HIPAA Compliance Checklist

Using a HIPAA compliance checklist.

Most healthcare practices and business associates still don't accurately and regularly manage a true HIPAA program. For this reason, we created a simple HIPAA compliance checklist to quickly determine whether or not your office is on the right track.

The checklist only takes a couple minutes to complete and your responses are NOT transmitted anywhere. Therefore, answer honestly because you have nothing to lose and only knowledge to gain.

The HIPAA Checklist

Instructions: Review the list of 12 fundamental HIPAA compliance requirements and check only those items that you actively manage. To actively manage a HIPAA requirement, you must keep the information up-to-date and/or perform the task at least once per year (annual requirements are indicated by an asterisk*). Your checklist score is below along with a recommended next step. Good luck!

For in-depth instructions, please consider watching the HIPAA Checklist - What's Your Grade? recorded webinar, in which Dr. Jeff Brown guides you through each checklist item in detail.

No expert needed; however, this person should have access to an expert or be technology savvy and well versed in HIPAA requirements themselves.

Document the level of information access each job role requires to complete assigned job activities.

A history of physical changes, upgrades, repairs, and other modifications to your facility where ePHI is kept.

Know each person's level of ePHI access, mobile device usage, remote access authorization, inventory assignment, signed agreements, and training history.

Keep a list of, and obtain signed Business Associate Agreements from, those who perform a service on your behalf involving the use of protected health information.

List every device (computer, smart phone, printer, etc.) in which patient information is stored or passes through. Know what safeguards are in place to protect each inventory item.

A collection of independent policies & procedures, some of which must be custom to your office (can't be one-size-fits-all). Your policies must be reviewed and approved annually.

Generic online videos don't count because HIPAA training must be specific to your office's polices. Training topics include: breach notification, sanction policies, password management, malware basics, workstation use, and emergency operations.

Review records of information system activity, such as audit logs, to ensure patient records are being accessed in a manner consistent with your policies and procedures.

List reasonably anticipated threat-vulnerability combinations and assign risk scores based on likelihood and impact determinations. Warning: A "risk assessment" is not a risk analysis. Read More

Implement new security measures (a.k.a. safeguards) to reduce risk to reasonable and appropriate levels. "Mitigation plan" is another term often used to describe this HIPAA requirement.

Reports help prove you took reasonable steps to protect patient information. After all, "if it wasn't documented, it didn't happen."





Your Next Step

Want to Discuss Your HIPAA Checklist Results?
Let us help determine whether or not HIPAAMATE is the right fit for your office. Call (614) 706-2066 or watch a video demo of our software service.