Have we completed a HIPAA Risk Assessment within the past year?
HIPAA requires each Business Associate and Covered Entity to complete a Risk Assessment every year. This is actually stated in the law. You may see other names for this like Gap Analysis, Security Risk Assessment or HIPAA Internal Audit, but the importance of looking at HIPAA requirements and what you are doing to meet them each year and documenting the results is clear. It’s one of the first things the HIPAA Auditors from HHS look for if they come into your office for a HIPAA audit.

Do we conduct HIPAA training as soon as we hire staff?
HIPAA law requires initial HIPAA training for all staff. Most healthcare organizations that are HIPAA savvy incorporate the HIPAA training into orientation.

Do we conduct annual HIPAA training for all staff?
The HIPAA law requires on-going training, as well. While this is also not specified by law, best practice is to train on HIPAA annually.

Do we document disclosures as they occur so we can produce a summary of uses and disclosures if requested?
HIPAA requires you to produce a summary of disclosures to patients if they want to know where their health data has been. Your practice management system may have this capability or you may have to do it manually. Either way, you must have a way to record the uses and disclosures of each patient’s PHI.

Do we have signed Business Associate Agreements with all our partners?
Business Associates are non-employees that work with your practice or business. Your IT Managed Services vendor or your billing company would be good examples.

If you answered YES to all these questions — Congratulations!!
While there are other HIPAA requirements, these are the most important so you are well on your way to HIPAA compliance.

If you answered NO to any of these questions, you may need to find a better way to comply with HIPAA. We’re here to help you with that!