The HIPAA Privacy Checklist

 REMEMBER – NEW REQUIREMENTS WERE PUBLISHED IN 2013.  IF YOU DID NOT UPDATE YOUR POLICIES AND PROCEDURES MANUAL THEN YOU MUST DO IT NOW.

Federal HIPAA privacy regulations mandate that all covered entities MUST:

·         Designate a privacy official responsible for developing/implementing HIPAA policies and procedures;

·         Document policies and procedures with respect to PHI showing compliance with the HIPAA privacy regulations;

·         Make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure;

·         Provide a process for access to the individual’s health information;

·         Develop a system for tracking disclosures of PHI, with some exceptions for payment, treatment, or health care operations related disclosures;

·         Provide a process for individuals to amend their health records when appropriate;

·         Develop business associate contracts/agreements that ensure business associates can comply with HIPAA;

·         Mitigate, to the extent possible, any harmful effect that is known to the entity from the use or disclosure of private health information in violation of the entity’s policies and procedures;

·         Develop procedures for verification of the person requesting PHI and the authority of that person to have access;

·         Provide a process for individuals to request alternative means of communication, place restrictions on the use of their health information, and make complaints concerning the covered entity’s policies and procedures or compliance with such policies and procedures;

·         Refrain from requiring individuals to waive the right to make a complaint to the covered entity or to the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights as a condition of receiving treatment;

·         Refrain from intimidating or retaliatory acts toward individuals exercising their rights granted under HIPAA privacy;

·         Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;

·         Provide training for workforce members on the policies and procedures to protect health information;

·         Apply appropriate safeguards against staff who fail to comply with the policies and procedures of the entity; and

·         Develop and disseminate a privacy notice.
