Practice Management Alert

Use this checklist to get all of your documents lined up.

Sure, HIPAA auditors will want you to show them a heaping mountain of documents to prove that you’re complying with the Privacy and Security rules. Instead of scrambling to amass all these documents at the last minute, prepare ahead of time with a helpful checklist. Here’s the specific documentation that auditors can ask for, according to an issue brief by Susan A. Miller, JD of Malvern, PA-based Malvern Group Incorporated.

HIPAA Security

• Security Officer contact information (name, email, phone, address, and admin contact info)
• Administrative Safeguards:
• Entity-Level Risk Assessment
• Organization Chart
• Information Security Policies, specifically those documenting security management practices and processes such as:

o Access control

o  Data protection

o Acceptable use

o  Workstation security

o  Workforce/HR security

o Sanction procedures

• Security Incident Management Plan
• Business Continuity/Disaster Recovery Plan
• Data backup and recovery procedures
• Physical security policies and procedures
• Data destruction and media reuse procedures

Technical Safeguards:

• Encryption policies and procedures
• Management’s internal control/internal audit policies and procedures relative to monitoring IT safeguards
• System-generated user access listing of all individuals with access to systems housing ePHI
• System-generated listing of all New Hires within the past year
• User authentication policies and procedures

HIPAA Privacy

Privacy Officer contact information (name, email, phone, address, and admin contact info)

Privacy Policy and Notice of Privacy Practices

Privacy practices documentation including:

o  Use and Disclosure

o  Rights to Request Privacy Information

o  Right to Request Privacy Protection of PHI

o  Access of Individuals to PHI

o  Denial of Access to PHI procedures

o  Amendment of PHI

o  Accounting of Disclosures of PHI

o  Administrative Requirements

o  Transition Provisions

• Training documentation for employees over Privacy Practices and organization training policies
• Policies and procedures in place over administrative, technical and physical safeguards over all forms of PHI
• Complaint handling policies and procedures
• Population of complaints over Privacy Practices made within the past year (Complaint Log)
• Sanction and disciplinary policies and procedures over privacy violations
• Mitigation and disciplinary policies and procedures for when a breach occurs
• Anti-intimidation/anti-retaliation policies and procedures
• Policies and procedures over Uses and Disclosures of PHI, including:

o Deceased individuals

o Personal representatives

o Confidential communication

o Business associate contract requirements

o Health Plan documentation requirements

o Treatment, payment, and/or operation

o Consent and authorization requirements

o Judicial or administrative proceeding requirements

o Research requirements

o Approval or waiver requirements

o De-identification/re-identification of PHI procedures

o  Restriction of PHI

o Minimum necessary requirements

o Limited information provided for fundraising purposes

o  Healthcare underwriting requirements

o Identity verification procedures of individuals requesting PHI.

HITECH

• Breach notification processes and capabilities
• Entity-level risk assessment documentation

Source: Susan A. Miller, JD, Malvern Group: “Issue Brief: OCR Audit Documentation Requests — What We Know Now.” www.malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf.