HIPAA Compliance Checklist for Covered Entities

Modified on Wed, 14 Jun, 2023 at 12:16 PM

Documentation 

  1. Risk assessments need to be completed annually, and all identified gaps must be remediated. 
    1. Review your policies and procedures every year for business or legal changes. 

  2. Make sure all releases of information about patients that are not for TPO (Treatment, Payment, or Operations) have valid authorization forms signed by the patient and are stored in the EHR for easy access (in the event a patient requests an Accounting of Disclosures). 

  3. Document that all audit logs have been reviewed in the current year and gaps have been remediated. 

  4. Keep track of visitors to your physical site. 

  5. Keep track of storage devices (Hard Drives, USB Flash Drives) that have been properly destroyed. 

  6. Log all virus and malware attacks in The Guard’s Incident Manager. 

  7. Confirm any new business associates or subcontractors have completed their technical audit and that you have a signed BAA. 


Security 

  1. Send quarterly security and procedure reminders to staff. 

  2. Log out when leaving a workstation, turn on the alarm when leaving the site, etc. 

  3. Update passwords to a minimum of eight (8) characters in length, using a special character and a capital letter. 
    1. Restrict sequential or repetitive characters, context-specific passwords, and commonly used passwords (e.g. 12345, aaaaaa, the name of the site, p@ssw0rd, and dictionary words).

    2. Make sure you are not sharing passwords. 
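As an added illustration (not part of the original checklist), the following Python checker enforces the password rules in item 3 above. The common-password and dictionary word lists are constructed samples, and context terms such as the site name are supplied by the caller.

```python
import re

MIN_LENGTH = 8
# Constructed sample lists; a real deployment would load full common-password and dictionary lists.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "welcome", "hospital", "patient"}
# Undo common character substitutions so "p@ssw0rd" is recognised as "password".
LEET = str.maketrans("@0$3!", "aosei")


def has_sequential_run(pw, run=3):
    """True if `run` consecutive characters ascend or descend by one (abc, 123, cba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw, run=3):
    """True if any character appears `run` or more times in a row (aaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_any(variants, terms):
    """True if any term occurs inside any spelling variant of the password."""
    return any(t in v for v in variants for t in terms)


def check_password(pw, context_terms=()):
    """Return the list of policy violations; an empty list means the password passes.
    context_terms: site/organisation names that must not appear (the 'context specific' rule)."""
    problems = []
    # Compare both the raw lowercase password and its de-leeted form against word lists.
    variants = {pw.lower(), pw.lower().translate(LEET)}
    context = [t.lower().replace(" ", "") for t in context_terms]
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. 123, abc)")
    if has_repeated_run(pw):
        problems.append("contains a repeated character run (e.g. aaa)")
    if contains_any({v.replace(" ", "") for v in variants}, context):
        problems.append("contains a site- or organisation-specific term")
    if variants & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if contains_any(variants, DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems
```

Run `check_password(candidate, context_terms=("Mercy Clinic",))` at password-change time and reject the candidate whenever the returned list is non-empty.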

  4. Make sure you have encrypted email or a policy that no emails containing ePHI are to be sent. 

  5. Restrict admin rights to any PHI software. 

  6. Make sure your staff understands that breaches occur. If a breach occurs, please report it to the Privacy or Security Officer for resolution. 


Training 

  1. Make sure all employees (new and existing) have completed their new-hire or yearly HIPAA training. 

  2. Make sure that if a patient pays out of pocket and does not want information about that procedure sent to their insurance company, it does not appear on the form sent in any manner (including a charge of even $0). 

  3. Make sure you never release psychotherapy notes, unless by subpoena.
