The following areas have been identified by the HHS Office for Civil Rights as essential elements
of an effective HIPAA compliance program.
Have you conducted the following audits/assessments within the last 12 months?
Cyber Security Risk Assessment (i.e., HITECH)
Privacy Assessment
Administrative Assessment
Physical Site Audit
Have you documented all program gaps identified in the above audits/assessments?
Have you created and documented a work plan to address any deficiencies?
Do you review and update these remediation plans quarterly and annually?
Do you report gaps to the compliance committee and governing body?
Do you have Policies and Procedures relevant to the annual HIPAA Privacy, Security, and Breach Notification Rules?
Have all staff members read and legally attested to the Policies and Procedures?
Do you have documentation of their legal attestation?
Do you have documentation for annual reviews of your Policies and Procedures (i.e., disciplinary policies for non-adherence)?
Does your staff understand how to support/reinforce a culture of compliance in accordance with your Policies and Procedures?
Do you train all staff members on HIPAA rules and requirements annually and upon onboarding?
Do you have documentation of their training (i.e., competency demonstration)?
Have you designated a staff member as the HIPAA Compliance, Privacy, and/or Security Officer?
Have you created a Compliance Committee that is adequately represented by various department leaders?
Do the vendors with whom you share PHI maintain a culture of compliance?
Have you identified all vendors with whom you share PHI (Business Associates)?
Are your Business Associate Agreements listed in an OCR audit-ready format?
Have you performed due diligence on your Business Associates to ensure HIPAA compliance?
Do you annually review your Business Associate Agreements?
Do you have confidentiality agreements with vendors who do not meet the standard of Business Associate (i.e., named insured on BAAs' cyber policies)?
Do you have the ability to track and manage the investigations of all incidents?
Have you created reports to prove due diligence?
Do you have a process for reporting minor or meaningful breaches or incidents?
Do you have an anonymous hotline for staff members to report an incident?
Do you have policies/processes for breach notifications to HHS?
Email us to set up a time to speak to one of our compliance and risk experts who will run through each aspect of the checklist with you and answer any questions you have.
President, SCALE Compliance & Risk Management