HITECH and HIPAA Compliance Checklist

Published January 2017

HITECH & HIPAA COMPLIANCE CHECKLIST

1) Structure administrative safeguards which:
   a. Implement policies and procedures to prevent, detect, contain, and correct security violations;
   b. Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule;
   c. Implement policies and procedures to ensure all members of its workforce have appropriate access to electronic PHI, and to prevent those workforce members who do not have access from obtaining access to electronic PHI;
   d. Implement policies and procedures for authorizing access to electronic PHI consistent with the applicable requirements of the Privacy Rule;
   e. Implement a security awareness and training program for all members of its workforce (including management);
   f. Implement policies and procedures to address security incidents;
   g. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, natural disaster) that damages systems containing electronic PHI;
   h. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic PHI, establishing the extent to which security policies and procedures meet the requirements of the Security Rule; and
   i. Create a process for individuals to lodge complaints relating to the plan's privacy policies and procedures, a system for handling such complaints, and a record of their resolution.

2) Structure physical safeguards which:
   a. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed;
   b. Implement policies and procedures specifying the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI;
   c. Implement physical safeguards for all workstations with access to electronic PHI, restricting access to authorized users; and
   d. Implement policies and procedures governing the receipt and removal of hardware and electronic media containing electronic PHI into and out of a facility, and the movement of these items within the facility.

3) Structure technical safeguards which:
   a. Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights;
   b. Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use electronic PHI;
   c. Implement policies and procedures to protect electronic PHI from improper alteration or destruction;
   d. Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed; and
   e. Implement technical security measures to guard against unauthorized access to electronic PHI being transmitted over an electronic communications network.

4) Document how PHI is used in each business process, both paper and electronic:
   a. Is staff trained in the secure handling of paper and electronic health records?
   b. Do policies and procedures provide employees with adequate and up-to-date guidance?
   c. Is the technology secure? Has a vulnerability assessment of the network been performed?

5) Update the Notice of Privacy Practices.

6) Mitigate, to the extent possible, any harmful effect known to the plan resulting from an improper use or disclosure of PHI.

25900 W. Eleven Mile Road, Suite 210  Southfield  Michigan  48034-8203 PHONE 248.355.9600  FAX 248.355.3145 www.jsclarkagency.com
© J.S. Clark Agency, Inc. All rights reserved
