HIPAA Self Assessment

What does "HIPAA compliant" mean in practice? Use this self assessment to find out whether your medical practice (or any healthcare team) is HIPAA compliant.


1. HIPAA Notebook

Does your healthcare team have any documentation for its HIPAA Compliance Program? The documentation can be paper or digital.

Clinic Nerds recommends that you maintain a HIPAA Notebook – because if it is not documented, then it did not happen.

Answer:  



2. HIPAA Specialist

Is there at least one person who is designated as the HIPAA Specialist (aka Privacy Officer)?

The job of a HIPAA Specialist is to document a risk assessment and maintain the compliance program.

Answer:  



3. HIPAA Rules

Has your healthcare team adopted any rules for HIPAA?

An example rule: Employees are (or are not) allowed to use their personal devices (laptop, phone) for work purposes. If an employee can use their personal iPhone to check work email or patient schedules, then protected patient data is on a device that itself has to be secured (Clinic Nerds calls this Nerd Secured), and your rules should say what that requires, such as a passcode, encryption and the ability to wipe the device if it is lost.

Answer:  



4. Risk Assessment

Has your healthcare team conducted a risk assessment?

What are the risks to patient data? Are paper medical records locked in a cabinet? Is your medical practice next to a river that often floods? Is the garbage area open to dumpster divers? These sorts of questions, and many more, need to be asked and assessed.

Answer:  



5. Business Associate Agreements (BAA)

Have you gone through all of your outsourcing partners and considered whether to get a signed Business Associate Agreement (BAA)?

In the course of conducting business, it will be necessary to (legally) share Patient Data. If a business partner creates, receives, maintains or transmits Patient Data on your behalf (a billing service, an IT vendor, a cloud email provider, a shredding company), that partner is a 'Business Associate' and a signed BAA is required before the data is shared. Clinic Nerds has a free tool for creating a BAA.

Answer:  



6. Encryption

Do all of your computer devices have encryption turned on?

Turning on encryption is the #1 recommendation of the HIPAA Police. Every current desktop and laptop operating system ships with full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux), but it is often disabled by default. You have to turn it on, on every device that can hold patient data (including phones, USB drives and backup disks), and store the recovery key somewhere other than on the device itself.

Answer:  
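"Is encryption turned on?" is a question you can check rather than guess at. The script below is an added example, not part of the Clinic Nerds page: on a Linux machine it reads the block-device tree from `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (a real lsblk invocation; the PKNAME column is the parent device) and walks upward from the device mounted at `/` until it either finds a `crypt` (dm-crypt/LUKS) layer or runs out of parents. The two lsblk outputs embedded in it are constructed samples, one for an encrypted laptop and one for a plain install, so the script runs without touching the real disk.

```shell
#!/bin/sh
# Added example (not from the Clinic Nerds page): does the Linux root
# filesystem sit on an encrypted (dm-crypt/LUKS) block device?
# Input format: output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, i.e.
# one device per line as NAME="..." TYPE="..." MOUNTPOINT="..." PKNAME="..."

# Constructed sample: encrypted laptop, LUKS container under LVM.
ENCRYPTED_SAMPLE='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"'

# Constructed sample: plain desktop, root straight on a partition.
PLAIN_SAMPLE='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# field VAR LINE -> prints the value of VAR="..." from one lsblk -P line.
# A leading space is added so that "NAME=" does not match inside "PKNAME=".
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# root_is_encrypted LSBLK_OUTPUT -> returns 0 if some device between the
# root filesystem and the physical disk has TYPE="crypt", 1 otherwise.
root_is_encrypted() {
    table="$1"
    # Start at the device mounted on "/" (the quote after / excludes /boot etc.).
    dev=$(printf '%s\n' "$table" | grep 'MOUNTPOINT="/"' | head -n 1)
    [ -n "$dev" ] || return 1
    name=$(field NAME "$dev")
    # Follow PKNAME upward: lvm -> crypt -> part -> disk. PKNAME is empty
    # at the physical disk, which ends the loop.
    while [ -n "$name" ]; do
        line=$(printf '%s\n' "$table" | grep "^NAME=\"$name\" " | head -n 1)
        [ -n "$line" ] || return 1
        [ "$(field TYPE "$line")" = "crypt" ] && return 0
        name=$(field PKNAME "$line")
    done
    return 1
}

# Stand-alone run against the constructed samples.
root_is_encrypted "$ENCRYPTED_SAMPLE" && echo "sample 1: root filesystem is encrypted"
root_is_encrypted "$PLAIN_SAMPLE" || echo "sample 2: root filesystem is NOT encrypted"

# Live check on the machine being assessed (requires lsblk from util-linux):
#   root_is_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)" && echo encrypted || echo NOT encrypted
```

Two caveats when you run this for real: it only looks at the root filesystem, so a second data partition or an external backup drive still needs its own check, and it says nothing about Windows or Mac machines. On those, the equivalent built-in commands are `manage-bde -status` (Windows, BitLocker) and `fdesetup status` (macOS, FileVault); record the output of whichever applies in the HIPAA Notebook for each device.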




Criteria                             Points   Answer   Points Earned
1. HIPAA Notebook                      10
2. HIPAA Specialist                    10
3. HIPAA Rules                         10
4. Risk Assessment                     10
5. Business Associate Agreements       10
6. Encryption                          50

Your Score:    



If you score less than 100, consider upgrading your HIPAA Compliance Program with the HIPAA Notebook for just $10 per month.

Encryption gets the most points (50) because lost or stolen unencrypted laptops, phones and drives are a leading cause of the breaches behind HHS-OCR resolution agreements, and the HIPAA Police have been shouting from the rooftops that all computer devices MUST use encryption. It also works in your favor after the fact: patient data that was encrypted to HHS guidance is treated as 'secured', so losing an encrypted laptop is not a reportable breach, while losing an unencrypted one is. If the word encryption sounds scary, here are two YouTube videos that give an easy explanation.





Note that these are just the six big things needed in a HIPAA compliance program. This does not include other smaller to-dos like monthly updates to the HIPAA Notebook. This definition of "HIPAA Compliant" is based on:
  • The HIPAA rules in the Code of Federal Regulations
  • Case studies of the Resolution Agreements / Press Releases from HHS-OCR
  • HHS-OCR summary reports to Congress





Notes:
—'Healthcare Team' could be a medical practice, hospital, pharmacy, insurer ...
—'Privacy Officer' and 'Security Official' are the names the HIPAA rules use for the role this page calls the 'HIPAA Specialist'
—'Patient Data' is another way of saying 'Protected Health Information' or PHI
—Link to HHS Resolution Agreements
—'HIPAA Police' is a nickname for HHS-OCR