The following HIPAA Privacy Rule checklist is a starting point only; the full HIPAA compliance checklist appropriate for your organization will depend on its size, the PHI it handles, and the roles it performs (covered entity, business associate, or both).
- Designate a HIPAA Privacy Officer responsible for the development, implementation, and enforcement of HIPAA compliant policies.
- Understand what PHI is, how it can be used and disclosed in compliance with HIPAA, and when an individual's authorization is required.
- Identify risks to the privacy of PHI and implement safeguards to minimize risks to a "reasonable and appropriate" level.
- Develop policies and procedures for using and disclosing PHI in compliance with HIPAA and for preventing HIPAA violations.
- Develop policies and procedures for obtaining authorizations and for giving individuals an opportunity to agree or object when required.
- Develop and distribute a Notice of Privacy Practices explaining how the organization uses and discloses PHI and outlining individuals' rights.
- Develop policies and procedures for managing individuals' requests to access their PHI, to have it corrected, and to have it transferred to a third party.
- Develop procedures for members of the workforce to report HIPAA violations and for the organization to fulfill its breach notification requirements.
- Train members of the workforce on the policies and procedures relevant to their roles and on general HIPAA compliance.
- Develop and distribute a sanctions policy outlining the sanctions for non-compliance with the organization's HIPAA policies.
- Perform due diligence on Business Associates, review existing Business Associate Agreements, and revise as necessary.
- Develop and document a contingency plan for responding to an emergency that damages systems or physical locations in which PHI is maintained.