Year-End Checklist: HIPAA Compliance Tasks

As we enter the last quarter of the year, it is a good time to review your regulatory compliance program. Let’s look at the HIPAA compliance tasks to complete before year-end.
Schedule HIPAA-Cybersecurity Required Training
If you haven’t had your required HIPAA Training this year, now is the time to get that done.
Maintain Training Roster
Documentation of training is imperative. Once training is completed, have all those who participated sign the roster with the date of training listed. Keep the roster in the Training section of your HIPAA Manual.
Review and Update HIPAA Security Policies
Review and update HIPAA Security policies to align with best practices for cybersecurity. Look at the date of your policies. Are they recent? Do you have a plan for cybersecurity implemented in your practice that all staff are following? If not, contact us about getting your HIPAA policies up-to-date.
Audit Business Associate Agreements
Audit business associate agreements to ensure that every business associate is identified and that a signed agreement is on file for each one. A business associate agreement needs to be in place for any outside or affiliated business, separate from the practice, that has access to patient records.
Examples of possible business associates:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that accesses PHI.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Obtain an IT Scope of Duties
Reach out to your IT provider and clarify what services are being provided or not provided. Identify any gaps in services that must be implemented.
Obtain Confidentiality Agreements from Employees
Each employee of the practice needs to sign a confidentiality agreement. Maintain these signed forms in the employee’s personnel file.
Update Hardware Inventory
Maintain a hardware inventory that details your technology assets, including every computer in your practice. An up-to-date inventory is critical if there is a breach or other security issue, because it lets you quickly identify which devices are affected and simplifies the steps for resolution.
Conduct a HIPAA Security Risk Assessment
Security risk assessments are required by the Office for Civil Rights (OCR) and must be documented in your practice. Contact us if you do not have a recent HIPAA Security Risk Assessment.
Create a Work Plan Based on Risk Assessment Results
Based on the HIPAA Risk Assessment results, prepare a work plan to correct any deficiencies you have identified, with responsible staff and target dates for each item.
Remind Employees to Guard Against Phishing Attacks
Regularly remind your team about phishing emails and show samples of what these emails look like. Read more about this topic here: Creating a Human Firewall in Your Practice.
