HIPAA Compliance Checklist

Using a HIPAA compliance checklist.

Most healthcare practices and business associates still do not consistently manage a genuine HIPAA program. For this reason, we created a simple HIPAA Security Rule compliance checklist to quickly determine whether or not your office is on the right track.

The checklist takes only a couple of minutes to complete, and your responses are NOT transmitted anywhere. So answer honestly: you have nothing to lose and only knowledge to gain.

The HIPAA Checklist

Instructions: Review the list of 12 fundamental HIPAA Security Rule compliance requirements and check only those items that you actively manage. To actively manage a HIPAA requirement, you must keep the information up to date and/or perform the task at least once per year (annual requirements are indicated by an asterisk*). Your checklist score is shown at the end along with a recommended next step. Good luck!

For in-depth instructions, please consider watching the HIPAA Checklist - What's Your Grade? recorded webinar.

Designate a security officer. No expert is needed; however, this person should have access to an expert, or be technology savvy and well versed in HIPAA requirements themselves.

Document the level of information access each job role requires to complete assigned job activities.

Keep a history of physical changes, upgrades, repairs, and other modifications to the facility where ePHI is kept.

Know each person's level of ePHI access, mobile device usage, remote access authorization, inventory assignment, signed agreements, and training history.

List every device (computer, smartphone, printer, etc.) on which patient information is stored or through which it passes. Know what safeguards are in place to protect each inventory item.

Keep a list of, and obtain signed Business Associate Agreements from, those who perform a service on your behalf involving the use of protected health information.

Maintain a collection of independent policies and procedures, some of which must be customized to your office (they cannot be one-size-fits-all). Your policies must be reviewed and approved annually.

Generic online videos don't count, because HIPAA training must be specific to your office's policies. Training topics include: breach notification, sanction policies, password management, malware basics, workstation use, and emergency operations.

Review records of information system activity, such as audit logs, to ensure patient records are being accessed in a manner consistent with your policies and procedures. The comparison only works if the access each job role is permitted has been documented first; that documentation is what turns a log into evidence.
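The following script shows what "reviewing audit logs against your policies" looks like in practice, tying together the documented per-role access levels from the earlier checklist item with the log review described here. It is an added example written for this page, not software from the checklist's author. The log line format, the role-to-action matrix, the workforce roster, the business-hours window and the log lines themselves are all constructed assumptions for the illustration; a real review would read the export format of your own EHR and the access documentation you actually maintain.

```python
"""Audit-log review against a documented role-access matrix.

Added example; not part of the checklist page. The log format, role matrix,
workforce roster and business-hours window are assumptions chosen for the
illustration, and the log lines are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed "minimum necessary" access matrix: the actions each job role may
# perform on ePHI. This stands in for the per-role access documentation the
# checklist asks for; the roles and action names are hypothetical.
ROLE_ACCESS = {
    "physician": {"view_chart", "update_chart", "view_billing"},
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics"},
}

# Assumed workforce roster: user ID -> job role.
WORKFORCE = {
    "jsmith": "physician",
    "rjones": "nurse",
    "mlee": "billing",
    "tnguyen": "front_desk",
}

# Assumed policy: routine record access happens between 07:00 and 19:00.
BUSINESS_HOURS = (7, 19)

# Constructed sample audit log: "<ISO timestamp> <user> <action> <patient id>".
SAMPLE_LOG = """\
2024-03-04T08:15:00 jsmith view_chart P1001
2024-03-04T08:20:00 mlee view_billing P1001
2024-03-04T09:05:00 tnguyen view_demographics P1002
2024-03-04T09:07:00 tnguyen view_chart P1002
2024-03-04T02:15:00 rjones view_chart P1003
2024-03-04T10:00:00 ghost update_chart P1004
"""


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    reason: str


def parse_entry(line):
    """Split one log line into (timestamp, user, action, patient)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def review_log(log_text, role_access=ROLE_ACCESS, workforce=WORKFORCE,
               business_hours=BUSINESS_HOURS):
    """Return the log entries that are inconsistent with the documented policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = parse_entry(line)
        role = workforce.get(user)
        if role is None:
            # An ID with no roster entry: an orphaned, shared or forgotten account.
            findings.append(Finding(user, patient, "unknown_user"))
            continue
        if action not in role_access[role]:
            # The role's documented access level does not cover this action.
            findings.append(Finding(user, patient, f"role_violation:{role}:{action}"))
        start, end = business_hours
        if not start <= ts.hour < end:
            # Not necessarily wrong, but outside policy and worth a documented reason.
            findings.append(Finding(user, patient, "after_hours"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.user:10} {f.patient:6} {f.reason}")
```

On the constructed log this flags three entries: a front-desk user opening a chart their role is not documented to access, a nurse reading a chart at 02:15, and an account that is not on the roster at all. Each finding is the kind of item that should be recorded, investigated and closed in writing, since the review itself is only evidence if it is documented.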

List reasonably anticipated threat-vulnerability combinations and assign each a risk score based on likelihood and impact determinations. Warning: a "risk assessment" is not a risk analysis; the Security Rule requires the latter.

Implement new security measures (a.k.a. safeguards) to reduce risk to reasonable and appropriate levels. "Mitigation plan" is another term often used to describe this HIPAA requirement.

Reports help prove you took reasonable steps to protect patient information. After all, "if it wasn't documented, it didn't happen."

Your Next Step

Want to see an easy way to manage compliance?
Register to watch our software demo and see how quickly all the checklist items can be met.