Workflow Templates: Health Insurance Portability and Accountability Act (HIPAA) Compliance Checklist

Risk Analysis and Management

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Develop, document, and implement a risk management plan that addresses the identified risks and vulnerabilities.

Policies and Procedures

Develop and implement privacy and security policies and procedures compliant with the HIPAA Privacy and Security Rules.

Regularly review and update policies and procedures to reflect changes in the law, organizational operations, or newly identified risks.

Ensure that all employees have access to these policies and procedures, and understand their roles and responsibilities.

Training and Awareness

Provide training to all workforce members regarding the organization’s HIPAA policies and procedures.

Offer additional job-specific training to employees who handle ePHI.

Conduct regular awareness campaigns to reinforce the importance of HIPAA compliance and update staff on new developments.

Business Associate Agreements

Identify all business associates and ensure that appropriate agreements are in place.

Review and update business associate agreements to comply with the Omnibus Rule requirements.

Ensure that business associates are aware of their responsibilities related to the protection of ePHI.

Incident Response and Reporting

Develop and implement an incident response plan that outlines procedures for responding to a breach of ePHI.

Identify and report breaches as required by the Breach Notification Rule.

Regularly test and revise the incident response plan.

Technical Safeguards

Implement access control measures to limit access to ePHI to only those individuals who need it to perform their job functions.

Ensure the integrity of ePHI by implementing electronic mechanisms to corroborate that ePHI has not been altered or destroyed.

Implement transmission security to protect against unauthorized access to ePHI that is being transmitted over an electronic network.

Physical Safeguards

Limit physical access to facilities where ePHI is housed, while ensuring authorized access is allowed.

Implement policies for the proper use and disposal of workstations and electronic media containing ePHI.

Ensure that workstation use policies and procedures are in place and that workstations are secure from unauthorized access.

Documentation and Record Keeping

Maintain required documentation of HIPAA compliance efforts, including but not limited to risk analyses, policy and procedure documents, and training materials.

Retain required documents for at least six years from the date of creation or the date when it last was in effect, whichever is later.

Review and update documentation periodically, and retain records of security incidents and their outcomes.