Applicable Federal Laws & Regulations: 45 C.F.R. Parts 160 (General Provisions) & 164 (Security & Privacy)
HIPAA requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce. (45 C.F.R. § 164.306(a)).

The Administrative Safeguards provisions in the Security Rule require covered entities to perform a risk analysis as part of their security management processes. A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI (45 C.F.R. § 164.306(b)(iv));
- Implement appropriate security measures to address the risks identified in the risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(B));
- Document the chosen security measures and, where required, the rationale for adopting those measures (45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1)); and
- Maintain continuous, reasonable, and appropriate security protections (45 C.F.R. § 164.306(e)).

Risk analysis is an ongoing process, requiring regular review of records to track access to e-PHI and detect security incidents, periodic evaluation of the effectiveness of security measures, and regular reevaluation of potential risks to e-PHI (45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e)).
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments (45 C.F.R. § 164.316). A covered entity must also periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI) (45 C.F.R. § 164.316(b)(2)(iii)).
*Additional federal and state laws and regulations may apply to specific instances of disclosure, including disclosures pursuant to a valid warrant, subpoena, or court order, mandated reporting requirements, and other disclosures as required or permitted by federal and state laws.
| Category | Questions | Responses | Documents/Additional Information |
|---|---|---|---|
| General Matters | | | |
| | 1. What form of PHI does your organization maintain, e.g. paper, electronic? | | |
| | 2. Where does your organization's PHI reside? | | |
| | 3. What EMR system does your organization use, if any? | | |
| | 4. How does your organization receive PHI from outside entities, e.g. email, fax, U.S. Mail, Care Everywhere? | | |
| | 5. Does your organization store PHI outside of the medical record, e.g. administrative or financial files? | | |
| | 6. Who has access to PHI? | | |
| | 7. Is access based on an individual's role and responsibilities, or do all users have the same level of access? | | |
| | 8. What is your organization's greatest weakness in terms of privacy and security? | | |
| Privacy & Security Compliance Program | | | |
| | 1. Who is responsible for ensuring your organization's compliance with federal and state privacy laws and regulations? | | |
| | 2. Does your organization have a written privacy and security compliance program as required by 45 C.F.R. Parts 160 & 164? | | |
| | 3. Does your organization have a program for monitoring and auditing compliance with federal and state privacy laws and regulations? | | |
| | 4. Does your organization maintain records of monitoring and auditing activities? | | |
| | 5. Does your organization have a training program to ensure compliance with federal and state privacy laws and regulations? | | |
| | 6. If YES to #5, does your organization maintain records of compliance training? | | |
| | 7. Does your organization have written procedures to ensure compliance with federal and state privacy laws and regulations? | | |
| Privacy Practices, Generally | | | |
| | 1. Does your organization have a policy governing privacy and security practices as required by 45 C.F.R. § 164.316? | | |
| | 2. Does your organization have a written notice of privacy practices? | | |
| | 3. Does your organization utilize a "Conditions of Admission/Treatment" form? | | |
| | 4. Does your organization have a written authorization for disclosure of PHI? | | |
| | 5. Does your organization have a workforce training program to ensure compliance with privacy and security practices? | | |
| | 6. If YES to #5, does your organization maintain records of compliance training? | | |
| | 7. Does your organization have written procedures for responding to patient requests for medical records? | | |
| | 8. Does your organization have written procedures for responding to 3rd party requests for medical records? | | |
| | 9. Does your organization maintain records of disclosures of PHI? | | |
| | 10. Does your organization regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D)? | | |
| | 11. Does your organization have a process for responding to individual requests for restriction of uses and disclosures of PHI as required by 45 C.F.R. § 164.522? | | |
| Amendment of PHI | | | |
| | 1. Does your organization have a policy governing patient requests to amend PHI as required by 45 C.F.R. § 164.526? | | |
| | 2. Does your organization utilize a form for patient requests to amend PHI? | | |
| | 3. Does your organization have a process for evaluating and responding to patient requests to amend PHI? | | |
| | 4. Does your organization have a process for responding to a patient's disagreement with denial of a request to amend PHI? | | |
| | 5. Does your organization have a process for allowing patients to submit a statement of disagreement with a denial of a request to amend PHI as required by 45 C.F.R. § 164.526(d)(ii)? | | |
| | 6. Does your organization have a policy governing "late" entries to the medical record? | | |
| | 7. Does your organization have a policy governing corrections of errors or clinician modifications to information contained in the medical record? | | |
| Business Associates | | | |
| | 1. Does your organization have a process in place for identifying those entities that qualify as a "Business Associate"? | | |
| | 2. Does your organization utilize Business Associate Agreements (BAAs) in compliance with 45 C.F.R. § 164.504(e)? | | |
| | 3. Does your organization regularly review and update BAAs? | | |
| | 4. Does your organization have a process in place for restricting access to PHI at the conclusion or termination of a BAA? | | |
| | 5. Does your organization regularly monitor and audit vendor access to PHI? | | |
| Grievance Process | | | |
| | 1. Does your organization have an individual designated to receive and respond to privacy-related complaints? | | |
| | 2. Does your organization have a policy governing privacy-related grievances as required by 45 C.F.R. § 164.530(d)? | | |
| | 3. Does your organization have a written procedure for responding to privacy complaints? | | |
| | 4. Does your organization document the receipt and disposition of all privacy-related complaints as required by 45 C.F.R. § 164.530(j)? | | |
| Privacy Breaches | | | |
| | 1. Who is responsible for determining if a reportable breach occurred? | | |
| | 2. Does your organization have a policy governing breach notification? | | |
| | 3. Does your organization have a process for notifying affected individual(s) of a reportable breach as required by 45 C.F.R. § 164.404? | | |
| | 4. Does your organization have a process for notifying the Secretary of a reportable breach as required by 45 C.F.R. § 164.408? | | |
| | 5. Does your organization have a process for notifying the media of a reportable breach involving more than 500 individuals as required by 45 C.F.R. § 164.406? | | |
| | 6. Does your professional liability insurance cover privacy breaches? | | |
| | 7. If YES to #6, please specify any exclusions. | | |
| Technical/Physical/Cybersecurity | | | |
| | 1. Has your organization implemented technical policies and procedures to restrict access to PHI to authorized users as required by 45 C.F.R. § 164.312? | | |
| | 2. Does your organization have policies and procedures regarding retention, modification, and destruction of PHI as required by 45 C.F.R. § 164.312(c)? | | |
| | 3. Are workforce members trained on policies governing retention, modification, and destruction of PHI? | | |
| | 4. Does your organization have policies and procedures requiring encryption of electronic devices used to access, create, store, or transmit PHI? | | |
| | 5. Does your organization have a written policy governing communication of PHI via email, text, or other electronic means? | | |
| | 6. Does your organization utilize encrypted email to transmit PHI? | | |
| | 7. If YES to #6, does your organization have a BAA with your email service provider, e.g. Microsoft 365? | | |
| | 8. Does your organization have policies governing removal of PHI, whether in paper or electronic form, from the premises? | | |
| | 9. Do workforce members use personal electronic devices to access, create, store, or transmit PHI? | | |
| | 10. Does your EMR have safeguards restricting late entries or modifications to the medical record? | | |
| | 11. Does your organization have a dedicated IT professional who is qualified to ensure compliance with the Technical Safeguards of the Security Rule and the 2021 amendments to the HITECH Act? | | |
| | 12. Does your organization have cyber liability insurance? | | |
| Workforce Matters | | | |
| | 1. Does your organization require annual and ongoing training of all individuals who have access to PHI to ensure compliance with privacy and security practices as required by 45 C.F.R. § 164? | | |
| | 2. Does your organization have procedures for supervising workforce members who have access to PHI? | | |
| | 3. Does your organization have procedures for terminating access to PHI when a workforce member separates from the organization? | | |
| | 4. Does your organization apply appropriate sanctions to workforce members who fail to comply with privacy and security policies and procedures as required by 45 C.F.R. § 164.308(a)(1)(ii)(C)? | | |
| Warrants/Subpoenas/Requests from Law Enforcement | | | |
| | 1. Does your organization have a written policy, procedure, or guideline on responding to warrants, subpoenas, or court orders for access to PHI? | | |
| | 2. Does your organization have a written policy, procedure, or guideline on responding to requests by law enforcement for access to PHI? | | |
| | 3. Does your organization have a written policy, procedure, or guideline on disclosure of PHI pursuant to mandated reporting requirements? | | |
| | 4. Who is responsible for reviewing warrants, subpoenas, or court orders to confirm validity and enforceability? | | |
| Social Media | | | |
| | 1. Does your organization have a written policy governing workforce members' use of social media, including prohibiting sharing PHI on social media platforms? | | |
| | 2. Does your organization have an official organizational social media presence? | | |
| | 3. If YES to #2, who is responsible for managing and monitoring the organization's social media account? | | |
| | 4. If YES to #2, does your organization have a written policy regarding acceptable use and content of the organization's social media accounts? | | |