1. 2010 HIPAA Checklist for Covered Entities
STEP 1. Business Associate Contact
DESCRIPTION:
• Contact existing BAs and verify readiness to comply with new and heightened HIPAA guidelines
• Contact partners expected to obtain BA status as a result of the HITECH Act
• Review expanded definition for BAs (vendors and service providers)
• Update BA agreement to include new privacy and security expectations for BAs
• Execute updated BA agreements with all relevant parties
COMPLETED: ____

STEP 2. Breach Notification or Safe Harbor
DESCRIPTION:
• Assemble organizational plan to address breach notification guidelines, or prepare to meet safe harbor standards for PHI
• Update HIPAA policies and procedures to manage breach events for your organization and BA partners
• Create breach notification template letter
• Train staff on new procedures and new “notice” materials
COMPLETED: ____

STEP 3. PHI Restrictions
DESCRIPTION:
• Revise policies and procedures to support PHI disclosure restriction requests
• Ensure systems can flag data affected by these requests
• Train staff
COMPLETED: ____

STEP 4. EHR Records Request
DESCRIPTION:
• Revise policies and procedures to support requests to obtain a copy of information contained in an individual’s EHR
• Train staff
COMPLETED: ____

STEP 5. Marketing Activities
DESCRIPTION:
• Amend policies and procedures to address updated HIPAA marketing guidelines
• Train staff on new expectations
COMPLETED: ____

STEP. “Minimum Necessary” Standards
DESCRIPTION:
• Revise and execute new “minimum necessary” policies
• Train staff
COMPLETED: ____

STEP 6. Accounting of Disclosures
DESCRIPTION:
• Revise policies and procedures to address individual requests for an accounting of PHI disclosures
• Ensure systems can track disclosures, including remote access
COMPLETED: ____

STEP 7. Privacy Notice
DESCRIPTION:
• Revise privacy notice to address:
  • Breach notification
  • PHI restrictions
  • EHR record requests
  • Marketing changes
  • “Minimum necessary” guidelines
  • Sale of PHI
• Distribute and post updated policy as required and share with all BAs
COMPLETED: ____