1. Identify and document all types of PHI handled
2. Determine locations of stored PHI
3. Evaluate current privacy policies
4. Ensure written consent forms are in place for sharing of PHI
5. Check if all staff are trained on HIPAA policies
6. Implement mechanisms for tracking PHI disclosures
7. Validate that PHI is only disclosed for treatment, payment, or healthcare operations
8. Set up a process for individuals to request PHI
9. Establish written protocol for PHI breach
10. Implement a system of sanctions for HIPAA violations
11. Create a secure process for disposing of PHI
12. Assess if business associates comply with HIPAA
13. Approval: Business Associate Compliance
14. Establish a process for regular HIPAA compliance audits
15. Create guidelines for Workstation use
16. Confirm encryption of stored and transmitted PHI
17. Establish a procedure for responding to patient's request to amend PHI
18. Institute a mechanism for request and receipt of privacy practices notice
19. Approval: Privacy Practices Notice Distribution
20. Develop procedure for patients' request on disclosures of PHI
21. Assess the need of a privacy official and assign if required

Identify and document all types of PHI handled
Identify and document every type of Protected Health Information (PHI) the organization creates, receives, maintains, or transmits: individually identifiable health information in any form (paper, electronic, or oral), including demographic, clinical, billing, and insurance details. A complete inventory is the foundation for the rest of this checklist, because the policies, safeguards, and disclosure controls that follow can only be applied to PHI the organization knows it holds.
Determine locations of stored PHI
Determine all the locations where PHI is stored. This includes physical locations, such as filing cabinets, storage rooms, and off-site archives, and digital locations, such as servers, databases, cloud storage, backups, e-mail, removable media, mobile devices, and the memory of printers and scanners, as well as copies held by business associates. PHI that is missing from this inventory has no owner and no safeguards, so the inventory determines where security measures must be in place.
Evaluate current privacy policies
Evaluate the organization's current privacy policies to ensure compliance with the HIPAA Privacy Rule. This involves reviewing and analyzing existing policies, procedures, and practices to identify any gaps or areas for improvement. By evaluating current privacy policies, the organization can ensure that it is effectively protecting the confidentiality and integrity of PHI.
Policy areas to evaluate:
1. Access controls
2. Data encryption
3. Breach notification procedures
4. Employee training

Gaps commonly identified:
1. Lack of staff awareness
2. Inadequate safeguards
3. Outdated procedures

Improvements to consider:
1. Access control enhancements
2. Additional encryption measures
3. Improved breach notification procedures
4. Enhanced employee training
Ensure written consent forms are in place for sharing of PHI
Ensure that written forms are in place for sharing PHI with external entities or individuals in the cases the HIPAA Privacy Rule does not already permit. Note the Rule's terminology: disclosures for treatment, payment, and healthcare operations do not require the patient's written permission (a consent form for these is optional), whereas most other disclosures, such as to an employer, a marketer, or a researcher, require a valid authorization that states what is disclosed, by whom, to whom, for what purpose, and when it expires, and that tells the individual it can be revoked. Review and update the forms so they meet these requirements and clearly communicate the purpose and scope of the sharing.

Form types:
1. General consent form
2. Specific consent form
3. Consent form for research purposes
Check if all staff are trained on HIPAA policies
Check that every workforce member has received training on HIPAA policies and procedures: what the Privacy Rule requires, how to recognize and protect PHI, and how to follow the organization's own privacy policies. The Privacy Rule requires training for new workforce members within a reasonable period after they join, retraining whenever a material change in policy affects their duties, and documentation of the training, so record who was trained, on what, and when. Properly trained staff are the first line of defense against privacy breaches, and the training records are the evidence of compliance.

Training status:
1. Completed
2. Pending

Training methods:
1. Online training modules
2. In-person training sessions
3. Training materials and resources
Implement mechanisms for tracking PHI disclosures
Implement mechanisms for tracking and monitoring disclosures of PHI: a record of when, to whom, and for what purpose each disclosure was made, and a brief description of what was disclosed. The record must be tamper-evident and retained for at least six years, the period an accounting of disclosures must cover, because it is the evidence for the accounting an individual is entitled to request and the first artifact an investigator asks for after an incident. Where PHI lives in an EHR or other application, use the application's audit log rather than a manually maintained spreadsheet, and make sure the log cannot be edited by the people whose disclosures it records.

Fields to record for each disclosure:
1. Date and time of disclosure
2. Recipient of the disclosure
3. Purpose of the disclosure
Validate that PHI is only disclosed for treatment, payment, or healthcare operations
Validate that PHI is disclosed only for purposes the HIPAA Privacy Rule permits. Disclosures for treatment, payment, or healthcare operations may be made without the individual's written permission; any other disclosure needs either a valid authorization from the individual or one of the Rule's specific permissions (for example, disclosures required by law or to a public health authority). Review a sample of actual disclosures against the disclosure log and confirm that each falls into a permitted category, that "other" disclosures have the authorization on file, and that no more than the minimum necessary PHI was released (the minimum-necessary standard does not apply to disclosures to a provider for treatment).

Purpose categories:
1. Treatment
2. Payment
3. Healthcare operations
4. Other (authorization or a specific Privacy Rule permission required)
Set up a process for individuals to request PHI
Set up a process for individuals to request access to or copies of their own PHI. The process should state how to make a request, what information the requester must supply, how identity is verified, and the timeline: the Privacy Rule requires a response within 30 days of the request, with one 30-day extension if the individual is told the reason for the delay in writing. Provide the copy in the form and format the individual asks for when it is readily producible, and charge no more than a reasonable, cost-based fee. A streamlined process lets individuals exercise their right of access and keeps the organization inside the deadline.

Information to collect from the requester:
1. Full name
2. Date of birth
3. Contact information
Establish written protocol for PHI breach
Establish a written protocol for responding to and managing breaches of PHI. It should set out how a suspected breach is reported internally and contained, how the nature and extent of the breach are assessed (including the risk assessment that decides whether notification is required), who notifies affected individuals, the Secretary of HHS, and, for breaches affecting more than 500 residents of a state, the media, and what corrective actions follow to prevent a recurrence. Build the deadlines into the protocol: under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Note also that PHI encrypted in line with HHS guidance is not "unsecured" PHI, so a lost encrypted laptop whose key was not compromised is not a notifiable breach; this is the strongest practical argument for the encryption item later in this checklist. A clear protocol lets the organization respond quickly and limit the impact on individuals and on itself.
Implement a system of sanctions for HIPAA violations
Implement a system of sanctions for workforce members who violate the organization's privacy and security policies. Define the categories of violation, set consequences proportionate to intent and harm (retraining for an honest mistake, up to termination and referral for deliberate snooping or theft), apply them consistently regardless of seniority, and document every sanction applied, since the Privacy Rule requires both the sanction policy and a record of its application. Consistent enforcement is what turns the written policy into a culture of compliance and discourages non-compliant behavior.

Example violation categories:
1. Unauthorized access to PHI
2. Failure to report a breach
3. Failure to train staff on HIPAA policies
4. Improper disposal of PHI
Create a secure process for disposing of PHI
Create a secure process for disposing of PHI in every form the organization holds. Paper records are shredded (cross-cut) or incinerated, ideally under a contract with a disposal vendor that is itself a business associate. For electronic media, plan the method around the medium: overwriting works for magnetic disks, but on SSDs, flash drives, and cloud storage ordinary deletion and even overwriting do not reliably remove data, so destroy the encryption key (crypto-shredding), use the drive's built-in sanitize command, or physically destroy the media, following NIST SP 800-88 for the appropriate method and keeping a certificate of destruction. Do not forget copies in backups, e-mail, printers and multifunction devices, and returned or retired equipment. A secure disposal process prevents PHI from leaving in a dumpster or on a resold hard drive.

Disposal methods:
1. Shredding
2. Incineration
3. Secure digital deletion (media sanitization per NIST SP 800-88)
Assess if business associates comply with HIPAA
Assess whether business associates, such as vendors, contractors, cloud providers, and billing services, comply with HIPAA. Start with the contract: a signed business associate agreement (BAA) is required before any PHI is shared, and it must oblige the associate to safeguard the PHI, report breaches, flow the same terms down to its subcontractors, and return or destroy the PHI at the end of the engagement. Then verify, by questionnaire, evidence review, or on-site audit, that the associate's safeguards actually exist, and repeat the assessment on a schedule and at contract renewal. Third-party relationships are a common source of breaches, so this is not a one-time paperwork exercise.

Assessment methods:
1. Contract review
2. On-site audit
3. Questionnaire assessment
4. Evidence-based assessment
Approval: Business Associate Compliance
Submitted for approval: Assess if business associates comply with HIPAA
Establish a process for regular HIPAA compliance audits
Establish a process for regular internal audits of HIPAA compliance. Define the scope and objectives (privacy policies, technical safeguards, disclosure logs, training records, business associate agreements), set the frequency, assign an owner, and track findings through to remediation. Pair the audits with the periodic risk analysis the Security Rule requires and with a review of access and audit logs, since that is where violations actually show up. Regular audits surface gaps before a regulator or an incident does.

Audit frequency:
1. Quarterly
2. Annually
3. Biennially
Create guidelines for Workstation use
Create guidelines for the use of workstations that handle PHI, including laptops and any personal device allowed to access it. Cover acceptable use, password or passphrase requirements and multi-factor authentication, automatic screen locking after a short idle period, a clear-desk rule for paper and for unattended screens, and each user's responsibility for protecting PHI. On the technical side, require full-disk encryption, current anti-malware software, timely patching, and restricted local administrator rights, and position screens so PHI is not visible to passers-by. Clear guidelines reduce the risk of unauthorized viewing or disclosure at the point where most PHI is actually handled.

Acceptable-use topics:
1. Prohibited activities
2. Password requirements
3. Screen locking policy
4. Clear desk policy

Workstation safeguards:
1. Physical security controls
2. Antivirus software
3. Encryption requirements
Confirm encryption of stored and transmitted PHI
Confirm that all electronic PHI is encrypted both at rest and in transit. At rest this means full-disk encryption on every laptop, workstation, and removable medium, and database or storage-level encryption on servers and in the cloud, with keys managed separately from the data. In transit it means TLS 1.2 or later with certificate verification for every connection that carries PHI, and no plaintext channels such as FTP, unencrypted e-mail, or HTTP. Review the current controls, deploy encryption where it is missing, and verify the configuration rather than trusting the design documents: a TLS endpoint that still accepts TLS 1.0 or a client that skips certificate checks is encrypted on paper only. Encryption is an addressable specification under the Security Rule, so a decision not to encrypt must be documented together with the alternative safeguards adopted; in practice, encryption is also what keeps a lost device from becoming a reportable breach.

Encryption status:
1. Fully encrypted
2. Partially encrypted
3. Not encrypted
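The "verify the configuration" step above is easy to mechanize for the in-transit half. The following is an added example, not code from the checklist or from any product it describes: it builds a hardened TLS client context with Python's standard ssl module, places the common weak configuration beside it, and audits either one for the three settings that matter most (protocol floor, certificate verification, hostname check). It inspects only the context object, so it runs offline; the hostnames and services you would actually connect to are out of scope.

```python
"""Audit of a TLS client configuration used to send PHI.

Added example, not part of the original checklist. It inspects only the
settings of a Python ssl.SSLContext, so it runs without any network access.
"""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Certificate verification on, hostname checked, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern to hunt for: verification switched off 'to make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lets the peer negotiate TLS 1.0
    ctx.check_hostname = False       # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an attacker's, is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, "->", audit_context(ctx) or ["OK"])
```

The same three questions apply to any client library or language: what is the lowest protocol version it will negotiate, does it verify the server's certificate chain, and does it check that the certificate matches the host it connected to. A "partially encrypted" finding on this checklist is very often a connection where the answer to the second or third question is no.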
Establish a procedure for responding to patient's request to amend PHI
Establish a procedure for responding to an individual's request to amend their PHI. Verify the requester's identity, review the requested amendment against the records, and decide whether to accept or deny it (denial is permitted, for example, when the record is accurate and complete or was not created by the organization). The Privacy Rule requires action on the request within 60 days, with one 30-day extension. If the amendment is accepted, identify and update the affected records and notify the persons the individual names and anyone known to hold the PHI; if it is denied, give the individual a written denial that explains the reason and their right to submit a statement of disagreement. A clear procedure keeps the organization inside the deadline and keeps the record accurate.

Steps:
1. Verify patient identity
2. Assess requested amendment
3. Consult relevant medical records
Institute a mechanism for request and receipt of privacy practices notice
Institute a mechanism for individuals to request and receive the organization's Notice of Privacy Practices. The notice is given at the first service delivery (with a good-faith effort to obtain a written acknowledgment), posted prominently where services are delivered, published on the organization's website if it has one, and supplied on request to anyone who asks, in the format the individual prefers. Keep the acknowledgments and the dated versions of the notice, and redistribute it when it changes materially. Providing the notice is what lets individuals understand and exercise their rights.

Delivery formats:
1. Paper copy
2. Electronic copy
3. Online access
Approval: Privacy Practices Notice Distribution
Submitted for approval: Establish a procedure for responding to patient's request to amend PHI; Institute a mechanism for request and receipt of privacy practices notice
Develop procedure for patients' request on disclosures of PHI
Develop a procedure for handling an individual's request that the organization disclose their PHI to a third party they designate. Confirm the requester's identity, determine whether the disclosure needs a signed authorization or falls under the individual's right of access (a clear, signed written request directing a copy to a named third party is handled as an access request, on the access timeline), verify that the recipient and the scope of PHI match what was requested, record the disclosure in the disclosure log, and tell the individual when and what was sent. A clear procedure lets the organization honor these requests promptly while staying within the Privacy Rule.

Steps:
1. Confirm patient identity
2. Assess authorization requirements
3. Consult relevant medical records
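The disclosure-tracking item, the treatment/payment/operations validation item, and the patient-directed disclosure procedure above all depend on one artifact: a disclosure record that cannot be quietly edited and can be queried per individual. The following is an added example, not code from the checklist or any product it describes, showing one way to build that record: an append-only log where each entry is SHA-256 hashed together with the previous entry's hash, a purpose check that refuses anything outside treatment, payment, or healthcare operations unless an authorization is cited, and an accounting query per patient. The field names, the "other" purpose category, the authorization reference, and the sample disclosures (all fictional, constructed for the example) are this example's assumptions.

```python
"""Hash-chained PHI disclosure log.

Added example, not part of the original checklist. Field names, the "other"
purpose category (which must cite an authorization), and SHA-256 chaining
are assumptions of this example.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence

# Purposes for which the Privacy Rule permits disclosure without a patient authorization.
TPO_PURPOSES = frozenset({"treatment", "payment", "healthcare_operations"})
GENESIS_HASH = "0" * 64
_CHAIN_KEYS = ("prev_hash", "entry_hash")


def disclosure_is_permitted(purpose: str, authorization_ref: Optional[str] = None) -> bool:
    """TPO needs no authorization; anything else must be 'other' and cite one."""
    if purpose in TPO_PURPOSES:
        return True
    return purpose == "other" and bool(authorization_ref)


def _entry_hash(fields: Dict[str, str], prev_hash: str) -> str:
    """SHA-256 over the previous hash plus the canonical JSON of the entry's fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def verify_chain(entries: Sequence[Dict[str, str]]) -> bool:
    """Recompute every hash; an edited, removed, or reordered entry breaks the chain."""
    prev = GENESIS_HASH
    for entry in entries:
        fields = {k: v for k, v in entry.items() if k not in _CHAIN_KEYS}
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(fields, prev):
            return False
        prev = entry["entry_hash"]
    return True


class DisclosureLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, str]] = []

    @property
    def entries(self) -> List[Dict[str, str]]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot edit the log

    def record(self, patient_id: str, recipient: str, purpose: str, description: str,
               authorization_ref: Optional[str] = None,
               disclosed_at: Optional[str] = None) -> Dict[str, str]:
        if not disclosure_is_permitted(purpose, authorization_ref):
            raise ValueError(f"purpose {purpose!r} is outside treatment/payment/operations "
                             "and no authorization is cited")
        fields = {
            "patient_id": patient_id,
            "disclosed_at": disclosed_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "recipient": recipient,
            "purpose": purpose,
            "description": description,
            "authorization_ref": authorization_ref or "",
        }
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH
        entry = dict(fields, prev_hash=prev, entry_hash=_entry_hash(fields, prev))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        return verify_chain(self._entries)

    def accounting_for(self, patient_id: str, include_tpo: bool = True) -> List[Dict[str, str]]:
        """Entries for one individual, optionally omitting routine TPO disclosures."""
        return [dict(e) for e in self._entries
                if e["patient_id"] == patient_id
                and (include_tpo or e["purpose"] not in TPO_PURPOSES)]


def demo_log() -> DisclosureLog:
    """Three constructed, fictional disclosures used to exercise the log."""
    log = DisclosureLog()
    log.record("MRN-0001", "Dr. A. Example, referring physician", "treatment",
               "visit summary", disclosed_at="2024-03-01T10:15:00+00:00")
    log.record("MRN-0001", "Example Health Plan", "payment",
               "claim for 2024-03-01 visit", disclosed_at="2024-03-02T08:00:00+00:00")
    log.record("MRN-0002", "Example Research Registry", "other",
               "2023 encounter records", authorization_ref="AUTH-2024-017",
               disclosed_at="2024-03-05T14:30:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify())
    for entry in log.accounting_for("MRN-0001"):
        print(entry["disclosed_at"], entry["recipient"], entry["purpose"])
```

The chain only proves that the log was not altered after the fact; it does not stop the process that writes the log from lying, so the head hash should be periodically copied somewhere the writers cannot reach (a separate log system, a printed record, or a signed timestamp). The include_tpo switch exists because the Privacy Rule's accounting-of-disclosures provision excludes disclosures made for treatment, payment, and healthcare operations; whether to show those to a requesting individual anyway is a policy decision the code leaves to the caller.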
Assess the need of a privacy official and assign if required
Designate the organization's privacy official. This is not optional for a covered entity: the Privacy Rule requires every covered entity to designate a privacy official responsible for developing and implementing its privacy policies, and a contact person or office that receives complaints and answers questions about the notice, and to document those designations. What the assessment decides is the shape of the role, not whether it exists: in a large hospital it is a dedicated position with staff, while a small practice may combine it with the security officer or another management role. Whoever holds it needs enough knowledge of the Rule and enough authority within the organization to enforce the policies in this checklist.