
HIPAA Compliance Checklist for Medical Practices

September 22, 2016

As you know, 2016 is a big year for HIPAA compliance audits. The Office of Civil Rights (OCR), mandated to conduct random audits under the HITECH Act, gave plenty of warning that this year’s random compliance audits would begin with a renewed focus on smaller practices (15 or fewer providers) and include Business Associates (BAs) in the audit protocols.

Because practices have been under HIPAA for years, it’s easy to get complacent, but HIPAA fines are nothing to take lightly. Last year, OCR issued a record number of fines for violations, including $4.8 million for lack of a firewall (New York Presbyterian), $1.7 million for theft of an unencrypted laptop (Concentra Health Services), and $800,000 for unsecured medical records (Parkview Health Systems).

Here’s a checklist to help you prepare for HIPAA compliance this year. 

Technical Safeguards

  • Implement a system of access control including unique user names and PINs, plus protocols governing release of ePHI in the event of an emergency. 
  • Ensure a system is in place to authenticate all ePHI; make sure no information is altered or deleted in a way that violates HIPAA guidelines. 
  • Implement an encryption system for all information sent and received outside the organization’s internal firewall. 
  • Initiate and/or carry out a system of ePHI access control audits. 
  • Make sure an automatic log-out protocol is in place for all devices used to access ePHI. 

Physical Safeguards

  • Ensure procedures are in place to record anyone with physical access to areas where ePHI is stored (managed service providers, cleaners, engineers, etc.).
  • Implement safeguards for workstations and develop protocols for which functions may be performed on workstations in unrestricted areas. 
  • Develop protocols for ePHI use on mobile devices, including guidelines for removing information from devices no longer in use. 
  • Maintain accurate inventory of all hardware and devices. 

Administrative Safeguards

  • Conduct routine risk assessments and develop a risk management policy including sanctions for employees not in compliance. 
  • Implement HIPAA awareness training, including how to identify malicious attacks/malware; be sure to maintain documentation of training sessions. 
  • Develop and test a contingency plan to govern the integrity of ePHI when/if the entity operates in emergency mode. 
  • Implement policies to restrict third-party access and develop a reporting policy to identify breaches. 
  • Develop and document protocols to issue HIPAA breach notifications to affected patients and to the DHHS in the event the breach affects more than 500 individuals. 

Omnibus Considerations

The new Omnibus rules update HIPAA compliance standards, especially with regard to Business Associate Agreements (BAAs). Under the new guidelines, covered entities must now:

  • Update BAAs to include language making all BAs aware that they are bound by the same security and privacy rules governing covered entities, which means they must implement the same technical, physical, and administrative safeguards as covered entities, and are under the same reporting regime for breaches of ePHI. 
  • Issue updated BAAs to all business associates; a signed, HIPAA compliant BAA must be on file before the entity uses the BA’s services. 
  • Update privacy policies to reflect changes in disclosure pertaining to: deceased persons, Medicare, private insurers, immunization records, and the use of ePHI for marketing purposes. 
  • Issue updated Notice of Privacy Practices. 
  • Conduct staff training (with appropriate documentation) regarding the new Omnibus changes. 

It’s important to keep in mind exactly what’s at stake if you’re not in compliance with HIPAA safeguards:

  • $100 to $50,000 fines per violation up to a maximum of $1.5 million for “did not know” violations. 
  • $1,000 to $50,000 per violation to a maximum of $1.5 million for “reasonable cause” violations.
  • $10,000 to $50,000 per violation up to $1.5 million for corrected “willful neglect” violations.
  • $50,000 per violation up to $1.5 million for uncorrected “willful neglect” violations. 

If you have any questions about your HIPAA updates and Business Associate Agreements, contact the health information management experts at M-Scribe today for a free consultation to help you minimize your liability and exposure. 
