10 Top HIPAA Policies and Procedures Templates to Manage Compliance
Blog: The Process Street Blog
There’s no way of getting around HIPAA rules.
If you are a healthcare provider that comes into contact with Protected Health Information (PHI), HIPAA compliance is not voluntary. You simply have no option but to comply with HIPAA policies and procedures.
This can feel daunting, especially if you consider the continuous rise in data breaches experienced by the healthcare industry, particularly in the US.
“Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.” – Steve Alder, 2019 Healthcare Data Breach Report
It gets worse.
If your organization violates HIPAA regulations, you can face a jaw-dropping fine. Take, for example, the 2014 case in which the New York Presbyterian Hospital accidentally disclosed the records of 6,800 patients, making them available online and fully Google-able.
“The enactment of the Final Omnibus Rule in 2013 doubled the maximum fine for a single violation of HIPAA from $25,000 to $50,000 per compromised patient record. This meant that when the New York-Presbyterian Hospital inadvertently disclosed the unsecured records of 6,800 patients on the Internet, the potential fine for the violation of HIPAA could have been as much as $340 million. Fortunately (for the New York-Presbyterian Hospital) the breach of PHI was settled for $3.3 million.” – Marc Ladin, The Importance of HIPAA Compliance: 7 Things You Should Know
Here are some other examples of HIPAA violations:
- The University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records.
- North Memorial Health Care of Minnesota had to pay $1.55 million in a settlement, for failing to enter into a Business Associate Agreement with a major contractor.
- The Memorial Healthcare System received a $5,500,000 penalty for insufficient ePHI access controls.
- The Memorial Hermann Health System had to pay $2.4 million in a settlement for disclosing a patient’s PHI in a press release.
If you think these are one-off cases, you are sorely mistaken.
A report by the Ponemon Institute found that 90% of surveyed healthcare institutions had at least one data breach within the past two years. What’s even more concerning is the continuous rise in the costs incurred by healthcare organizations facing a breach.
The researchers found for the ninth consecutive year, the healthcare sector is still the hardest hit financially by data breaches.
“Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.” Steve Alder, 2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
All things considered, I think it’s clear why HIPAA compliance is so essential for not only protecting sensitive patient information, but also for minimizing the risk of a data breach that could result in a huge fine, not to mention lasting damage to the organization’s reputation.
Process Street’s HIPAA policies and procedures templates
Not to worry though. With the correct processes in place, you can maintain compliance without having to deal with any unwelcome surprises. It’s also not expensive to set up an effective solution.
The costs involved in implementing a secure messaging solution, conducting risk assessments and training employees to use the solution are much less than commonly believed. – Marc Ladin, The Importance of HIPAA Compliance: 7 Things You Should Know
By integrating these checklists into your HIPAA management efforts, you will increase accountability, transparency, and provide your team with the tools they need to execute important workflows.
In this post, we will be covering:
- HIPAA Compliance Checklist
- HIPAA Compliance Checklist for HR
- HIPAA Privacy Risk Assessment Checklist
- HIPAA Security Breach Reporting Checklist
- HIPAA Data Backup Plan Checklist
- HIPAA Omnibus Rule Checklist
- HIPAA Business Associate Agreement Checklist
- Patient Intake Checklist for a Medical Clinic
- Patient Intake Checklist for a Dental Clinic
- Patient Satisfaction Survey Checklist
- Process Street is here to help you minimize the risk of ever facing a HIPAA violation
- Other useful resources for healthcare professionals
Our 10 checklists to help you stay compliant with HIPAA policies and procedures
HIPAA Compliance Checklist
The primary purpose of HIPAA is simply to keep people’s healthcare data private. If your healthcare organization is an entity that uses and has access to PHI, then you are classified as a Covered Entity (CE) and need to make sure you are compliant with HIPAA regulations.
There are three critical components to PHI security:
- Technical safeguards
- Physical safeguards
- Administrative safeguards
Each part is equally important and must be satisfied to ensure HIPAA compliance.
This is a general compliance checklist that guides you through satisfying the requirements for each of the three safeguards.
While going through the checklist, bear in mind that the requirements of HIPAA are intentionally vague so that it can be applied equally to different types of covered entities that come into contact with PHI.
It should also be noted that this checklist is a self-evaluation tool. Successfully completing it does not guarantee you are HIPAA compliant. To be sure, you should always consult a HIPAA compliance expert.
HIPAA Compliance Checklist for HR
As HIPAA has been amended over the years, it has adapted to the digital world by introducing strict measures to address the threat of cyber crime. This has placed much of the responsibility that comes with HIPAA compliance on IT departments.
Nevertheless, HIPAA obligations stretch far beyond IT security, as the healthcare industry is ultimately dependent on human interaction, and HIPAA security is dependent on proper employee training.
HR departments should not assume that the IT department is solely responsible for HIPAA compliance. There are important steps that need to be taken during employee onboarding in order to comply with the privacy rule.
For example, employees enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. This is very straight-forward and rarely overlooked, but some HR departments forget to send updates when privacy practices are revised, or a reminder at least every three years.
These are the little things that can prove costly down the line if not quickly identified and addressed.
This checklist will take you through the process of conducting a security risk audit, performing HIPAA training, assessing PHI security, and evaluating relationships with business associates.
HIPAA Privacy Risk Assessment Checklist
The requirement for covered entities to conduct a HIPAA risk assessment was introduced in 2003 with the original HIPAA Privacy Rule.
Conducting periodic risk assessments is not only required by law, but will also help you avoid potential violations that can be incredibly costly.
“More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard their patients´ personal information. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI existed.” – HIPAA Journal, HIPAA Risk Assessment
Facing a sudden data breach by a group of skilled cyber-crime attackers would be a lot more damaging if an investigation showed that the breach could have been avoided, and was largely due to a failure to identify and safeguard risks.
This checklist is designed to guide you through a comprehensive evaluation of your compliance with the HIPAA Privacy Rule, and to identify areas that need to be addressed to improve PHI security.
The template is split up into the following sections:
- Check-in procedures (patient identity verification, insurance, etc.)
- Clinical areas (ensuring no PHI is visible/accessible)
- Medical records (staff access, physical security, patient authorization)
- General security (computer monitors, paper records)
- Personnel policies (employee training, documentation)
Once the checklist is complete, you will have an accurate understanding of how well your organization is protecting PHI. You will also identify areas that need to be addressed and set out clear action items to optimize security measures.
HIPAA Security Breach Reporting Checklist
Security breaches in the healthcare industry are, unfortunately, all too common.
“Between 2009 and 2019 there have been 3,054 healthcare data breaches involving more than 500 records. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 230,954,151 healthcare records. That equates to more than 69.78% of the population of the United States. In 2019, healthcare data breaches were reported at a rate of 1.4 per day.” – HIPAA Journal, Healthcare Data Breach Statistics
With the risk of a breach being so high, it’s imperative that both covered entities and business associates take the appropriate measures to identify and report breaches as early as possible.
Currently, the figures suggest that not enough is being done.
“What’s worse is that it took the breached US organizations an average of 245 days to identify and contain a breach. However, the report tied breach response directly to cost saving. Organizations that detected and contained the breach in less than 200 days spent $1.2 million less on total breach costs.” – Jessica Davis, Data Breaches Cost Healthcare $6.5M, or $429 Per Patient Record
This checklist template has been built to help you identify and report data breaches as efficiently as possible. Our dynamic due dates feature will ensure that you file a notice to the secretary of the HHS within 60 days, while conditional logic will automatically customize the checklist depending on whether you are the covered entity or a business associate, and whether the breach affected more or less than 500 individuals.
HIPAA Data Backup Plan Checklist
Backing up data is important for everybody, whether it be personal data or data belonging to an organization. When it comes to ePHI managed by a healthcare institution, the level of importance could not be higher.
It is also a mandatory component of HIPAA compliance.
In order to meet these requirements, most healthcare organizations choose to outsource critical IT services to a third party i.e. an MSP. Whether or not you outsource data backup services, measures must be taken to ensure that you do not lose sensitive patient data, as the consequences can be devastating.
“The data backup plan is a required stage of compliance and must form part of a contingency plan that meets HIPAA standards. Losing data has huge consequences, even-more-so for healthcare organizations who routinely handle sensitive and private data. If access to critical pharmacy systems, lab systems or EHR systems was severed, a healthcare practice would struggle to continue business operations. This risks damaging reputation and ultimately could risk patient lives.” – Marty Puranik, What Is Your HIPAA Data Backup Plan
This process will help you establish a solid data backup plan that satisfies HIPAA requirements and clearly shows your patients that you have appropriate safeguards in place to protect their data.
From identifying the databases that contain ePHI, determining which solution will be used, testing the restore process, and formally documenting the backup policy, this checklist will help you set up the data backup plan end-to-end, hopefully relieving your security team of stress in the process!
HIPAA Omnibus Rule Checklist
The Omnibus Rule was introduced in 2013 as a way to amend the HIPAA privacy and security rules requirements, including changes to the obligations of business associates regarding the management of PHI.
The rule merges the following four separate rule makings:
- Amendments to HIPAA Privacy and Security rules requirements
- HIPAA and HIPAA HITECH under one rule now
- Further requirements for data breach notifications and penalty enforcement
- Approving the regulations in regards to the HITECH Act’s breach notification rule
The Omnibus rule includes regulations that will:
- Manage the use of patient information in marketing
- Includes a provision that requires healthcare providers to report data breaches that are deemed not harmful
- Makes certain that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA
Although all healthcare institutions had to make changes and adhere to the Omnibus Rule when it was implemented, this checklist provides you with an easy way to evaluate compliance on a periodic basis.
HIPAA Business Associate Agreement Checklist
A Business Associate Agreement (BAA), is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The HIPAA Privacy Rule requires all covered entities (CEs) to have a signed BAA with any Business Associate (BA) they hire that may come in contact with PHI.
According to HHS, a BAA must include the following information:
- Description of the permitted and required use of PHI by the BA.
- Provide specific requirements regarding how and when the BA will not use or further disclose PHI.
- Outline requirements for the BA to use appropriate safeguards to prevent inappropriate PHI use or disclosure.
This checklist will guide you through the process of creating and implementing a BAA.
As a covered entity, you will need to work in tandem with the BA to complete the agreement. This need for collaboration has been taken into account as the approval tasks require approval from both the CE and BA.
This means that you can efficiently move through the process knowing that there will not be any disagreements or disruptions when it comes time to confirm and implement the agreement.
Patient Intake Checklist for a Medical Clinic
How you manage the patient intake process will set the tone for the rest of your relationship, in addition to establishing the infrastructure for paperwork and data storage which is a critical aspect of HIPAA compliance.
There are three main elements that make up a good patient intake process:
- Proper handling of patient’s time, data, and privacy
- Making the process as convenient as possible for the patient
- Making sure all communication is clear and overstated
The patient intake process gives you an opportunity to get everything you need to properly assess and start working with the patient. Compliance plays a big part in this, with HIPAA documents and needing to be signed both before patients enter into your system of care, and updated at the beginning of each fiscal year.
This checklist template is designed to make the patient intake process as efficient as possible for you and your new patients.
Patient Intake Checklist for a Dental Clinic
When a new patient walks through the door of your dental clinic, you don’t want to have to force them to manually complete important documents.
Not only does it require more time and effort than digital alternatives, but it also leaves your patients feeling more stressed, which can negatively impact long-term patient retention.
This checklist automates much of your patient intake process and allows your patients the freedom to cooperate with you to complete the tasks digitally. With a reduction of manual entry, time spent on administrative processing is greatly reduced.
By using this checklist template you can rest assured that the patient intake process at your dental clinic is optimized, so you won’t have to worry about losing time to slow patients filling their forms in on the day of their appointment.
Patient Satisfaction Survey Checklist
It is becoming increasingly apparent in the healthcare industry that the patient experience and overall patient satisfaction is an important metric that directly impacts patient recovery and provides significant opportunities to optimize internal processes.
“High patient satisfaction scores usually result in higher reimbursement payments from the Centers for Medicare & Medicaid Services (CMS), better patient retention rates, and the assurance for hospital staff that they fostered a positive experience for patients.” – Sara Heath, How Hospitals Can Raise Patient Satisfaction, CAHPS Scores
In fact, a report from Vocera showed that patient satisfaction is the top-ranked priority at healthcare organizations, and that 64 percent of organizations value patient experience leaders the same as they value patient safety and clinical workflow leaders.
By completing the checklist, you will gain actionable insight into how patients are feeling about their treatment, and what can be done to deliver a more satisfying experience in the future.
It’s all about continuously optimizing processes to deliver the best care possible!
Process Street is here to help you minimize the risk of ever facing a HIPAA violation
Process Street is a simple workflow management tool that was built to help businesses create, execute, and optimize their workflows.
Our mission is to make recurring work fun, fast, and faultless for teams everywhere.
By documenting your workflows in digital checklists, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.
The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.
Check out this video for a quick introduction:
Each task included in the checklist can contain various details in the form of text, a variety of form fields including sub-checklists, and rich media so each individual working on the process knows exactly what is required and has access to relevant information.
If you need to make a change at some point to refine the workflow, Process Street’s template editing system allows quick and seamless edits on-the-fly, without disrupting existing workflows.
Our extensive integration capabilities allow you to connect with over 1000 other apps, so you can create automation rules between Process Street and the tools you already use to extend the capabilities of your tech stack.
Process Street has a range of workflow features which help to maximize the efficiency of your processes:
- Stop tasks
- Conditional logic
- Dynamic due dates
- Task permissions
- Task assignments
- Role assignments
- Embed widget
If you aren’t yet a Process Street customer, you can sign up here for free.
Other useful resources for healthcare professionals
Below is a list of useful articles that contain actionable insight into the world of healthcare, including COVID-19 checklists and workplace processes.
- 16 COVID-19 Procedures for Hospitals (According to Clinical Experience from FAHZU)
- Coronavirus Workplace Processes: 8 Checklists From Top World Health Experts
- 9 Checklists to Help Hospitals Deliver and Optimize Superb Patient Experiences
- SOAP Note: How to Write Spotless Healthcare Notes (Free Template!)
- ISO 13485: Basics and How to Get Started (QMS for Medical Devices)
- 14 Client Onboarding Process Checklists for Finance, IT, Medical, SaaS, Real Estate…
- Process Improvements: Your Ultimate Toolkit With 17 Free Templates
What do you think of these templates? Do you have any suggestions of checklists that could help you improve how you manage HIPAA compliance and the overall patient experience at your healthcare institution? Comment below and let us know!