HIPAA compliance is scary and difficult, and for small practices it can seem unreasonably burdensome. For those businesses, we offer one of the most comprehensive HIPAA Compliance services in the industry. Find out more about it here.
For those still in the research phase, we would like to offer you this HIPAA Compliance Self-Assessment. This is by no means comprehensive, but it will point you in the right direction in your research. Read on to learn what you can do to become HIPAA complaint.
Security Policies and Procedures
Establish policies in order to handle and manage all security violations
Are your employees aware of the penalties that ensue from security violations?
Are internal penalties in place for employees who violate security procedures?
Do all your users know what to do in the event of security incidents or issues?
Is there a process in place to document, track, and address security issues or incidents?
Have you hired someone to track all security logs, reports, and records?
Do you have a security official in charge of a password and smart security policy?
Have you ever undertaken a risk analysis?
In the event of an audit, you will need to prove your compliance.
Have you written down your security policies and procedures for your records?
Do you have documentation proving you’ve trained all your employees?
Do you have documentation proving you performed security risk assessments (SRA’s)?
Where the SRA shows shortcomings, do you have a remediation plan written down?
Do you have copies of all Business Associate Agreements (BAA’s)?
Do you have an incident management plan to show the auditors?
Is all of your documentation updated regularly and do you keep old versions to show progress?
Restrict access to ePHI to those who have permission to access it.
Do you have measures in place to authorize or supervise access to ePHI?
Are there processes for determining the validity of access to ePHI?
In the event of employee termination, is their access to ePHI blocked?
Security Awareness Training
Establish a security awareness training program for all staff.
Are employees regularly reminded about security concerns?
Do you hold meetings about the importance of password, software, and IT security?
Are your employees aware of the process surrounding malicious software?
Do you have procedures for regular review of login attempts?
Do those procedures check for any discrepancies or issues?
Have you established procedures to monitor, manage, and protect passwords?
The Worst Case Scenario
Implement a plan for the protection and use of ePHI in the event of an emergency or disaster.
Are there tested and revised plans in place for an emergency?
Have you analyzed the applications and data needed for these emergency plans?
In the event of a disaster (I.T.E.O.A.D.), can you make or retrieve copies of ePHI?
I.T.E.O.A.D… Can you restore or recover all ePHI?
I.T.E.O.A.D… Will your ePHI be protected?
I.T.E.O.A.D… Can critical ePHI related business functions be completed?
I would like to thank Harrison Depner for this HIPAA Compliance Self-Assessment, first published at Kaseya’s blog.