REC Privacy and Security Checklist v2.0

Date Started:
Date Completed:

HIPAA/OMNIBUS PRIVACY & SECURITY CHECKLIST

ASSESSMENT INSTRUCTIONS

Below you will find the acronyms used throughout the checklist as well as brief instructions for completing the assessment.

Acronyms

NIST - National Institute of Standards and Technology
FIPS - Federal Information Processing Standards
PHI - Protected Health Information
EPHI - Electronic Protected Health Information
BA - Business Associate
CE - Covered Entity
EHR - Electronic Health Record
HHS - Health and Human Services
IS - Information System

Instructions

Sample section layout (the bracketed numbers refer to the notes below):

HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS
[1] (R) = REQUIRED, (A) = ADDRESSABLE
[2] 164.308(a)(1)(i) - [3][4] Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. (overview row; no status required)
[2] 164.308(a)(1)(ii)(A) - [3] Has a Risk Analysis been completed in accordance with NIST Guidelines? (R) - [5] Status: ______

1 - The HIPAA Security Rule specifies a list of required or addressable safeguards. If an (R) is shown after the safeguard, then implementation of that safeguard is required. If an (A) is shown, then the safeguard must be assessed to determine whether or not it is a reasonable and appropriate safeguard in your environment. If it is not implemented, then you are required to document the reason why and also implement an equivalent alternative safeguard if reasonable and appropriate.
2 - The reference is the C.F.R. (Code of Federal Regulations) citation that maps the requirement or safeguard to the specific regulation.
3 - This field is the requirement of the safeguard that is being evaluated. If shown in bold (marked "(overview row)" in this checklist), then specifying a status for that particular safeguard is not necessary because it is an overview of the following rows to be evaluated.
4 - For any of the highlighted fields, a status is not required since that row is just an overview of the following rows to be evaluated.
5 - This field is to specify the status of the requirement or safeguard. Please specify one of the following: N/A, Complete, In Progress, Not Complete, or Unknown. Please feel free to add any additional comments to the field or on a separate sheet of paper.

P&S Checklist v2.3 - Page 1
HIPAA/HITECH PRIVACY & SECURITY ASSESSMENT ANALYSIS

Columns for each row: HIPAA/HITECH Reference | HIPAA Privacy Rule / HIPAA Security Rule / HITECH Act requirement | Status (N/A, Complete, In Progress, Not Complete, Unknown) | Policy/Procedure (name and/or number) | Risk Score | Responsible Party | Due Date

HIPAA PRIVACY RULE

§164.502, §164.514 - Develop "minimum necessary" policies for:
  - Uses
  - Routine disclosures
  - Non-routine disclosures
  - Limit request to minimum necessary
  - Ability to rely on request for minimum necessary

§164.504 - Develop policies for business associate (BA) relationships and amend business associate contracts or agreements:
  - Obtain satisfactory assurances in contract
  - Document sanctions for noncompliance

§164.502, §164.504, §164.506, §164.508, §164.510, §164.512 - Limit disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations and state law.
§164.520 - Develop and disseminate a notice of privacy practices.

§164.522 - Develop policies for alternative means of communication requests.

§164.524 - Develop policies for access to designated record sets:
  - Providing access
  - Denying access

§164.526 - Develop policies for amendment requests:
  - Accepting an amendment
  - Denying an amendment
  - Actions on notice of an amendment
  - Documentation

Related policies/procedures: Standard communication templates; Storage of requests
§164.528 - Develop policies for accounting of disclosures.

§164.530 - Implementation of Privacy Rule administrative requirements, including:
  - Appointment of a HIPAA privacy officer
  - Training of workforce and ongoing training plan
  - Sanctions for non-compliance
  - Develop compliance policies
  - Develop anti-retaliation policies
  - Policies and procedures

HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.308(a)(1)(i) - Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. (overview row)

164.308(a)(1)(ii)(A) - Has a Risk Analysis been completed in accordance with NIST Guidelines? (R)
164.308(a)(1)(ii)(B) - Has the Risk Management process been completed in accordance with NIST Guidelines? (R)

164.308(a)(1)(ii)(C) - Do you have formal sanctions against employees who fail to comply with security policies and procedures? Do you have a documented policy and procedure regarding this? (R)

164.308(a)(1)(ii)(D) - Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? Do you have a policy and procedure for "pro-active monitoring"? (R)

164.308(a)(2) - Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (R)
164.308(a)(3)(i) - Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI). (overview row)

164.308(a)(3)(ii)(A) - Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)

164.308(a)(3)(ii)(B) - Have you implemented procedures to determine that the access of an employee to EPHI is appropriate? (A)

164.308(a)(3)(ii)(C) - Have you implemented procedures for terminating access to EPHI when an employee leaves your organization? (A)

164.308(a)(4)(i) - Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part. (overview row)

164.308(a)(4)(ii)(A) - If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A)

164.308(a)(4)(ii)(B) - Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)

164.308(a)(4)(ii)(C) - Have you implemented policies and procedures that are based upon your access authorization policies to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)

164.308(a)(5)(i) - Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management). (overview row)

164.308(a)(5)(ii)(A) - Do you provide periodic information security reminders? Do you provide periodic training sessions? (A)

164.308(a)(5)(ii)(B) - Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)

164.308(a)(5)(ii)(C) - Do you have procedures for monitoring login attempts and reporting discrepancies? (A)

164.308(a)(5)(ii)(D) - Do you have procedures for creating, changing, and safeguarding passwords? (A)

164.308(a)(6)(i) - Security Incident Procedures: Implement policies and procedures to address security incidents. (overview row)

164.308(a)(6)(ii) - Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R)

164.308(a)(7)(i) - Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI. (overview row)

164.308(a)(7)(ii)(A) - Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (R)

164.308(a)(7)(ii)(B) - Have you established (and implemented as needed) procedures to restore any loss of EPHI data that is stored electronically? (R)

164.308(a)(7)(ii)(C) - Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of EPHI while operating in the emergency mode? (R)

164.308(a)(7)(ii)(D) - Have you implemented procedures for periodic testing and revision of contingency plans? (A)

164.308(a)(7)(ii)(E) - Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)

164.308(a)(8) - Have you established a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of EPHI? (R)

164.308(b)(1) - Business Associate Contracts and Other Arrangements: A covered entity (CE), in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the CE obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information. (overview row)

164.308(b)(4) - Have you established written contracts or other arrangements with your trading partners that document satisfactory assurances that the BA will appropriately safeguard the information? (R)

HIPAA SECURITY RULE - PHYSICAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.310(a)(1) - Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (overview row)

164.310(a)(2)(i) - Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A)

164.310(a)(2)(ii) - Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)

164.310(a)(2)(iii) - Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A)

164.310(a)(2)(iv) - Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A)

164.310(b) - Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)

164.310(c) - Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)

164.310(d)(1) - Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. (overview row)

164.310(d)(2)(i) - Have you implemented policies and procedures to address final disposition of EPHI, and/or the hardware or electronic media on which it is stored? (R)

164.310(d)(2)(ii) - Have you implemented procedures for removal of EPHI from electronic media before the media are made available for reuse? (R)

164.310(d)(2)(iii) - Do you maintain a record of the movements of hardware and electronic media and the person responsible for their movement? (A)

164.310(d)(2)(iv) - Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment? (A)

HIPAA SECURITY RULE - TECHNICAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.312(a)(1) - Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). (overview row)

164.312(a)(2)(i) - Have you assigned a unique name and/or number for identifying and tracking user identity? (R)

164.312(a)(2)(ii) - Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)

164.312(a)(2)(iii) - Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)
164.312(a)(2)(iv) - Have you implemented a mechanism to encrypt and decrypt EPHI? (A)

164.312(b) - Have you implemented Audit Controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)

164.312(c)(1) - Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction. (overview row)

164.312(c)(2) - Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)

164.312(d) - Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R)

164.312(e)(1) - Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. (overview row)
164.312(e)(2)(i) - Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)

164.312(e)(2)(ii) - Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)

HIPAA SECURITY RULE - ORGANIZATIONAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.316(b)(1) - Documentation: "(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."

164.316(b)(2)(i) - Time Limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

164.316(b)(2)(ii) - Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

164.316(b)(2)(iii) - Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Omnibus Rule 2013

Business Associates

- Update the Business Associate Policy and Procedure to include the new definition of business associate.
- Evaluate current vendors, consultants, or any other third-party organizations that may be a business associate to your organization and work to get the proper business associate agreement in place.
- Assure documentation exists on the changes to the Omnibus Rule and the requirements of Business Associates (including Subcontractor requirements).
- Update and have Business Associate Agreements re-signed by the compliance deadlines:
  A. If BAAs comply with the pre-Omnibus rule, parties have 1 additional year to bring their BAAs into compliance: September 22, 2014
  B. If BAAs do not comply with the pre-Omnibus rule (or no BAA exists), must enter into BAAs that comply by September 23, 2013
  C. Any new BAAs after 1/25/13 should use the Omnibus Rule 2013 Compliant BAA

Breach Investigation and Notification Process

Identified and written policy and procedure for the process of Breach Investigations. At a minimum, the policy should include:
  1) Internal Notification Process, including definition of date of discovery and date of investigation
  2) Breach Investigation Process, including risk analysis of four (4) objectives:
     A. The nature and extent of PHI involved (types and likelihood of re-identification)
     B. The unauthorized person(s) who used the PHI or to whom it was disclosed
     C. Whether the PHI was acquired, viewed or disclosed (re-disclosed)
     D. The extent to which the risk to the PHI has been mitigated
  3) Notification and timeliness, including methods of notification to:
     A. Individuals impacted
     B. Secretary of the Department of Health and Human Services
     C. The Media (if greater than 500)
  4) Delay of Law Enforcement
  5) Contents and Methods of Notification, including information on Timeliness
  6) Process for maintenance and documentation of the breach log
  7) Business Associate and Breach Investigation and Notification Process

Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.

Right to Restrict Information to a Health Plan if:
  A) the disclosure is for the purpose of payment or healthcare operations and is not otherwise required by law
  B) the requested restriction is for PHI that pertains to healthcare item(s) or service(s) that have been paid in full by the requestor or representative

Disclosures of Student Immunizations to Schools

Create a policy and procedure regarding the ability to provide immunization records to schools when mandated by state law with an oral authorization rather than a written one. The agreement to release immunization records should be documented, but doesn't need an authorization signature. The policy and procedure should include the process for receiving and documenting the oral authorization.

Protected Health Information about Decedents

Information regarding a patient is no longer protected under the Privacy Rule 50 years after the individual's death.

Information may be disclosed regarding a decedent to family members and others involved in care or payment for care, unless this is contrary to a wish expressed prior to death, and where it is allowed by state law. The policy and procedure should define the process and response to each of the above scenarios.

Fundraising and PHI

4 new categories added to fundraising: department of service, treating physician, outcome information, and health insurance status.

Provide the recipient of any fundraising communication the opportunity to opt out of fundraising communication; this must be treated like a revocation of an authorization. Treatment or payment may not be conditioned on whether a patient chooses to opt out. The method for opt-out must be easy and must not cause undue burden.

A statement must be included in the Notice of Privacy Practices that patients may be contacted regarding fundraising.

Access to PHI Electronically

Covered Entities must produce an electronic copy of PHI if requested by the patient that is:
  1) maintained electronically
  2) located in one or more designated record sets, and
  3) in the form and format requested

The information must be machine readable (digital); however, a CE doesn't have to purchase new software to comply with the request. In addition, the CE doesn't have to accept external portable media.

If a portion of the record is still maintained in the legal format on paper, a CE is not required to produce it electronically.

Unencrypted e-mail may be sent if the individual requests that medium and is advised of and understands the risks associated with it.

Requests must be responded to within 30 days, with one 30-day extension (the CE must provide written notice to the patient of the delay, the reason for the delay, and the expected completion time). It can take no more than 60 days.

Marketing and PHI

New definition for Marketing: "making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."

If remuneration is received by the CE for marketing a product or service, a valid authorization must be obtained from the individual prior to the communication and MUST include information that the CE is receiving financial remuneration from a third party. Exceptions include cost-based fees for:
  - Refill reminders
  - Treatment of an individual
  - Health-related product or services that
  - Case management, care coordination

Sale of PHI

The sale of PHI definition: "disclosure of protected health information by a CE or BA, where the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI."

Sale of PHI doesn't include:
  - For public health
  - For research where remuneration was reasonable cost-based fees
  - For treatment or payment purposes
  - For sale, transfer, merger, or consolidation related to due diligence
  - To a BA for work on behalf of a CE
  - To an individual who has requested PHI
  - As required by law
  - Any other case where a cost-based fee to cover the costs of preparation and transmission of the information is covered
Cost-based fees cover labor, materials, and time.

Notice of Privacy Practices

The Notice of Privacy Practices needs to be updated and redistributed to patients. No changes to the past information included. The NPP should be updated with:
  - Prohibition on sale of PHI
  - Duty to notify affected individuals of a breach of unsecured PHI
  - Right to opt out of fundraising (if applicable)
  - Right to restrict disclosure of PHI when paid out of pocket
  - Limit on use of genetic information (certain health plans only)
  - A statement on uses and disclosures with marketing

Research and PHI

Compound authorizations are now allowed (conditioned and unconditioned) if:
  - The authorization clearly differentiates between the two research activities
  - It clearly allows the individual to opt out of unconditioned research activities; having a separate signature line is recommended

This excludes the ability to combine authorizations when psychotherapy notes are included in the research study.

In addition, future research can be included in the authorization if it is adequately described what the participant will expect and what PHI may potentially be disclosed.
This checklist is used to assist healthcare providers in HIPAA/HITECH awareness. It is the responsibility of each provider to assess and comply with HIPAA and HITECH as is appropriate.
REACH is not responsible for providers becoming HIPAA and HITECH compliant.

References:
- e-Box - Available on Basecamp for all REACH clients. Contact your REACH HIT Consultant for directions.
- 2013 Omnibus Rule - REACH website, Educational Center, Webinar Recordings, "The New Privacy and Security Rules: Understanding the 2013 Omnibus Rule" http://www.khareach.org/education
- Health and Human Services (HHS) - Health Information Privacy main page, http://www.hhs.gov/ocr/privacy/index.html
- Health and Human Services (HHS) - HIPAA Covered Entities and BA page, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
- HealthIT.Gov - Privacy and Security page, http://www.healthit.gov/providers-professionals/ehr-privacy-security