HIPAA/OMNIBUS PRIVACY & SECURITY CHECKLIST
P&S Checklist v2.3

Date Started: __________    Date Completed: __________

ASSESSMENT INSTRUCTIONS

Below you will find the acronyms used throughout the checklist, together with brief instructions for completing the assessment.

Acronyms
- NIST: National Institute of Standards and Technology
- FIPS: Federal Information Processing Standards
- PHI: Protected Health Information
- EPHI: Electronic Protected Health Information
- BA: Business Associate
- CE: Covered Entity
- EHR: Electronic Health Record
- HHS: Health and Human Services
- IS: Information System

Instructions

Sample rows (the bracketed numbers refer to the notes that follow):

  HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS    (R) = REQUIRED, (A) = ADDRESSABLE [1]
  164.308(a)(1)(i) [2]       Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. [4]
  164.308(a)(1)(ii)(A) [2]   Has a Risk Analysis been completed in accordance with NIST Guidelines? (R) [3]    Status: ______ [5]

1 - The HIPAA Security Rule specifies a list of required or addressable safeguards. If an (R) is shown after the safeguard, implementation of that safeguard is required. If an (A) is shown, the safeguard must be assessed to determine whether or not it is a reasonable and appropriate safeguard in your environment. If it is not implemented, you are required to document the reason why and to implement an equivalent alternative safeguard if reasonable and appropriate.
2 - The reference is the C.F.R. (Code of Federal Regulations) citation that maps the requirement or safeguard to the specific regulation.
3 - This field is the requirement of the safeguard being evaluated. If it is shown in bold, specifying a status for that particular safeguard is not necessary, because it is an overview of the rows that follow.
4 - For any highlighted field, a status is not required, since that row is only an overview of the rows that follow.
5 - This field is for the status of the requirement or safeguard. Please specify one of the following: N/A, Complete, In Progress, Not Complete, or Unknown. Please feel free to add any additional comments in the field or on a separate sheet of paper.

HIPAA/HITECH PRIVACY & SECURITY ASSESSMENT ANALYSIS

Each row of the assessment has the following columns:
- HIPAA/HITECH Reference
- HIPAA Privacy Rule / HIPAA Security Rule / HITECH Act requirement
- Status (N/A, Complete, In Progress, Not Complete, Unknown)
- Policy/Procedure (name and/or number)
- Risk Score
- Responsible Party
- Due Date

The rows are listed below as reference and requirement; record the Status, Policy/Procedure, Risk Score, Responsible Party and Due Date beside each one. Rows marked "(overview row; no status required)" correspond to the bold/highlighted overview rows described in the instructions.

HIPAA PRIVACY RULE

§164.502, §164.514
Develop "minimum necessary" policies for:
- Uses
- Routine disclosures
- Non-routine disclosures
- Limiting requests to the minimum necessary
- Ability to rely on a request for the minimum necessary

§164.504
Develop policies for business associate (BA) relationships and amend business associate contracts or agreements:
- Obtain satisfactory assurances in the contract
- Document sanctions for noncompliance

§164.502, §164.504, §164.506, §164.508, §164.510, §164.512
Limit disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations and state law.

§164.520
Develop and disseminate a notice of privacy practices.

§164.522
Develop policies for requests for alternative means of communication.

§164.524
Develop policies for access to designated record sets:
- Providing access
- Denying access

§164.526
Develop policies for amendment requests:
- Accepting an amendment
- Denying an amendment
- Actions on notice of an amendment
- Documentation
(Noted beside these rows in the Policy/Procedure column: standard communication templates; storage of requests.)

§164.528
Develop policies for accounting of disclosures.

§164.530
Implementation of Privacy Rule administrative requirements, including:
- Appointment of a HIPAA privacy officer
- Training of the workforce and an ongoing training plan
- Sanctions for non-compliance
- Development of compliance policies
- Development of anti-retaliation policies
- Policies and procedures

HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.308(a)(1)(i)
Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. (overview row; no status required)

164.308(a)(1)(ii)(A)
Has a Risk Analysis been completed in accordance with NIST Guidelines? (R)

164.308(a)(1)(ii)(B)
Has the Risk Management process been completed in accordance with NIST Guidelines? (R)

164.308(a)(1)(ii)(C)
Do you have formal sanctions against employees who fail to comply with security policies and procedures? Do you have a documented policy and procedure regarding this? (R)

164.308(a)(1)(ii)(D)
Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? Do you have a policy and procedure for "pro-active monitoring"? (R)

164.308(a)(2)
Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (R)

164.308(a)(3)(i)
Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI). (overview row; no status required)

164.308(a)(3)(ii)(A)
Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)

164.308(a)(3)(ii)(B)
Have you implemented procedures to determine that an employee's access to EPHI is appropriate? (A)

164.308(a)(3)(ii)(C)
Have you implemented procedures for terminating access to EPHI when an employee leaves your organization? (A)

164.308(a)(4)(i)
Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part. (overview row; no status required)

164.308(a)(4)(ii)(A)
If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A)

164.308(a)(4)(ii)(B)
Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)

164.308(a)(4)(ii)(C)
Have you implemented policies and procedures, based upon your access authorization policies, to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)

164.308(a)(5)(i)
Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management). (overview row; no status required)

164.308(a)(5)(ii)(A)
Do you provide periodic information security reminders? Do you provide periodic training sessions? (A)

164.308(a)(5)(ii)(B)
Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)

164.308(a)(5)(ii)(C)
Do you have procedures for monitoring login attempts and reporting discrepancies? (A)

164.308(a)(5)(ii)(D)
Do you have procedures for creating, changing, and safeguarding passwords? (A)

164.308(a)(6)(i)
Security Incident Procedures: Implement policies and procedures to address security incidents. (overview row; no status required)

164.308(a)(6)(ii)
Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R)

164.308(a)(7)(i)
Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI. (overview row; no status required)

164.308(a)(7)(ii)(A)
Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (R)

164.308(a)(7)(ii)(B)
Have you established (and implemented as needed) procedures to restore any loss of EPHI data that is stored electronically? (R)

164.308(a)(7)(ii)(C)
Have you established (and implemented as needed) procedures to enable continuation of critical business processes and protection of EPHI while operating in emergency mode? (R)

164.308(a)(7)(ii)(D)
Have you implemented procedures for periodic testing and revision of contingency plans? (A)

164.308(a)(7)(ii)(E)
Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)

164.308(a)(8)
Have you established a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of EPHI? (R)

164.308(b)(1)
Business Associate Contracts and Other Arrangements: A covered entity (CE), in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the CE obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information. (overview row; no status required)

164.308(b)(4)
Have you established written contracts or other arrangements with your trading partners that document satisfactory assurances that the BA will appropriately safeguard the information? (R)

HIPAA SECURITY RULE - PHYSICAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.310(a)(1)
Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (overview row; no status required)

164.310(a)(2)(i)
Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A)

164.310(a)(2)(ii)
Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)

164.310(a)(2)(iii)
Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision? (A)

164.310(a)(2)(iv)
Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A)

164.310(b)
Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)

164.310(c)
Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)

164.310(d)(1)
Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. (overview row; no status required)

164.310(d)(2)(i)
Have you implemented policies and procedures to address final disposition of EPHI, and/or the hardware or electronic media on which it is stored? (R)

164.310(d)(2)(ii)
Have you implemented procedures for removal of EPHI from electronic media before the media are made available for reuse? (R)

164.310(d)(2)(iii)
Do you maintain a record of the movements of hardware and electronic media and the person responsible for each movement? (A)

164.310(d)(2)(iv)
Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment? (A)

HIPAA SECURITY RULE - TECHNICAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.312(a)(1)
Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). (overview row; no status required)

164.312(a)(2)(i)
Have you assigned a unique name and/or number for identifying and tracking user identity? (R)

164.312(a)(2)(ii)
Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)

164.312(a)(2)(iii)
Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)

164.312(a)(2)(iv)
Have you implemented a mechanism to encrypt and decrypt EPHI? (A)

164.312(b)
Have you implemented Audit Controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)

164.312(c)(1)
Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction. (overview row; no status required)

164.312(c)(2)
Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)

164.312(d)
Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R)

164.312(e)(1)
Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. (overview row; no status required)

164.312(e)(2)(i)
Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)

164.312(e)(2)(ii)
Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)

HIPAA SECURITY RULE - ORGANIZATIONAL SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.316(b)(1)
Documentation: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

164.316(b)(2)(i)
Time Limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

164.316(b)(2)(ii)
Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

164.316(b)(2)(iii)
Updates: Review documentation periodically, and update it as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

OMNIBUS RULE 2013

Business Associates
- Update the Business Associate Policy and Procedure to include the new definition of business associate.
- Evaluate current vendors, consultants, or any other third party organizations that may be a business associate of your organization, and work to get the proper business associate agreement in place.
- Assure that documentation exists on the changes to the Omnibus Rule and the requirements for Business Associates (including subcontractor requirements).
- Update Business Associate Agreements and have them re-signed by the compliance deadlines:
  A. If BAAs comply with the pre-Omnibus rule, parties have 1 additional year to bring their BAAs into compliance: September 22, 2014.
  B. If BAAs do not comply with the pre-Omnibus rule (or no BAA exists), parties must enter into BAAs that comply by September 23, 2013.
  C. Any new BAAs after 1/25/13 should use the Omnibus Rule 2013 compliant BAA.

Breach Investigation and Notification Process
Identify and write a policy and procedure for the process of breach investigations. At a minimum, the policy should include:
1) Internal notification process, including the definition of date of discovery and date of investigation
2) Breach investigation process, including a risk analysis of four (4) objectives:
   A. The nature and extent of the PHI involved (types, and the likelihood of re-identification)
   B. The unauthorized person(s) who used the PHI or to whom it was disclosed
   C. Whether the PHI was acquired, viewed or disclosed (re-disclosed)
   D. The extent to which the risk to the PHI has been mitigated
3) Notification and timeliness, including methods of notification to:
   A. Individuals impacted
   B. Secretary of the Department of Health and Human Services
   C. The media (if greater than 500)
4) Delay for law enforcement
5) Contents and methods of notification, including information on timeliness
6) Process for maintenance and documentation of the breach log
7) Business associate breach investigation and notification process

Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format
Right to restrict information to a health plan if:
A) the disclosure is for the purpose of payment or healthcare operations and is not otherwise required by law, and
B) the requested restriction is for PHI that pertains to healthcare item(s) or service(s) that have been paid in full by the requestor or representative.

Disclosures of Student Immunizations to Schools
Create a policy and procedure regarding the ability to provide immunization records to schools, when mandated by state law, with an oral authorization rather than a written one. The agreement to release immunization records should be documented, but does not need an authorization signature. The policy and procedure should include the process for receiving and documenting the agreement.

Protected Health Information about Decedents
Information regarding a patient is no longer protected under the Privacy Rule 50 years after the individual's death.
Information regarding a decedent may be disclosed to family members and others involved in care or payment for care, unless the individual expressed a wish to the contrary prior to death, and as allowed by state law. The policy and procedure should define the process and response for each of the above scenarios.

Fundraising and PHI
- Four new categories were added to fundraising: department of service, treating physician, outcome information, and health insurance status.
- Provide the recipient of any fundraising communication the opportunity to opt out of fundraising communications; an opt-out must be treated like a revocation of an authorization.
- Treatment or payment may not be conditioned on whether a patient elects to opt out.
- The method for opting out must be easy and must not cause undue burden.
- A statement must be included in the Notice of Privacy Practices that individuals may be contacted regarding fundraising.

Access to PHI Electronically
Covered Entities must produce an electronic copy of PHI, if requested by the patient, that is:
1) maintained electronically,
2) located in one or more designated record sets, and
3) in the form and format requested.
The information must be machine readable (digital); however, a CE does not have to purchase new software to comply with the request. In addition, the CE does not have to accept external portable media. If a portion of the record is still maintained in the legal format on paper, a CE is not required to produce it electronically. Unencrypted e-mail may be sent if the individual requests that medium and is advised of, and understands, the risks associated with it. Requests must be responded to within 30 days, with one 30-day extension (written notice must be provided to the patient of the delay, the reason for the delay, and the expected completion time). It can take no more than 60 days.

Marketing and PHI
New definition of marketing: "making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."
If remuneration is received by the CE for marketing a product or service, a valid authorization must be obtained from the individual prior to the communication, and it MUST include information that the CE is receiving financial remuneration from a third party.
Exceptions include cost-based fees for:
- Refill reminders
- Treatment of an individual
- Health-related products or services that
- Case management, care coordination

Sale of PHI
Definition of sale of PHI: "disclosure of protected health information by a CE or BA, where the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI."
Sale of PHI does not include disclosures:
- For public health
- For research, where the remuneration was a reasonable cost-based fee
- For treatment or payment purposes
- For sale, transfer, merger, or consolidation related to due diligence
- To a BA for work on behalf of a CE
- To an individual who has requested PHI
- As required by law
- In any other case where a cost-based fee to cover the costs of preparing and transmitting the information is covered
Cost-based fees cover labor, materials, and time.

Notice of Privacy Practices
The Notice of Privacy Practices needs to be updated and redistributed to patients. No changes are made to the information previously included. The NPP should be updated with:
- Prohibition on sale of PHI
- Duty to notify affected individuals of a breach of unsecured PHI
- Right to opt out of fundraising (if applicable)
- Right to restrict disclosure of PHI when paid out of pocket
- Limit on use of genetic information (certain health plans only)
- A statement on uses and disclosures for marketing

Research and PHI
Compound authorizations are now allowed (conditioned and unconditioned) if:
- The authorization clearly differentiates between the two research activities
- It clearly allows the individual to opt out of the unconditioned research activities (having a separate signature line is recommended)
- This excludes the ability to combine authorizations when psychotherapy notes are included in the research study
In addition, future research can be included in the authorization if it is adequately described what the participant can expect and what PHI may potentially be disclosed.

This checklist is used to assist healthcare providers in HIPAA/HITECH awareness. It is the responsibility of each provider to assess and comply with HIPAA and HITECH as is appropriate. REACH is not responsible for providers becoming HIPAA and HITECH compliant.

References:
- e-Box: available on Basecamp for all REACH clients. Contact your REACH HIT Consultant for directions.
- 2013 Omnibus Rule: REACH website, Educational Center, Webinar Recordings, "The New Privacy and Security Rules: Understanding the 2013 Omnibus Rule", http://www.khareach.org/education
- Health and Human Services (HHS), Health Information Privacy main page: http://www.hhs.gov/ocr/privacy/index.html
- Health and Human Services (HHS), HIPAA Covered Entities and BA page: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
- HealthIT.gov, Privacy and Security page: http://www.healthit.gov/providers-professionals/ehr-privacy-security