How To Prepare For Compliance - HIPAA Associates


How to Prepare for Compliance: A HIPAA Compliance Checklist

Get the Help You Need

The Office for Civil Rights expects all organizations (covered entities and business associates) that manage protected health information to have a viable, functioning compliance plan with policies and procedures in place. Are you prepared? Have you recently reviewed your plan? If you are unsure, this is a good place to start.

Thank you for using our HIPAA Compliance Checklist. Preparing your organization for HIPAA compliance can be a very stressful and daunting process if you are not armed with all of the correct information. Our checklist will give you the important steps you need to complete this task. We have extensive experience with HIPAA programs and have assisted multiple organizations in developing plans geared for their own institutions.

Walk through the steps on the checklist provided to begin a successful implementation of this important task. If at any time you feel overwhelmed, we are available to assist you and your organization with your HIPAA compliance needs. Don't hesitate to give us a call.

We are here to help you,
Mary & Al Lopez

Page 2
HIPAA ASSOCIATES hipaasupport@hipaa-associates.org hipaa-associates.org

Where to Find Us

hipaa-associates.org
LinkedIn: hipaa-associates

Legal

All text, images, logos, and content contained in this document are © 2021 HIPAA ASSOCIATES. No part of this document may be reproduced or redistributed in any way, either online or in print, without prior written consent.

Information and services provided on this site are for general informational and educational purposes and do not constitute legal advice. The use of either does not establish an attorney-client relationship. For legal advice consult with a competent attorney.

Table of Contents

Important Numbers 5
Checklist of Necessary Steps 6
What is Important 7
Implementing Written Policies 8
Designating a Compliance Officer 9
Conducting Effective Training 12
Developing Effective Lines of Communication 14
Conducting Internal Monitoring and Auditing 15
Enforcing Standards of Conduct 17
Responding Promptly to Detected Offenses 18
Getting Started 19
Helpful Contacts 21

Important Contacts

Office for Civil Rights
800.368.1019
ocrprivacy@hhs.gov
hhs.gov

HIPAA Associates
hipaa-associates.org

To Do List

Review the compliance checklist to draft or refresh your plan. This was written by the Office of Inspector General for billing compliance purposes; however, the principles are sound and apply to HIPAA compliance too. The words printed in red in the checklist below are additions to adapt the list for HIPAA.

HIPAA Compliance Checklist

1. Implementing written privacy and security policies, procedures and standards of conduct
2. Designating a privacy and security compliance officer, and if desired a HIPAA compliance committee
3. Conducting effective HIPAA privacy training and security awareness education
4. Developing effective lines of communication to the privacy and security officer
5. Conducting internal monitoring and auditing periodically to assess program effectiveness
6. Enforcing standards of conduct through well-publicized disciplinary sanctions and guidelines
7. Responding promptly to complaints, investigations and detected offenses, and undertaking efforts to mitigate damage to patients and implement corrective actions

What is Important

The intention of HIPAA compliance is to effectively safeguard protected health information (PHI) and give patients rights over their PHI. The seven elements of a compliance program are a good framework for organizations to use to address HIPAA Privacy Rule requirements and Security Rule standards.

Seven Steps

1. Implementing written policies, procedures and standards of conduct

Policies and procedures establish the rules and processes that help workforce members carry out their roles in a manner that ensures compliance with the Privacy and Security Rules (HIPAA Rules). An organization must create the policies and procedures necessary to implement the requirements of the HIPAA Rules. In a well-crafted program it is necessary to create privacy policies covering patient rights and the uses and disclosures of PHI, and security policies addressing the administrative, physical and technical safeguards for PHI. It is important that your HIPAA compliance team deal with all aspects of the plan. We are available to help craft these policies.

Key Points:
1. Privacy policies and procedures
2. Security policies and procedures

Seven Steps

2. Designating a compliance officer and security officer

The privacy officer is responsible for establishing and updating policies and procedures to protect all forms of PHI, whether electronic, paper or verbal. Additionally, the privacy officer will investigate and respond to complaints and to Office for Civil Rights (OCR) letters or investigations, manage breach responsibilities, and oversee the day-to-day operation and monitoring of the program. The privacy officer may work with other key members of the organization such as compliance, legal, information technology, and human resources. Further, the privacy officer is responsible for the education and training of all workforce members on the HIPAA Privacy Rule and for retaining documentation on HIPAA matters.

The security officer ensures that safeguards are in place for the organization to protect the confidentiality, integrity and availability of electronic PHI (ePHI). In addition, the security officer will assist the organization in performing a security risk analysis and updating it on a regular basis.

Besides those duties, the security officer will draft or oversee the creation of security policies and procedures to comply with the security standards. Finally, the security officer is responsible for security awareness training and for providing periodic security updates to the workforce.

Key Points:
1. Designate a privacy officer and a security officer
2. Create a HIPAA compliance committee from key members of the entity

Seven Steps

3. Conducting effective training and education

It is a requirement that all workforce members receive training on the privacy policies and procedures that affect their job duties, as well as security awareness training. Workforce members are employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

A good training program will cover all of the key features of HIPAA to ensure workforce members are comfortable working with PHI. The training will discuss the patient's rights under HIPAA, your organization's responsibilities, and the permissible uses and disclosures of PHI.

We have trained thousands of employees, and using our experience have created a practical online training program for teams and individuals who need HIPAA training.

Key Points:
1. Create or obtain HIPAA privacy and security training for your organization
2. Arrange for annual reviews of HIPAA and your plan

Contact us for your HIPAA Training

Seven Steps

4. Developing effective lines of communication

Workforce members must have avenues available to them for reporting concerns internally. An organization should have multiple ways to report, such as the ability to send concerns or complaints to the privacy officer and also an anonymous method for complaints, such as a toll-free hotline. Organizations must take all reports seriously, conduct a thorough investigation, and provide follow-up and resolution for each report. This is a very important way to deal with concerns within the organization. We have seen multiple situations where there was not an effective internal reporting system in place and the lack of options led to complaints being filed directly with the OCR. This creates a situation that may be preventable.

Key Points:
1. Assure the privacy officer is available to all employees for complaints
2. Establish a hotline or other method for anonymous complaints

Seven Steps

5. Conducting internal monitoring and auditing

A well-functioning program will have an ongoing process in place to assess and detect areas of non-compliance. Additionally, the program should monitor privacy compliance to identify and correct potential privacy issues. An internal review or audit is an important part of monitoring a privacy compliance program.

Internal staff or an external contractor should conduct an audit of the compliance program on a regular basis. The findings should be made available to the privacy and security officers and to others as determined by the organization.

The OCR has an audit program in place to audit the activities of covered entities and business associates in support of its other enforcement tools. It aims to proactively uncover risks and vulnerabilities to PHI and provide guidance to covered entities. It is recommended that your organization perform an internal audit and review of your program to deal with any issues before you are faced with an OCR audit.

Key Points:
1. Perform a regular audit of your privacy program
2. Report all audit findings to the privacy and security officers and to senior management of your organization

Seven Steps

6. Enforcing standards of conduct through well-publicized disciplinary guidelines

It is important that an organization has privacy and security policies available to members of the workforce. These must outline the organization's responsibilities, policies, and procedures for protecting PHI.

A sanctions or disciplinary action policy should clearly state the implications and penalties of violating the HIPAA policies. In the event of an OCR investigation, or when you report a breach, you will be asked by the OCR what disciplinary actions have been taken. The types of disciplinary action might be re-education, termination of the employee, or fines, depending on the type of violation.

Key Points:
1. Establish standards early and make sure your employees are made aware of them

Seven Steps

7. Responding promptly to concerns, complaints, and breaches and undertaking corrective action

It is imperative for an organization to ensure timely and effective remedial action for offenses and mitigation for the affected party. Lack of a response may create additional exposure for the organization. In addition, every time there is a breach or an incident, it is mandatory that the privacy officer investigate, mitigate, offer a corrective plan, and provide notice according to regulatory guidelines, so as to prevent future issues.

Key Points:
1. Maintain a record of all disciplinary and mitigation actions for offenses
2. Review disciplinary guidelines annually

What Is Your Next Step?

We are health professionals who understand HIPAA inside and out. In today's health care climate, occurrences of HIPAA violations appear to be on the rise. It is no longer a question of if, but when, your organization will have a violation that results in significant penalties. We understand this can be a stressful occurrence in any organization.

Most important, an organization must follow all necessary steps to create a functioning HIPAA Compliance Plan.

Why we can help you.

We have years of experience as privacy officers and with HIPAA issues. We have assisted many organizations, large and small, with the creation of their HIPAA Compliance Plans. We have the experience to know how best to create your plan and to assist in making sure it works to protect you in the future. We provide personal assistance to ensure your needs are met.

Mary is a former nurse and an attorney. Al is a pulmonary critical care specialist, anesthesiologist, and medical coding specialist. They both have years of experience as HIPAA privacy and compliance officers, and with HIPAA operational issues. They are certified in healthcare compliance and privacy.

We encourage you to contact us to assist with this important process. We can help your organization stay out of harm's way.

Contact Us Now

Helpful Contacts:

HIPAA Associates: hipaasupport@hipaa-associates.org
Office of Inspector General: https://oig.hhs.gov/compliance
