Compliance Check

Has everyone in your office received HIPAA training within the past 12 months?
    Yes / No
    164.308(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
    --- Is there documentation to prove when they were trained?
        Yes / No
        Important to have in the case of an audit.

Do you have a designated compliance/security officer?
    Yes / No
    164.308(a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

Have you performed a Security Risk Analysis in the last 12 months?
    Yes / No
    164.308(A) Risk analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
    --- Required assessments performed:
        Security Risk
        Privacy
        Administrative
    --- Are your deficiencies documented?
        Yes / No
    --- Have you created a remediation plan including scheduled completion dates?
        Yes / No

Do you have Policies and Procedures in place for HIPAA, Breach Notification and Security?
    Yes / No
    164.308(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
    --- Have you documented that your employees read and attested to the Policies and Procedures?
        Yes / No
    --- Have you reviewed these procedures in the last 12 months?
        Yes / No
        Make sure it is documented!

Do you know who your Business Associates are?
    Yes / No
    164.308(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
    --- Do you have BA Agreements in place which have been reviewed in the last 12 months?
        Yes / No

Do you have a procedure for HIPAA violations and breaches?
    Yes / No
    164.308(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
    (6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
    (ii) Implementation specification: Response and reporting. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
    --- Can you provide the following?
        Incident tracking and reporting
        A way to show due diligence during your investigation
        Anonymous reporting abilities

Do you have Disaster Recovery policies and procedures in place?
    Yes / No
    164.308(a)(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.
    --- Do your DR policies and procedures include:
        Data Backup
        Disaster Recovery Plan
        Emergency Mode Operation Plan
    164.308(7)(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
    (C) Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.