HIPAA 2013 Compliance Checklist
HIPAA 2013 Compliance Checklist for [this office]
1. Privacy Officer: __________________
2. Privacy Office Phone: _____________
3. Privacy Officer e-mail: _______________________
4. Privacy Officer Hours: ______________________________
5. Security Officer: ________________________
6. This practice [has] [does not have] a web site. [The address is www.xxx.xxx]. [The HIPAA 2013 Notice of Privacy Practices is posted on the site]
7. Privacy Policy finalized and incorporated in our procedure manual
8. Privacy training delivered by: [PMG] or [name of entity/person delivering training]. List of Providers and Staff attached.
9. HIPAA 2013 Notice of Privacy Practices, started distributing on: [September 23, 2013]
10. Designated Record Set: Medical Records – Maintained by: [Practice or name of firm]
11. Designated Record Set: Billing Records – Maintained by: [Practice or name of firm]
12. Destruction of PHI: [define methods: On-Site Shredder or name of Service] ___/____/20__
13. Fax machines secured from public access:
14. Facility HIPAA Ready Date: [April 1, 2003]
15. HIPAA 2013 Business Associates:
Name                              Agreement Executed
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
16. Sign-in sheet in conformance – [We DO NOT HAVE THIS] No last name or reason for visit
17. HIPAA 2013 NPP publicly posted in patient area
18. Computer screens turned away from general public viewing
19. Computers / Applications secured with user id and strong password*
20. Computers set to lock when unattended: [automatically after x minutes] or [locked by user] *
* These items are covered in greater detail in the Security Risk Assessment Checklist, provided as-is for free by Santa Cruz Health Information Exchange. Always seek the advice of a lawyer for legal matters. Please notify us of any enhancements you make to this checklist: bbeighe@pmgscc.com
21. Virus protection – All computers are protected by anti-virus software*
22. Security Risk Analysis Completed: ___/____/20___
23. Laptop Security – We never store PHI on any laptop unless it is encrypted*
24. Media Security – We never write PHI to a removable device or to a CD/DVD unless it is encrypted*
25. Off-Site Storage of Data – We have a process in place to securely transport and store our practice data containing PHI off-site so that it can be restored in the event of a disaster.*
26. Business-class firewall installed and regularly maintained by a competent IT service provider.*
27. Wireless Security – We secure our wireless with WPA and strong passwords and do not allow patients or guests to use our production network. We do not support WEP.*
28. E-mail Security – We never send PHI via e-mail, either in the body of the mail or as an attachment (unless it is encrypted)*
29. We never donate, give away or sell a device that once contained/stored patient data; this includes PCs, servers, laptops, tablets, or hard disks, in or out of warranty. In these circumstances we only use secure services that certify that the data gets destroyed.
30. We never return equipment such as a server, copier or multi-function machine to a leasing company (many of which have hard drives that contain images of what was scanned, printed or copied). In these circumstances we destroy the hard drive, or we get a letter stating that the leasing company takes full responsibility for any data breach resulting from losing control of the patient data.
HIPAA 2013 Training Log for Providers and Staff
Use this log, or a system such as Human Resources or Payroll.
Name                              Training Completed
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_
_________________________         ____/___/201_