Use this checklist to make sure you have complied with all the new and modified requirements in the HIPAA final rule:
Notice of privacy practices
- Addresses breach notification rules
- Discusses uses for which authorization is required
- Advises patients they can request nondisclosure to health plan if they pay out-of-pocket
- Addresses sale of PHI
- Advises patients they can opt out of fundraising related disclosure
- Explains right to notice of breach of unsecured PHI
- Amended NPP posted on website
- Amended NPP is posted in delivery site in “clear and prominent” location [or summary is so posted with full NPP available without request]
- Copies of NPP are available in office to provide patients requesting same
Business associate agreements
- BAAs are entered into with all patient safety organizations and entities involved with patient safety, health information organizations (e-prescribing gateways or health information exchanges that transmit and maintain PHI), and personal health record vendors
- Require assurances that BAs will comply with HIPAA security rule and safeguard PHI
- Mandate that BAs report any security incident and breaches of unsecured PHI
- Require BAs to have breach notification policies and procedures
- Require BAs obligate subcontractors to comply with HIPAA and report any security incidents or breaches of unsecured PHI
- Require BAs to coordinate with your practice on provision of breach notification
- All agreements needing amendment prior to September 23, 2013 were amended
- Any agreements not required to be amended prior to September 23, 2013 are identified for modification before September 22, 2014
Security
- Review security measures to ensure continuous protection of PHI
- Check policies and procedures to be sure security efforts are documented
Breach notification
- Check breach notification procedures to ensure they require risk analysis for any breach using four factors required
- Ensure BA agreements require BAs to have breach notification policies and procedures
- Ensure your BA agreements require BAs to coordinate with your practice on provision of breach notification
- Policy and procedure for flagging information patients request not be disclosed to their health plan (ensure information is segregated and tracked so can be sure it is never reported inadvertently)
Marketing policies/procedures
- Ensure policies/procedures require patient consent before marketing information is provided to patients unless conditions are satisfied (face-to-face, no compensation received by physician, etc.)
Access/copies
- Do you have procedures for providing requestors access to their PHI, and for providing in the form required/requested
- Procedures require access/requested copies within 30 days
- Procedures require requested PHI be provided in format requested if readily reproducible in that format; hard copies only permissible if requestor rejects all readily reproducible formats
- Procedures prohibit email communication of PHI unless requestor is warned of risk of email security and still requests disclosure via email
- Procedures clarify permissible charges include labor, supply costs (to extent permitted by state law) and affidavit of completeness
Permitted disclosures
- Do policies and procedures address disclosure of childhood immunizations to schools
- Have procedures regarding sharing information with deceased patients been updated to clarify disclosures can be made to family/friend of deceased regarding PHI related to the death
- Do disclosure policies indicate PHI may be disclosed 50 years after patient’s death
