HIPAA 2013 Compliance Checklist for [this office] 1. 2. 3. 4. 5. 6. Privacy Officer: __________________ Privacy Office Phone: _____________ Privacy Officer e-mail: _______________________ Privacy Officer Hours: ______________________________ Security Officer: ________________________ This practice [has] [does not have] a web site. [The address is www.xxx.xxx]. [The HIPAA 2013 Notice of Privacy Practices is posted on the site] 7. Privacy Policy finalized and incorporated in our procedure manual 8. Privacy training delivered by: [PMG] or [name of entity/person delivering training] List of Providers and Staff attached 9. HIPAA 2013 Notice of Privacy Practices, started distributing on:[ September 23, 2013] 10. Designated Record Set: Medical Records – Maintained by: [Practice or name of firm] 11. Designated Record Set: Billing Records – Maintained by: [Practice or name of firm] 12. Destruction of PHI: [define methods On-Site Shredder or name of Service] ___/____/20__ 13. Fax machines secured from public access: 14. Facility HIPAA Ready Date: [April 1, 2003] 15. HIPAA 2013 Business Associates: Name Agreement Executed _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ _________________________ ____/___/201_ 16. Sign-in sheet in conformance – [We DO NOT HAVE THIS] No last name or reason for visit 17. HIPAA 2013 NPP publicly posted in patient area 18. Computer screens turned away from general public viewing 19. Computers / Applications secured with user id and strong password* 20. Computers set to lock when unattended: [automatically after x minutes] or [locked by user] * * These items covered in greater detail in the Security Risk Assessment Checklist provided as is for free by Santa Cruz Health Information Exchange. Always seek the advice of a lawyer for legal matters. Please notify us of any enhancements you make to this checklist bbeighe@pmgscc.com 21. Virus protection – All computers are protected by anti-virus software* 22. Security Risk Analysis Completed: ___/____/20___ 23. Laptop Security – We never store PHI on any laptop unless it is encrypted* 24. Media Security – We never write PHI to a removable device or to a CD/DVD unless it is encrypted* 25. Off-Site Storage of Data – We have a process in place to securely transport and store our practice data containing PHI off-site so that it can be restored in event of a disaster.* 26. Business class Firewall installed and regularly maintained by competent IT service provider.* 27. Wireless Security – We secure our wireless with WPA and strong passwords and do not allow patients or guests to use our production network. We do not support WEP.* 28. E-mail Security – We never send PHI via e-mail either in the body of the mail or as an attachment (unless it is encrypted)* 29. We never donate or give away or sell a device that once contained/stored patient data, includes PC’s, Servers, Laptops, Tablets, or hard disks in or out of warranty. In these circumstances we only use secure services that certify that the data gets destroyed. 30. We never return equipment to a leasing company such as a server, copier, multi-function machine (many or which have hard drives that contain images of what was scanned, printed or copied). In these circumstances we destroy the hard drive or we get a letter that the leasing company takes full responsibility for data breach resulting from losing control of the patient data. * These items covered in greater detail in the Security Risk Assessment Checklist provided as is for free by Santa Cruz Health Information Exchange. Always seek the advice of a lawyer for legal matters. Please notify us of any enhancements you make to this checklist bbeighe@pmgscc.com HIPAA 2013 Training Log for Providers and Staff Use this log, or in a system such as Human Resources or Payroll Name _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ Training Completed ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ ____/___/201_ * These items covered in greater detail in the Security Risk Assessment Checklist provided as is for free by Santa Cruz Health Information Exchange. Always seek the advice of a lawyer for legal matters. Please notify us of any enhancements you make to this checklist bbeighe@pmgscc.com