags in a secured area while it waits for destruction. The key is that any medical records you get rid of must be destroyed in a manner that prevents them from being reconstructed or otherwise accessed.

It may seem obvious that computer monitors need to be positioned appropriately, but a simple mistake could lead to a breach. 

Check all workstations and confirm that each monitor is positioned so that they cannot be viewed by patients and other individuals that do not have the appropriate clearance.

All unattended computers must be properly secured, both physically and digitally. 

This means that they need to be secured to the desk they are on and the screen needs to lock automatically when left unattended. 

Although it is estimated that 95% of practitioners will have started the conversion to electronic records, many healthcare providers have both hard copy and electronic records.

To best protect your records, your file room should be secured by a monitoring or card entry system. At a minimum, it should be supervised during working hours.

Larger organizations with sufficient resources should appoint a risk manager responsible for protecting the records storage site. 

Your medical institution should have an employee handbook that contains all of the information regarding the HIPAA privacy policies and how they apply to your organization. 

This handbook should be easily accessible by all staff members.

Also ensure that all privacy policies are up to date.

Employees need to be trained to understand HIPAA regulations regarding patient privacy.

Any kind of security breach is more likely to be caused my human error than anything else, and so with a comprehensive training program, the risk of getting in trouble is minimized. 

Visit the HHS.gov website for training materials.

Ensure that all training is documented. This is incredibly important in the event of an external audit or investigation.

HIPAA requires that training be documented.  It doesn’t say much else on how training must be documented.  In the event of an OCR investigation or audit, it is best to be able to produce the content of the training as well as when it was administered, to whom, and how frequently.  You should also keep track of who completed it successfully and what successful completion entailed. - TeachPrivacy

Provide a brief summary of your HIPAA Privacy Rule training program in the form field below.

You can also attach and/or link to training documentation below.

In the form fields below, provide a summary of the privacy risk analysis, as well as a concise list of the areas that need to be addressed, and action items. 

• HHS - Guidance on Risk Analysis
• HHS - Notice of Privacy Practices
• HIPAA Journal - HIPAA Release Form
• HIPAA HQ - HIPAA Forms Explained: Privacy and Authorization
• Gilmore Services - Medical Record Destruction, It's HIPAA Mandated
• TAB - How to Safeguard Paper Medical Records
• SafetyCulture - HIPAA General Privacy Risk Analysis Checklist
• Indiana University - Retention & Destruction of Protected Health Information
• Josh Orueta - How to Send Automated Medical Appointment Reminders Without Jeopardizing Patients’ Data Security

• HIPAA Compliance Checklist for HR
• HIPAA Omnibus Rule Checklist
• HIPAA Security Breach Reporting Checklist
• HIPAA Business Associate Agreement Checklist
• HIPAA Data Backup Plan Checklist
• Patient Intake Checklist for a Medical Clinic
• Patient Intake Checklist for a Dental Clinic
• Patient Satisfaction Survey Checklist
• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• General Infection Control Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• HIPAA Compliance Checklist
• COVID-19 Procedure: Isolation Area Management
• COVID-19 Procedure: Disinfection Procedures for COVID-19 Isolation Ward Area
• COVID-19 Procedure: Lung Transplantation Pre-Transplantation Assessment
• COVID-19 Procedure: Nursing Care During Treatment (ALSS)
• COVID-19 Procedure: Protocol for Donning and Removing PPE
• COVID-19 Procedure: Staff Management (Workflow and Health)
• COVID-19 Procedure: Daily Management and Monitoring of ECMO Audit
• COVID-19 Procedure: Digital Support for Epidemic Prevention and Control
• COVID-19 Procedure: Discharge Standards and Follow-up Plan for COVID-19 Patients
• COVID-19 Procedure: Disinfection of COVID-19 Related Reusable Medical Devices
• COVID-19 Procedure: Disinfection Procedures for Infectious Fabrics of Suspected or Confirmed Patients
• COVID-19 Procedure: Disposal Procedures for COVID-19 Related Medical Waste
• COVID-19 Procedure: Disposal Procedures for Spills of COVID-19 Patient Blood/Fluids
• COVID-19 Procedure: Procedures for Handling Bodies of Deceased Suspected or Confirmed Patients
• COVID-19 Procedure: Procedures for Taking Remedial Actions against Occupational Exposure to COVID-19
• COVID-19 Procedure: Surgical Operations for Suspected or Confirmed Patients