Review Your HIPAA Compliance

Please answer Yes or No to each of these questions


    1. Have you conducted the following Audits/Assessments? (NIST Guidelines)
    1.(a) Security Risk Assessment (Yes/No)
    1.(b) Privacy Assessment (Yes/No)
    1.(c) Administrative Assessment (Yes/No)

    2. Have you identified all deficiencies discovered during the audits?
    2.(a) Have you documented all deficiencies? (Yes/No)

    3. Have you created remediation plans to address deficiencies for the following?
    3.(a) Security Risk Assessment (Yes/No)
    3.(b) Privacy Assessment (Yes/No)
    3.(c) Administrative Assessment (Yes/No)

    4. Do you have Policies and Procedures relevant to the HIPAA Privacy, Security, and Breach Notification Rules?
    4.(a) Have all staff members read and attested to the Policies and Procedures? (Yes/No)
    4.(b) Do you have documentation of their attestation? (Yes/No)
    4.(c) Do you have documentation for annual reviews of your Policies and Procedures? (Yes/No)

    5. Have all staff members undergone basic HIPAA training?
    5.(a) If yes, how? (Yes/No)
    5.(b) If no, ask why it’s no! (Yes/No)
    5.(c) Do you have documentation of their training? (Yes/No)
    5.(d) Is there a staff member designated as the HIPAA Compliance, Privacy, and/or Security Officer? (Yes/No)

    6. Have you identified all Business Associates? (See Definitions below)
    6.(a) Business Associate Agreement (“BAA”) to Business Associate (“BA”) (Yes/No)
    6.(b) Business Associate Agreement (“BAA”) to Covered Entity (“CE”) (Yes/No)
    6.(c) Do you have Business Associate Agreements in place with all Business Associates? (Yes/No)
    6.(c)(i) Have you confirmed your Business Associates are HIPAA compliant? (Yes/No)
    6.(c)(ii) Do you have reporting to prove your due diligence? (Yes/No)

    7. Do you have a management process in the event of incidents or breaches?
    7.(a) Can you track and manage the investigations of all incidents? (Yes/No)
    7.(b) Can you show that you have investigated each incident? (Yes/No)

    8. Are you able to provide reporting of minor or meaningful breaches or incidents?
    8.(a) Can your staff members anonymously report an incident? (Yes/No)



    What Is a “Business Associate”?


    A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, and the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, and other functions or activities regulated by the Administrative Simplification Rules.

    Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

    A Covered Entity is one of the following: a Health Care Provider, a Health Plan, or a Health Care Clearinghouse.

    A Health Care Provider
    This includes providers such as:
    • Doctors
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing Homes
    • Pharmacies
    …but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

    A Health Plan
    This includes:
    • Health insurance companies
    • HMOs
    • Company health plans
    • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs.

    A Health Care Clearinghouse
    This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.