Article from RTCPA E-News
April 12, 2003
Are You In HIPAA Compliance? - A Checklist

ADMINISTRATIVE REQUIREMENTS

Has your practice created a HIPAA compliant Notice of Privacy Practices as well as policies and procedures for its distribution and modification?
NO ____ YES ____ 

Has your organization designated a Privacy Official and have you documented the duties of the Privacy Official in a policy and job description?
NO ____ YES ____ 

Have you assigned the responsibility for maintaining the security of information systems that contain Protected Health Information to an individual or an organization?
NO ____ YES ____ 

Does your organization have a policy and procedure that describes how you modify existing privacy policies and procedures, and how you add new policies and procedures, so you can accommodate changes in the law, or changes you make in your privacy practices?
NO ____ YES ____ 

Do you have a documented policy and procedure for the Security Management Process that defines your practice's commitment and intent to support the necessary security measures to protect the privacy and confidentiality of Protected Health Information?
NO ____ YES ____ 

Do you require all members of your workforce to sign a Confidentiality Agreement?
NO ____ YES ____ 

Does your organization have sanction policies and procedures explaining the consequences for violations of the HIPAA Privacy and Security Rule standards as well as other applicable laws or rules governing the protection of patient privacy and the confidentiality of a patient's Protected Health Information?
NO ____ YES ____ 

Do you have policies and procedures that address mitigation of harm due to violations of an individual's privacy on the part of your workforce or business associates?
NO ____ YES ____ 

Do you provide and document HIPAA Privacy training for all members of your workforce?
NO ____ YES ____ 

Do you provide HIPAA security training for all members of your workforce, including vendors, consultants and volunteers, and do you maintain adequate records of the training you provide to the members of your workforce?
NO ____ YES ____

Do you have a formal, documented process for receiving, acting on and documenting complaints about your privacy practices?
NO ____ YES ____

CONTACTS AND AGREEMENTS

Have you identified all persons or entities with whom you have a Business Associate relationship as defined by HIPAA?
NO ____ YES ____

Do you have written contracts with all Business Associates that meet the requirements as specified in the Privacy Rule?
NO ____ YES ____

Have you identified all persons or entities with which you electronically exchange Protected Health Information and entered into a Chain of Trust Agreement?
NO ____ YES ____

Has your practice entered into Trading Partner Agreements with those entities with which you exchange information in electronic transactions?
NO ____ YES ____

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

Do you have policies and procedures that meet the requirements of the HIPAA Privacy Rule for the use and disclosure of Protected Health Information for treatment, payment or health care operations?
NO ____ YES ____

Do you have policies and procedures and the appropriate form for obtaining individual authorization for the use or disclosure of Protected Health Information that meet all the HIPAA Privacy Rule requirements?
NO ____ YES ____

Do you have a policy and procedure requiring members of your workforce to obtain an authorization from the individual prior to the use or disclosure of the individual's Psychotherapy Notes?
NO ____ YES ____

Do you have a policy and procedure for the use and disclosure of Protected Health Information in situations that require neither the individual's authorization nor an opportunity for the individual to agree or object?
NO ____ YES ____

Do you have a policy and procedure requiring verification of identity and authority of individuals and entities requesting disclosures of Protected Health Information?
NO ____ YES ____

Does your organization have a policy and procedure relative to disclosures of Protected Health Information that do not require authorization but which do require an opportunity for the individual to agree or to object?
NO ____ YES ____

Do you admit patients who stay overnight in your facility and list their names in a facility directory?
NO ____ YES ____

Do you have a policy and procedure for facility directory practices?
NO ____ YES ____

Do you have a policy and procedure that addresses the HIPAA requirements regarding personal representatives and deceased individuals?
NO ____ YES ____

Do you have a policy and procedure for limiting the uses and disclosures of Protected Health Information to the minimum necessary information required to accomplish the purpose of the use or disclosure?
NO ____ YES ____

Do you have a policy and procedure describing the processes to be used for the de-identification of Protected Health Information?
NO ____ YES ____

Does your practice have a policy and procedure for using or disclosing Protected Health Information for research purposes?
NO ____ YES ____

If you conduct marketing, do you have a policy and procedure for using a patient's Protected Health Information for marketing purposes that conforms to the HIPAA Privacy Rule requirements for marketing?
NO ____ YES ____

Do you have HIPAA-compliant policies and procedures informing your staff of the processes to be followed for using your patients' Protected Health Information for fundraising on your own behalf?
NO ____ YES ____


Published by Reed Tinsley CPA
Copyright © 2010 Reed Tinsley CPA. All rights reserved.