HIPAA Compliance Checklist

Most healthcare practices and business associates still don't accurately and regularly manage a true HIPAA program. For this reason, we created a simple HIPAA compliance checklist so you can quickly determine if you're on the right track.


HIPAA Checklist

Instructions: Review this list of 12 fundamental HIPAA compliance requirements and check only those items that you actively manage. Your score is below along with a recommended next step.

No expert is needed; however, this person should have access to an expert, or be technology-savvy and well versed in HIPAA requirements themselves.

Document the level of information access each job role requires to complete assigned job activities.

Keep a history of physical changes, upgrades, repairs, and other modifications to your facility where ePHI is kept.

Know each person's level of ePHI access, mobile device usage, remote access authorization, inventory assignment, signed agreements, and training history.

Keep a list of, and obtain signed Business Associate Agreements from, those who perform a service on your behalf involving the use of protected health information.

List every device on which patient information is stored or through which it passes. Know what safeguards are in place to protect each inventory item.

A collection of independent policies & procedures, some of which must be custom to your office (can't be one-size-fits-all). Your policies must be reviewed and approved annually.

Generic online videos don't count because HIPAA training must be specific to your office. Training topics include: breach notification, sanction policies, password management, malware basics, workstation use, and emergency operations.

Review records of information system activity, such as audit logs, to ensure patient records are being accessed in a manner consistent with your policies and procedures.

Manage threat-vulnerability combinations and assign risk scores based on likelihood and impact determinations. Warning: A "risk assessment" is not a risk analysis.

Implement new security measures (a.k.a. safeguards) to reduce risk to reasonable and appropriate levels.

Reports help prove you took reasonable steps to protect patient information. After all, "if it wasn't documented, it didn't happen."
