HIPAA Compliance Checklist

This inspection form can be used by staff to check that there are no violations or breaches of HIPAA rules in the healthcare organization.

Audits And Assessments

1. Has the Security Risk Assessment been completed?


Photo Comment

2. Have the Privacy Assessment (not required for business associates) and the HITECH Subtitle D Audit been completed?


Photo Comment

3. Have the Security Standards Audit, the Asset and Device Audit, and the Physical Site Audit been completed?


Photo Comment

4. Is there adequate documentation to show that the above audits and assessments have been carried out for the past six years?


Photo Comment

5. Have all gaps uncovered in the above audits been identified?


Photo Comment

6. Have all the discovered deficiencies been documented?


Photo Comment

7. Have remediation plans been created to address deficiencies found in all six audits?


Photo Comment

8. Are the created remediation plans properly documented in writing?


Photo Comment

9. Are these remediation plans updated and reviewed annually?


Photo Comment

10. Are annually documented remediation plans retained in records for six years?


Photo Comment
Employee Training And Communications

1. Have all staff members undergone annual HIPAA training?


Photo Comment

2. Is there documented evidence to confirm that each employee has completed their annual training?


Photo Comment

3. Have all staff members received Security Awareness training?


Photo Comment

4. Is documentation available to confirm each member of the workforce has completed their security awareness training?


Photo Comment

5. Are periodic reminders provided to reinforce security awareness training?


Photo Comment

6. Have all staff members read and legally attested to the HIPAA policies and procedures? Has their legal attestation been documented?


Photo Comment
Designated Privacy Official

1. Has a staff member been designated as the HIPAA Compliance, Privacy, and/or Security Officer?


Photo Comment
Policies And Procedures

1. Has a contingency plan been developed for emergencies?


Photo Comment

2. Have policies and procedures for responding to emergency situations been developed?


Photo Comment

3. Are backups of all ePHI created to ensure an exact copy can be recovered in the event of a disaster?


Photo Comment

4. Have procedures been developed to ensure critical business processes continue when operating in emergency mode?


Photo Comment

5. Are contingency plans regularly updated and tested?


Photo Comment

6. Are policies and procedures in place for assessing whether employees’ access to ePHI is appropriate?


Photo Comment

7. Are policies and procedures in place for terminating access to ePHI when an employee leaves the organization or their role changes?


Photo Comment

8. Are policies in place for recovering all electronic devices containing ePHI when an employee leaves the organization?


Photo Comment

9. Are policies and procedures in place to ensure the secure disposal of protected health information and electronic PHI?


Photo Comment

10. Are policies and procedures in place to render physical PHI unreadable, indecipherable and incapable of being reconstructed when no longer required?


Photo Comment

11. Have policies and procedures been developed for permanently erasing ePHI on electronic devices when they are no longer required, or when the devices reach end of life?


Photo Comment

12. Are policies and procedures in place for providing patients with access to their health information?


Photo Comment

13. Are policies and procedures in place covering the HIPAA Privacy, Security and Breach Notification Rules?


Photo Comment

14. Is documentation for annual reviews of policies and procedures in place?


Photo Comment
Data Safeguards – Physical, Technical, Administrative

1. Has the encryption of ePHI been assessed using risk analysis?


Photo Comment

2. If encryption is not appropriate, have alternative and equivalent measures been implemented to ensure the confidentiality, integrity, and availability of ePHI?


Photo Comment

3. Have controls to guard against unauthorized accessing of ePHI during electronic transmission been implemented?


Photo Comment

4. Has the decision-making process covering the use of encryption been documented?


Photo Comment

5. Have identity management and access controls been implemented?


Photo Comment

6. Have unique usernames / numbers been assigned to all individuals who require access to ePHI?


Photo Comment

7. Is access to ePHI restricted to individuals who require access to perform essential work duties?


Photo Comment

8. Are users automatically logged out after a period of inactivity?


Photo Comment

9. Are ePHI access logs created and monitored?


Photo Comment

10. Are auditable ePHI access logs created for successful and unsuccessful login attempts?


Photo Comment

11. Are ePHI access logs routinely monitored to identify unauthorized accessing of ePHI?


Photo Comment

12. Are controls in place to ensure ePHI cannot be altered or destroyed in an unauthorized manner?


Photo Comment

13. Are all permitted uses and disclosures of PHI/ePHI limited to the minimum necessary information required to achieve the purpose for which the PHI/ePHI is disclosed?


Photo Comment

14. Are physical PHI and electronic devices containing ePHI stored securely until they are disposed of in a secure fashion?


Photo Comment

15. Are individuals provided with access to their health information or copies of their health information on request?


Photo Comment

16. Are copies of PHI provided in the format requested by the individual?


Photo Comment

17. Are individuals provided with copies of their health information in a timely manner and within 30 days?


Photo Comment

18. If fees are charged, are those fees reasonable and cost-based?


Photo Comment

19. Are HIPAA authorizations obtained and stored for uses and disclosures of PHI not otherwise permitted by the HIPAA Privacy Rule?


Photo Comment

20. Are authorizations written in plain language clearly explaining the specific uses and disclosures of PHI?


Photo Comment

21. Do the authorizations state the classes of people to whom PHI will be disclosed?


Photo Comment

22. Do the authorizations include an expiry date or event?


Photo Comment

23. Do the authorizations contain the individual’s signature and date of signature?


Photo Comment

24. Has a Notice of Privacy Practices (NPP) been created?


Photo Comment

25. Has a notice of privacy practices been provided to all patients?


Photo Comment

26. Has every patient acknowledged in writing that they have received the notice of privacy practices?


Photo Comment

27. Is the notice of privacy practices displayed in a prominent location on the premises and published on the organization's website?


Photo Comment

28. Have procedures been developed for handling complaints about failures to comply with the NPP?


Photo Comment
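Items 8 through 12 of this section ask whether auditable ePHI access logs exist and are routinely monitored for unauthorized access and for failed login attempts. The following Python is an added illustration, not part of the GoAudits checklist, of what "routinely monitored" can mean in practice: it parses a small batch of access-log lines and raises findings for a burst of failed logins, a successful login that immediately follows such a burst, and record views or exports by a user with no documented treatment or business relationship to the patient (the "minimum necessary" check). The log format, the sample lines and the authorization map are all constructed for this example and are assumptions about how an organization might structure its own records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The line format is
# an assumption for this example: ISO timestamp, event name, user, source IP,
# and for record events the patient record that was touched.
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN_OK user=dr.lee ip=10.0.4.21
2024-03-04T08:02:30 RECORD_VIEW user=dr.lee ip=10.0.4.21 patient=P-1001
2024-03-04T08:10:01 LOGIN_FAIL user=nurse.kim ip=198.51.100.7
2024-03-04T08:10:12 LOGIN_FAIL user=nurse.kim ip=198.51.100.7
2024-03-04T08:10:25 LOGIN_FAIL user=nurse.kim ip=198.51.100.7
2024-03-04T08:10:40 LOGIN_FAIL user=nurse.kim ip=198.51.100.7
2024-03-04T08:10:55 LOGIN_FAIL user=nurse.kim ip=198.51.100.7
2024-03-04T08:11:09 LOGIN_OK user=nurse.kim ip=198.51.100.7
2024-03-04T08:12:00 RECORD_VIEW user=nurse.kim ip=198.51.100.7 patient=P-2002
2024-03-04T09:30:00 LOGIN_OK user=billing.raj ip=10.0.4.40
2024-03-04T09:31:15 RECORD_VIEW user=billing.raj ip=10.0.4.40 patient=P-1001
2024-03-04T09:31:20 RECORD_EXPORT user=billing.raj ip=10.0.4.40 patient=P-1001
"""

# Constructed treatment/business relationships: which workforce members have a
# documented need for which patient records. Anyone else is outside the
# "minimum necessary" set for that record.
AUTHORIZED = {
    "P-1001": {"dr.lee"},
    "P-2002": {"nurse.kim"},
}

FAIL_THRESHOLD = 5                 # failures that constitute a burst
FAIL_WINDOW = timedelta(minutes=5)  # sliding window for counting failures
RECORD_EVENTS = {"RECORD_VIEW", "RECORD_EXPORT"}
LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) ip=(\S+)(?: patient=(\S+))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, ip, patient = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "ip": ip, "patient": patient}


def _trim(window, now):
    """Drop failure timestamps older than FAIL_WINDOW relative to `now`."""
    while window and now - window[0] > FAIL_WINDOW:
        window.popleft()


def analyze(log_text):
    """Return a list of findings (tuples) for the given log text."""
    findings = []
    fails = defaultdict(deque)   # (user, ip) -> recent failure timestamps
    alerted = set()              # keys already reported as brute force
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            # Unparsed lines are a finding too: gaps in the audit trail
            # matter as much as what the trail shows.
            findings.append(("UNPARSED", raw))
            continue
        key = (rec["user"], rec["ip"])
        window = fails[key]
        _trim(window, rec["ts"])
        if rec["event"] == "LOGIN_FAIL":
            window.append(rec["ts"])
            if len(window) >= FAIL_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(("BRUTE_FORCE", rec["user"], rec["ip"]))
        elif rec["event"] == "LOGIN_OK":
            # A success right after a burst of failures is a compromise
            # indicator, not a resolved problem.
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("SUSPICIOUS_LOGIN", rec["user"], rec["ip"]))
        elif rec["event"] in RECORD_EVENTS:
            allowed = AUTHORIZED.get(rec["patient"], set())
            if rec["user"] not in allowed:
                findings.append(("UNAUTHORIZED_ACCESS", rec["user"],
                                 rec["patient"], rec["event"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script reports the five-failure burst for nurse.kim, the successful login that follows it, and two findings for billing.raj touching a record outside that user's authorized set. Real deployments would feed this from the EHR's audit log rather than an inline string and would page a reviewer on each finding, but the logic is what an auditor means when asking whether logs are "monitored" rather than merely "created".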
Business Associates

1. Have all vendors and business associates been identified?


Photo Comment

2. Are Business Associate Agreements (BAAs) in place with all business associates?


Photo Comment

3. Has the HIPAA compliance of all business associates been assessed?


Photo Comment

4. Are Business Associate Agreements tracked and reviewed annually?


Photo Comment

5. Are Confidentiality Agreements with non-business associate vendors in place?


Photo Comment
Breach Notification Process

1. Is there a defined process for security incidents and data breaches?


Photo Comment

2. Are the investigations of all incidents tracked and managed?


Photo Comment

3. Are all breaches and incidents reported, whether minor or significant?


Photo Comment

4. Do staff members have the ability to anonymously report a privacy/security incident or potential HIPAA violation?


Photo Comment


Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
