HIPAA Privacy Rule

Use this checklist to ensure that your organization complies with the HIPAA Privacy Rule. The HIPAA Privacy Rule establishes standards to protect individual medical records and other personal health information.

Use And Disclosure: General Rules

1. Consent is implied for treatment, payment and health care operations; no written authorization is required except for psychotherapy notes. 164.506


2. Authorizations are required for all other uses or disclosures (including uses or disclosures of psychotherapy notes). For most marketing activities, the sale of protected health information, etc., a valid authorization must be obtained. 164.508


3. Providing notice and an opportunity for the patient to agree or object is sufficient for certain disclosures (including disclosures to family members or others involved in the patient’s care), for facility directories, and for notification in emergency situations. 164.510


4. Certain disclosures, such as those required by law; to avert a serious and imminent threat to health or safety; for public health activities; in response to a court order or subpoena; to law enforcement; etc., may be made under regulatory exceptions subject to specific conditions. 164.512


Use And Disclosure: Special Rules

1. Fund raising uses or disclosures generally require authorization except in certain circumstances. 164.514(f)


2. Research generally requires authorization unless certain conditions are met. 164.512(i)


3. Privacy protection continues after death for a period of 50 years. 164.502(f)


4. Personal representatives and parents of unemancipated minors are generally entitled to access information and exercise other patient rights, subject to certain exceptions. 164.502(g)


5. Covered entities should verify a requesting person’s identity and authority before disclosing information. 164.514(h)


6. Covered entities may “de-identify” information, thereby avoiding HIPAA restrictions. 164.502(d), 164.514(e)


7. Safeguards for facsimiles, e-mails, and telephone communications may be appropriate; although they are not expressly required by the regulations, they may help satisfy the safeguards requirement of 164.530(c).


Minimum Necessary Standard

1. Use or disclosure must be limited to the minimum necessary to accomplish the purpose, subject to specified situations. 164.502(b)


2. Define and limit workforce members’ access to protected information. 164.514(d)


3. Establish protocols for routine disclosures, and processes for handling others on an individual basis. 164.514(d)


4. Establish protocols for routine requests for information, and processes for handling others on an individual basis. 164.514(d)


5. The entire record should not be requested if it is not necessary. 164.514(d)


Patient Rights

1. Right to request additional restrictions on use or disclosure for treatment, payment or health care operations; however, the provider is not obligated to agree to restrictions except in limited situations. 164.522(a)


2. Right to request alternative means or location of communications, including process for requesting alternatives and limitations on requests. 164.522(b)


3. Right to access protected health information, including process for requesting access; time limits and process for responding; bases for denials; and determination of reasonable costs. 164.524


4. Right to amend protected health information, including process for requesting amendments; time limits and process for responding; bases and process for denials; attaching amendments or requests; and notifying others about requests. 164.526


5. Right to request an accounting of protected health information, including process for capturing information for the accounting; process for requesting an accounting; time limits and process for responding; and limitations on requests. 164.528


Notice Of Privacy Practices

1. Provision and posting of notice. 164.520


2. Good faith efforts to obtain acknowledgment. 164.520


Business Associates

1. Process for obtaining business associate contracts; taking action for violations; and obtaining information from business associates to comply with provider’s responsibilities. 164.502(e); 164.504(e)


Notification Requirements For Breaches Of Unsecured Protected Health Information

1. Identifying when a breach occurs. 164.402


2. Securing protected health information. 164.402


3. Notice to individuals, including timing, content, and providing substitute notice. 164.404


4. Notice to HHS, including annual and immediate notices, timing, content, and the HHS electronic reporting process. 164.408


5. Notice to the media, including form, timing and content. 164.406


6. Notice by business associates, including timing and required information. 164.410


7. Delay in notice at request of law enforcement. 164.412


Administrative Requirements

1. Designation of privacy officer and contact person. 164.530(a)


2. Training existing and new members of the workforce. 164.530(b)


3. Use of technical, administrative, and physical safeguards to avoid improper or incidental disclosures. 164.530(c)


4. Sanctions against workforce members for violation of policies and regulations. 164.530(e)


5. Patient complaints, including the process for complaining and responding to complaints. 164.530(d)


6. Mitigation of improper disclosures. 164.530(f)


7. Correction of any violations within 30 days to avoid penalties. 160.410


8. No retaliation or intimidation against patients or others who exercise HIPAA rights. 164.530(g)


9. No conditioning treatment on a waiver of HIPAA rights. 164.530(h)


10. Document retention, including identifying documents that must be retained and period of retention. 164.530(i)


11. Privacy officer designation. 164.530(a)


12. Contact officer designation. 164.530(a)


13. Employee training certification. 164.530(b)


14. Complaint form / action on complaint. 164.530(d)


15. Privacy violation report form / action in response to incident (including documentation of sanctions). 164.530(f)


16. Log of breaches reportable to HHS on annual basis. 164.408


Forms

1. Notice of privacy practices. 164.520


2. Acknowledgment of receipt of privacy practices. 164.520


3. Business associate contract. 164.504(e)


4. Data use agreement (if used). 164.514(e)


Use And Disclosure Forms

1. Authorization. 164.508(c)


2. Objection to disclosure per 164.510.


3. Opt-out of fundraising. 164.514(f)


Patient Rights Forms

1. Request for additional restrictions on use or disclosure / denial of request. 164.522(a)


2. Request for alternative means or location for communication / action on request. 164.522(b)


3. Request for access to information / action on request. 164.524; 164.524(d)


4. Request for amendment of information / action on request. 164.526; 164.526(d)


5. Request for accounting of information / action on request. Accounting log. 164.528; 164.528(b)


Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.