HIPAA Compliance Checklist: Policies and Procedures Needed for HIPAA Compliance
The following is a checklist of the resources needed (and policies and procedures that should be put in place) to ensure compliance with HIPAA regulations once you are determined to be a HIPAA-covered entity.
- SUNY Business Associate Agreement (as released by Counsel's Office on 6-18-2012)
The SUNY Office of General Counsel releases a template of the approved Business Associate Agreement each year. The 2013 Business Associate Agreement Template is available here.
- SUNY Risk Assessment Tool (For Suspected Breaches)
This SUNY tool helps HIPAA-covered entities determine IF a breach has occurred.
- Summary of the HIPAA Privacy Rule from the U.S. Department of Health and Human Services website
- Summary of the HIPAA Security Rule from the U.S. Department of Health and Human Services website
- HITECH Enforcement Rule from the U.S. Department of Health and Human Services website
Also see below for more information on HITECH and its implications.
- Business Associates: The Office of Civil Rights also reminded organizations that Business Associates will be subject to breach notification once the HIPAA rules are finalized this summer; previously, only HIPAA-covered entities were subject to breach notification. This change came about with the passage of the HITECH Act of 2009. The government has issued a broader summary of the implications of HITECH, available on the U.S. Department of Health and Human Services website.
- Standard Policies and Procedures you see at HIPAA covered entities:
a. Information Access and Security
b. Media Controls
c. Systems and Network Security
d. Notice of Privacy Practices
e. Right to Request Access and Amendment to Designated Record Set
f. Accounting for Disclosures
g. Request Restrictions or Confidential Communications
h. Reporting Incidents Involving the Security or Privacy of Protected Health Information; Breach Notification
i. Reporting Protected Health Information (PHI) Compliance Issues
j. Authorization Requirements for Use and Disclosure of Protected Health Information, Including Verification of Identification
k. Use and Disclosure of Protected Health Information for Research Purposes
l. Disclosure of PHI to Business Associates
m. Uses and Disclosures of PHI for Marketing
n. Uses and Disclosures of PHI for Fundraising
o. Transmission and Receipt of Protected Health Information via Fax
p. Minimum Necessary Uses, Disclosures, and Requests
q. Personal Representatives
r. Use and Disclosure of De-Identified Information and of Limited Data Sets
s. Electronic Protected Health Information (ePHI) Security Compliance: HIPAA Security Anchor Policy
t. Physical Security Policy
u. Electronic Communication of Health Related Information
v. Information System Activity Review
w. IT Security Incident Response Policy
- OCR Audit Protocol Recommendations from the U.S. Department of Health and Human Services website
- The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
- The protocol covers requirements for the Breach Notification Rule.
HITECH Enforcement Rule
The American Recovery and Reinvestment Act (ARRA) and HIPAA (Source: Yale University)
The American Recovery and Reinvestment Act of 2009 includes legislation known as the Health Information Technology for Economic and Clinical Health (HITECH) Act which promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs. Congress recognized the increased risk to the privacy and security of protected health information (PHI) with widespread adoption of EHRs and amended the HIPAA requirements to mitigate these risks. Some key changes are outlined below:
Effective February 17, 2009
- State attorneys general can enforce HIPAA
- Civil and monetary penalties increased to a maximum of $1.5 million, with a minimum penalty of $100 per violation imposed except in very limited cases
- Funds collected from civil penalties distributed to the Department of Health and Human Services (DHHS) for enforcement activities and to patients harmed by the violation
- Individuals as well as covered entities can be held accountable for HIPAA violations
Effective September 23, 2009
- Patients and clinical research subjects, DHHS, and in some cases the media, must be notified in the case of a breach of protected health information (PHI).
Effective February 17, 2010
- Business Associates are directly accountable for HIPAA compliance in addition to contractual requirements.
- Patients may request restrictions on disclosures to health plans for billing purposes when they pay for the service themselves
- Limited Data Sets are considered the default standard for complying with HIPAA's Minimum Necessary standard
- Patients may request electronic copies of their PHI when the data is held in an EHR, and may request that their records be sent to others in an electronic format.
- Limitations and prohibitions on using PHI for marketing and fundraising are strengthened and sale of PHI is prohibited.
Phased in beginning 1/1/2011
- All disclosures of PHI from an EHR must be accounted for, including those for treatment, payment, and healthcare operations
The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can it be relied upon, as legal advice or as the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York's campuses. Additionally, given the rapidly changing nature of laws, rules, and regulations, this site may contain delays or omissions and therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials or the SUNY Compliance Administrator. For legal advice, consult your lawyer.