Does your healthcare team have any documentation for its HIPAA Compliance Program? The documentation can be paper or digital.
Clinic Nerds recommends that you maintain a HIPAA Notebook – because if it is not documented, then it did not happen.
Is there at least one person who is designated as the HIPAA Specialist (aka Privacy Officer)?
The job of a HIPAA Specialist is to document a risk assessment and maintain the compliance program.
Has your healthcare team adopted any rules for HIPAA?
An example rule: Employees are (or are not) allowed to use their personal devices (laptop, phone) for work purposes. If an employee can use their personal iPhone to check work email or patient schedules, then protected patient data is on a device that needs to be Nerd Secured.
Has your healthcare team conducted a risk assessment?
What are the risks to patient data? Are paper medical records locked in a cabinet? Is your medical practice next to a river that often floods? Is the garbage area open to dumpster divers? These sorts of questions, and many more, need to be asked and assessed.
Have you gone through all of your outsourcing partners and considered whether to get a signed Business Associate Agreement (BAA)?
In the course of conducting business, it will be necessary to (legally) share Patient Data. If a business partner is not a 'Covered Entity' and Patient Data is being shared with them, then a signed BAA is required. Clinic Nerds has a free tool for creating a BAA.
Do all of your computer devices have encryption turned on?
Turning on encryption is the #1 recommendation of the HIPAA Police. All computers have support for encryption, but it is usually disabled by default. You have to turn it on.
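Checking that encryption is actually on, rather than assuming it, is the part of this item that auditors ask about. The script below is an added example (not a Clinic Nerds tool) that inspects the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on a Linux workstation and lists every mounted filesystem that does not sit on top of a `crypt` (LUKS/dm-crypt) layer. The sample JSON is constructed to show one encrypted root with LVM on top and one plain, unencrypted data disk; the ignore list for `/boot` and `/boot/efi` is an assumption, since those partitions are normally left unencrypted by design.

```python
import json
import subprocess

# Constructed sample, not captured from a real machine: the shape that
# `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints. sda2 holds a LUKS container
# with LVM volumes inside it; sdb1 is a plain partition mounted at /data.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}]}]}
"""

# Mountpoints that are unencrypted by design on most installs (assumption).
DEFAULT_IGNORE = ("/boot", "/boot/efi", "[SWAP]")


def unencrypted_mounts(lsblk_json, ignore=DEFAULT_IGNORE):
    """Return [(device, mountpoint)] for mounts with no crypt layer above them.

    A device is considered encrypted if it, or any ancestor in the lsblk
    tree, has type "crypt"; LVM volumes inside a LUKS container inherit that.
    Handles both the older "mountpoint" key and the newer "mountpoints" list.
    """
    data = json.loads(lsblk_json)
    findings = []

    def walk(node, under_crypt):
        is_crypt = under_crypt or node.get("type") == "crypt"
        mps = node.get("mountpoints")
        if mps is None:
            mps = [node.get("mountpoint")]
        for mp in mps:
            if mp and mp not in ignore and not is_crypt:
                findings.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, is_crypt)

    for device in data.get("blockdevices", []):
        walk(device, False)
    return findings


def live_check():
    """Run lsblk on this host and report unencrypted mounts (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample first, then on the real host.
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
    try:
        print("this host:", live_check())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("lsblk not available here:", exc)
```

On the sample the only finding is `sdb1` at `/data`, which is exactly the kind of device that should go in the HIPAA Notebook as a remediation item. For the other platforms in a typical clinic, `fdesetup status` (macOS FileVault) and `manage-bde -status` (Windows BitLocker) give the equivalent answer and can be recorded the same way.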
| # | Criteria | Points | Answer | Points Earned |
|---|---|---|---|---|
| 1 | HIPAA Notebook | 10 | | |
| 2 | HIPAA Specialist | 10 | | |
| 3 | HIPAA Rules | 10 | | |
| 4 | Risk Assessment | 10 | | |
| 5 | Business Associate Agreements | 10 | | |
| 6 | Encryption | 50 | | |