Documentation
- Complete a Risk Assessment annually and document that all identified gaps have been remediated.
- Review your policy and procedures every year for business or legal changes.
- Make sure every release of patient information that is not for TPO (Treatment, Payment, or Operations) has a valid authorization form signed by the patient, stored in the EHR for easy access (in case a patient requests an Accounting of Disclosures).
- Document that all audit logs have been reviewed in the current year and gaps have been remediated.
- Keep track of visitors to your physical site.
- Keep track of storage devices (Hard Drives, USB Flash Drives) that have been properly destroyed.
- Log all virus and malware attacks in The Guard’s Incident Manager.
- Confirm any new business associates or subcontractors have completed their technical audit and that you have a signed BAA.
Security
- Send quarterly security and procedure reminders to staff.
- For example: log out when leaving a workstation, turn on the alarm when leaving the site, etc.
- Update passwords to a minimum of eight (8) characters in length, including at least one special character and one capital letter.
- Restrict sequential or repetitive characters, context-specific passwords, and commonly used passwords (e.g. 12345, aaaaaa, the name of the site, p@ssw0rd, and dictionary words).
- Make sure you are not sharing passwords.
- Make sure you have encrypted email or a policy that no emails containing ePHI are to be sent.
- Restrict admin rights to any PHI software.
- Make sure your staff understands that breaches occur. If a breach occurs, please report it to the Privacy or Security Officer for resolution.
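The password items above (minimum length, a special character and a capital letter, and no sequential, repetitive, context-specific or commonly used passwords) can be enforced at account creation rather than left to staff reminders. The following checker is an added example written for this article, not code from The Guard or the article's author. The site name, the small common-password and dictionary lists, the run length of three characters, and the leet-speak substitutions are constructed assumptions; a real deployment would load a full breached-password and dictionary list.

```python
import re
import string

# Constructed example values (assumptions, not from the article).
SITE_NAME = "Example Clinic"
COMMON_PASSWORDS = {"12345", "123456", "password", "p@ssw0rd", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"summer", "winter", "monkey", "dragon", "medical", "clinic"}

MIN_LENGTH = 8   # article: minimum eight characters
RUN_LENGTH = 3   # assumption: three or more sequential/repeated characters is rejected

# Common substitutions so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@0134$5!", "aoleassi")


def _canonical(pw: str) -> str:
    """Lowercase and undo leet substitutions for denylist comparison."""
    return pw.lower().translate(LEET)


# Keep both the raw lowercase and the canonical form of each denied word,
# so digit-only entries such as "12345" are not mangled by the leet map.
DENYLIST = set()
for _word in COMMON_PASSWORDS | DICTIONARY_WORDS:
    DENYLIST.add(_word.lower())
    DENYLIST.add(_canonical(_word))


def has_repeated_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if any character appears n or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if n consecutive characters step by exactly +1 or -1 ("1234", "dcba")."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_context_specific(pw: str, site_name: str = SITE_NAME) -> bool:
    """True if any word (3+ letters) of the site name appears in the password."""
    forms = (pw.lower(), _canonical(pw))
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", site_name)]
    return any(w in form for w in words for form in forms)


def is_common(pw: str) -> bool:
    """True if the password, with or without trailing digits, is on the denylist."""
    candidates = {pw.lower(), _canonical(pw)}
    candidates |= {c.rstrip(string.digits) for c in candidates}  # "password2024" -> "password"
    return any(c in DENYLIST for c in candidates)


def check_password(pw: str, site_name: str = SITE_NAME) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_sequential_run(pw):
        problems.append("sequential characters")
    if is_context_specific(pw, site_name):
        problems.append("contains the site name")
    if is_common(pw):
        problems.append("common or dictionary password")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "ExampleClinic1!", "aaaa1234", "Blue-Kettle9Q"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that a password can satisfy the length and character-class rules and still fail: "P@ssw0rd" meets all three composition requirements but is rejected because it canonicalises to "password", which is why the denylist check is applied after the composition checks rather than instead of them.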
Training
- Make sure all employees (new and existing) have completed their new-hire or yearly HIPAA training.
- If a patient pays out of pocket and does not want information about that procedure sent to their insurance company, make sure it does not appear in any form on anything sent to the insurer (not even as a charge of $0).
- Make sure you never release psychotherapy notes, unless by subpoena.