Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Academic year: 2021



Columns: Type of Policy and Procedure | Comments | Completed

Privacy Policy to Maintain and Update Notice of Privacy Practices

Notice of Privacy Practices

Health plans are required to develop and distribute a notice that provides a clear explanation of the plan's privacy practices and of an individual's privacy rights. Develop policies and procedures.

Uses and disclosures consistent with Notice of Privacy Practices

Uses and disclosures of PHI must be consistent with the health plan's Notice of Privacy Practices, and the notice must describe the uses and disclosures the plan makes.

Develop policies and procedures.

Privacy Policy for Documentation of Compliance Activity

Document retention

Policies and procedures, and the documentation HIPAA requires (for example, authorizations, accountings, complaints, sanctions, and training records), must be retained for a minimum of six years from the date of creation or the date last in effect, whichever is later.

Develop policies and procedures.

Privacy Policy for Limitation on Access

Identification of “firewall” workforce members

A health plan must identify (by name or classification) the persons or classes of persons within its workforce who need access to PHI to carry out their duties. The health plan must also identify individuals who can access PHI, but may not necessarily do so as part of their job functions (e.g., CFO, IT personnel). The health plan must also identify the categories of PHI to which those persons or classes of persons need access in order to fulfill their job responsibilities, and should determine whether any appropriate limitations should be applied to that access. In addition, the health plan must take steps to ensure that only those persons or classes of persons identified as “firewall” workforce members have access to the PHI identified. Include list in policies and procedures.

Workforce member training

A covered entity is required to train all members of its workforce on the health plan's policies and procedures related to PHI under HIPAA, as necessary and appropriate for each member's function within the workforce. Develop policies, procedures, forms, and training.

Minimum Necessary Uses and Disclosures of PHI

The health plan and plan sponsor must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using PHI, disclosing PHI, or requesting PHI from another covered entity. The minimum necessary standard does not apply to disclosures to the individual, disclosures for treatment, or disclosures made pursuant to an authorization. Develop policies and procedures.

Recurring or routine uses or disclosures of PHI

A health plan must have policies and procedures for disclosures of PHI that are routine and recurring to limit the PHI that it discloses to the minimum necessary for the intended purpose.

Develop policies and procedures.

Use and disclosure of PHI to plan sponsor

Develop policies and procedures. Before disclosing PHI to the plan sponsor, the health plan must obtain the sponsor's written certification that the plan documents have been amended to incorporate the required restrictions on the sponsor's use and disclosure of PHI.

Privacy Policies for Handling Individual Rights

Confidential communications

Individuals may request to receive PHI communications by alternative means or at alternative locations. A health plan must accommodate a reasonable request if the individual clearly states that disclosure of all or part of the information could endanger the individual. Develop policies, procedures, and forms.

Right of individual to request restriction on use or disclosure of PHI

Individuals have a right to request restrictions on uses and disclosures of PHI about the individual to carry out treatment, payment, and health care operations, and on disclosures made to family members or other persons involved in the individual's care. The health plan is not required to agree to a requested restriction, but it must document and honor any restriction it accepts, except in an emergency. Develop policies, procedures, and forms.

Right of individual to access own PHI

Individuals have the right to inspect or obtain copies of their own PHI held in a designated record set. Develop policies, procedures, and forms.

Termination of restriction on use or disclosure of PHI

Develop policies, procedures, and forms.

Right of individual to request an amendment of PHI that is incomplete or incorrect

Individuals have the right to request amendment of their PHI if it is incomplete or incorrect, subject to some exceptions. The health plan may deny the request on specified grounds, but it must give the individual a written denial, allow the individual to file a statement of disagreement, and include the request (and any statement of disagreement and rebuttal) with future disclosures of the disputed PHI. Develop policies, procedures, and forms.

Right to request an accounting of disclosures

Individuals have the right to receive an accounting of disclosures of their PHI made in the six years before the request, other than disclosures for treatment, payment, and health care operations, disclosures to the individual, disclosures pursuant to an authorization, and certain other excepted disclosures. Develop policies, procedures, and forms.

Privacy Policies and Procedures for Using and Disclosing PHI

Uses and disclosures of PHI when individual is present

If the individual is present, the covered entity may use or disclose PHI if the covered entity obtains the individual’s consent, provides an opportunity to object, or determines there is no objection based on circumstances (e.g., with a translator). Develop policies and procedures.

Limitations on uses and disclosure of PHI when individual not present

If the individual is not present, the health plan may determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's care or payment related to the individual's healthcare or needed for notification purposes (e.g., individual is incapacitated). Develop policies and procedures.

Determination as to whether authorization is valid

An authorization is required for uses and disclosures of PHI that the Privacy Rule does not otherwise permit (for example, most marketing and any sale of PHI). Develop policies and procedures for determining whether an authorization that is presented is valid: it must contain the required core elements and statements, must be signed and dated, and must not be expired or revoked.

Verification of individuals who request PHI

Develop policies and procedures for verifying the identity and authority of those requesting PHI.

Include policies and procedures for: employee, spouse, domestic partner, civil union partner, older children, parent seeking the PHI of a minor child, authorized personal representative, public officials, and person involved in individual’s care. Develop policies and procedures.

Personal Representatives

A Personal Representative may request PHI on the individual's behalf. The individual must provide a written designation, or the representative must document authority under applicable law (for example, a parent of a minor or a holder of a health care power of attorney). Policies and procedures should exist for verifying the identity and authority of the Personal Representative requesting the PHI. Develop policies, procedures, and forms.

Uses and disclosures of PHI to family members, relatives, close personal friends, or others authorized by individual (Personal Representatives)

Develop policies and procedures.

Terminating a restriction on the use or disclosure of PHI

Develop policies and procedures.

Uses and disclosures for underwriting and related purposes

A plan that performs underwriting (including but not limited to setting a plan's premium, setting employee contributions, or granting a premium reduction to an individual) may not use or disclose protected health information that is genetic information for underwriting purposes, except in the case of long-term care coverage. Develop policies and procedures.

Limited data sets and data use agreements

A limited data set is PHI from which the listed direct identifiers have been removed; it is still PHI, but a covered entity may use and disclose it for research, public health, or health care operations if the recipient signs a data use agreement. Ensure that data use agreements cover the permitted uses and disclosures of limited data sets. Develop policies and procedures.

De-identification of PHI

De-identified information is health information that does not identify an individual and for which there is no reasonable basis to believe it can be used to identify an individual. A plan may de-identify PHI in either of two ways: the Safe Harbor method, which removes 18 specific identifiers of the individual and of relatives, employers, and household members and requires that the plan have no actual knowledge that the remaining information could identify the individual; or the expert determination method, in which a qualified expert documents that the risk of re-identification is very small. Policies and procedures for de-identifying PHI should list the identifiers and the method used. Develop policies and procedures.
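The Safe Harbor row above lists the rules but not how a system applies them to a record. The following is an added example, not code from the original checklist or from any vendor it names: it removes the identifier categories, keeps only the first three ZIP digits, reduces dates to the year, aggregates ages of 90 and over, and masks a few identifier patterns in free text. The field names, the restricted-ZIP placeholder set, and the sample record are all constructed for this example.

```python
"""Safe Harbor style de-identification of one health record (added example)."""
import re
from datetime import date

# Identifier fields that are dropped outright (field names are assumptions).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Date fields that are reduced to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# The authoritative list comes from Census data; this set is a placeholder.
RESTRICTED_ZIP3 = {"036", "059"}
# Free-text patterns that are masked. Regexes catch only obvious formats; free
# text should normally be dropped or expert-reviewed rather than trusted to this.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def year_only(value):
    """Return the four-digit year of a date or ISO date string, else None."""
    if isinstance(value, date):
        return str(value.year)
    m = re.match(r"\s*(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None


def zip3(value):
    """Keep the first three ZIP digits, or '000' for restricted prefixes."""
    prefix = re.sub(r"\D", "", str(value))[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def safe_age(value):
    """Ages of 90 and over are aggregated into a single '90' category."""
    return min(int(value), 90)


def scrub_text(text):
    """Mask identifier patterns in free text."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record):
    """Return a new record with Safe Harbor identifiers removed or generalised."""
    out = {}
    for field, value in record.items():
        if value is None or field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            year = year_only(value)
            if year is not None:
                out[field + "_year"] = year
        elif field == "zip":
            out["zip3"] = zip3(value)
        elif field == "age":
            out["age"] = safe_age(value)
        elif field == "notes":
            out["notes"] = scrub_text(str(value))
        else:
            out[field] = value
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "02139-4307",
    "state": "MA",
    "ssn": "123-45-6789",
    "admit_date": date(2021, 3, 5),
    "diagnosis_code": "E11.9",
    "notes": "Call 617-555-0100 or jane@example.org before discharge.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Two design points matter in practice. Generalisation (ZIP prefix, year, capped age) is done by renaming the output field so a downstream consumer cannot mistake a year for a full date. The free-text scrub is deliberately the weakest part: Safe Harbor requires that no identifier remain, and regexes cannot guarantee that, so clinical notes are usually excluded from a Safe Harbor data set or handled under expert determination.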

Re-identification of PHI

A plan may assign a code to de-identified information so that it can later be re-identified, but the code must not be derived from information about the individual, must not be disclosed for any other purpose, and the re-identification mechanism must not be disclosed. Develop policies and procedures.

Permitted uses and disclosures

Outline the permitted uses and disclosures of PHI. Develop policies and procedures.

Uses and disclosures pursuant to an authorization

Outline permitted uses and disclosures of PHI by the health plan allowed pursuant to an authorization. Develop policies, procedures, and forms.

Deceased individuals

The plan may disclose PHI of a deceased person to family members or other individuals who were involved in the person's care or payment for care before death, unless doing so is inconsistent with any prior expressed preference of the deceased that is known to the plan. Health information about an individual who has been deceased for more than 50 years is no longer PHI. Develop policies and procedures.

Privacy Policies and Procedures for Disclosure for Legal or Public Policy Reasons

Whistleblowers

A workforce member or business associate may disclose PHI to a health oversight agency, public health authority, accreditation organization, or attorney in the good-faith belief that the plan has engaged in unlawful conduct or conduct that endangers patients, workers, or the public; such whistleblower disclosures are not violations by the covered entity. Develop policies and procedures.

Disclosures by workforce members who are victims of a crime

A workforce member who is the victim of a criminal act may disclose PHI to a law enforcement official about the suspected perpetrator, limited to the identifying and locating information the Privacy Rule permits. Develop policies and procedures.

(5)

Type of Policy and Procedure Comments Completed

Uses and disclosures of PHI for judicial and administrative proceedings

A health plan may disclose PHI for judicial and administrative proceedings in response to a court or administrative order, or in response to a subpoena or discovery request that is not accompanied by an order only if the plan receives satisfactory assurance that the individual was given notice of the request or that a qualified protective order was sought. Develop policies and procedures.

Uses and disclosures of PHI when required by law (e.g., disclosure to HHS when plan audited for compliance with HIPAA)

Develop policies and procedures.

Uses and disclosures of PHI for public health activities

Develop policies and procedures.

Disclosures of PHI about victims of abuse, neglect, or domestic violence

Develop policies and procedures.

Disclosures for health oversight activities

Develop policies and procedures.

Disclosures for law enforcement purposes

Develop policies and procedures.

Uses and disclosures for cadaveric organ, eye, or tissue donation

Develop policies and procedures.

Disclosures for Armed Forces activities

Develop policies and procedures.

Disclosures for workers’ compensation purposes

Develop policies and procedures.

Privacy “Mini-Security” Policies and Procedures

Reasonable safeguards to protect PHI from unintentional use or disclosure

Must have reasonable administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that would violate the Privacy Rule, and to limit incidental uses and disclosures.

Develop policies and procedures.

Miscellaneous Privacy Policies and Procedures

Prohibition on conditioning treatment, payment, or healthcare operations on provision of authorization

Develop policies and procedures.

Business Associate contracts

Develop policies, procedures, and model agreements outlining the handling and use of PHI by Business Associates. Obtain or update a Business Associate Agreement ("BAA") from each Business Associate.

Handling complaints

Complaints should be sent to, investigated, and tracked by the Privacy Officer. Develop policies, procedures, and forms.

Sanctions for violations

Must have and apply sanctions against workforce members who violate the privacy policies and procedures, and document the sanctions applied.

Develop policies, procedures, and forms.

Mitigation of harm

Must, to the extent practicable, mitigate any known harmful effect of a use or disclosure of PHI, by its own workforce members or by a business associate, that violates its own policies and procedures or the HIPAA regulations. Develop policies and procedures.

Refraining from intimidating or retaliatory acts

May not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who exercises a HIPAA right or participates in the filing of a complaint either under the covered entity’s own policies and procedures or with HHS. Develop policies and procedures. Include in training.

Security Administrative Safeguard Policies and Procedures

Security Management Process: Risk Management (Required)

Implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level. Develop procedures. Document compliance.

Security Management Process: Risk Analysis (Required)

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the plan, and repeat it when systems or operations change. Develop procedures. Document compliance.

Security Management Process: Sanction Policy (Required)

Apply appropriate sanctions against workforce members who fail to comply with the plan’s Security policies and procedures. Develop policies and procedures.

Security Management Process: Information System Activity Review (Required)

Implement procedures to regularly review information system activity records, such as audit logs, access reports, and security-incident tracking reports. Develop procedure.

Assign Security Responsibility (Security Official) (Required)

Appoint a security official to be responsible for development and implementation of Security policies and procedures. Document compliance.

Workforce Security: Authorization and/or Supervision (Addressable)

Maintain procedures to authorize and/or supervise workforce members who work with ePHI or in areas where ePHI might be accessed. Develop procedure or replace with reasonable, appropriate, and equivalent alternative.

Workforce Security: Workforce Clearance Procedure (Addressable)

Provide procedures to determine whether a particular workforce member’s access to ePHI is appropriate. Develop procedure or replace with reasonable, appropriate, and equivalent alternative.

Workforce Security: Termination Procedures (Addressable)

Provide procedures to terminate access to ePHI when workforce member’s employment terminates or change in job duties necessitates change in necessary access to ePHI. Develop procedure or replace with reasonable, appropriate, and equivalent alternative.

Information Access Management: Access Authorization (Addressable)

Provide policies and procedures for granting access to ePHI (e.g., access to a workstation, transaction, program, or process). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure.

Information Access Management: Access Establishment and Modification

(Addressable)

Provide policies and procedures, based upon the health plan's access authorization policies, to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process that handles ePHI. Update policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure.

Security Awareness and Training: Protection from Malicious Software (Addressable)

Provide procedures to guard against, detect, and report malicious software. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure.

Security Awareness and Training: Log-in Monitoring (Addressable)

Provide procedures to monitor log-in attempts and to report discrepancies. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure.
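The Information System Activity Review and Log-in Monitoring rows require that log-in attempts and audit records be reviewed and discrepancies reported, but the checklist does not show what such a review looks like. The block below is an added example, not code from the original checklist or from any vendor: it reads authentication log lines, flags a burst of failed log-ins from one user and source, a success that immediately follows such a burst, a log-in outside business hours, an identity that is not on the authorized roster, and any line the parser cannot read. The log format, thresholds, business hours and roster are assumptions, and the sample lines are constructed.

```python
"""Routine review of constructed authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> user=<id> src=<ip> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
FAIL_THRESHOLD = 5                    # failures per (user, source) ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window count as a burst
BUSINESS_HOURS = (7, 19)              # assumed 07:00-19:00 UTC
AUTHORIZED_USERS = {"jdoe", "asmith", "svc_claims"}  # assumed roster


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _finding(kind, event, **extra):
    """Build one finding record from an event plus any extra fields."""
    finding = {"type": kind, "user": event["user"], "src": event["src"],
               "ts": event["ts"].isoformat()}
    finding.update(extra)
    return finding


def review(lines):
    """Return a list of findings for the given log lines (oldest first)."""
    findings = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    bursting = set()                      # (user, src) pairs currently in a burst

    for line in lines:
        event = parse_line(line)
        if event is None:
            findings.append({"type": "unparsed", "line": line})
            continue
        key = (event["user"], event["src"])

        # Every identity must map to a known user (Unique User Identification).
        if event["user"] not in AUTHORIZED_USERS:
            findings.append(_finding("unknown_user", event))

        if event["result"] == "FAIL":
            q = recent_failures[key]
            q.append(event["ts"])
            while q and event["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()               # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD and key not in bursting:
                bursting.add(key)
                findings.append(_finding("failed_login_burst", event, count=len(q)))
            continue

        # A success right after a burst is the classic guessing-succeeded signal.
        if key in bursting:
            bursting.discard(key)
            recent_failures[key].clear()
            findings.append(_finding("success_after_burst", event))
        if not (BUSINESS_HOURS[0] <= event["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(_finding("off_hours_access", event))
    return findings


def summarize(findings):
    """Count findings by type, the figure a periodic review report would carry."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["type"]] += 1
    return dict(counts)


# Constructed sample log (fictional users and documentation-range addresses).
SAMPLE_LOG = [
    "2021-06-01T02:14:05Z user=jdoe src=203.0.113.7 result=FAIL",
    "2021-06-01T02:14:40Z user=jdoe src=203.0.113.7 result=FAIL",
    "2021-06-01T02:15:12Z user=jdoe src=203.0.113.7 result=FAIL",
    "2021-06-01T02:15:55Z user=jdoe src=203.0.113.7 result=FAIL",
    "2021-06-01T02:16:30Z user=jdoe src=203.0.113.7 result=FAIL",
    "2021-06-01T02:17:30Z user=jdoe src=203.0.113.7 result=OK",
    "2021-06-01T08:00:01Z user=asmith src=10.0.0.5 result=OK",
    "2021-06-01T09:12:00Z user=guest src=10.0.0.9 result=OK",
    "garbage line that the parser must not choke on",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print(summarize(review(SAMPLE_LOG)))
```

The review keeps a sliding window per (user, source) pair rather than a running total, so a user who mistypes a password once a day never trips the threshold, while an unparsed line is reported rather than silently skipped, because a log source that changes format is itself a discrepancy worth investigating. The documented output of a run (the findings and the summary counts) is the evidence that the review was actually performed.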

Security Awareness and Training: Security Reminders (Addressable)

Provide periodic information security reminders. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative.

Note: Security awareness and training is itself a required standard; only its four implementation specifications (reminders, malicious software, log-in monitoring, and password management) are addressable. Health plans must therefore provide security awareness training to all workforce members, including management, even where they adopt alternatives to individual specifications.

Security Awareness and Training: Password Management (Addressable)

Provide procedures for creating, changing, and safeguarding passwords. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure.

Security Incident Procedures: Response and Reporting (Required)

Implement procedures to identify and respond to suspected or known security incidents, to mitigate, to the extent practicable, the harmful effects of known security incidents, and to document incidents and their outcomes. Develop policy and procedure.

Contingency Plan: Data Backup Plan (Required)

Update and maintain procedures to create and maintain retrievable exact copies of ePHI. Develop procedure.

Contingency Plan: Disaster Recovery Plan (Required)

Establish (and implement, as needed) procedures to restore any loss of ePHI. Develop procedure.

Contingency Plan: Emergency Mode Operation (Required)

Establish (and implement, as needed) procedures to enable continuation of critical business processes and for protection of ePHI while operating in the emergency mode. Develop Procedure.

Contingency Plan: Testing and Revision Procedures (Addressable)

Provide procedures for periodic testing and revision of contingency plans. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure.

Contingency Plan: Applications and Data Criticality Analysis (Addressable)

Assess the relative criticality of specific applications and data in support of other contingency plan components. Document compliance with procedure or with reasonable, appropriate, and equivalent alternative.

Business Associates (Required)

Establish written contracts or other arrangements with Business Associates ("BAs") (and require BAs to do the same with their subcontractors) that document satisfactory assurances that the BA will appropriately safeguard ePHI and report security incidents and breaches to the plan. Document compliance.

Evaluation (Required)

Establish a plan for periodic technical and non-technical evaluation of how well the plan's security policies and procedures meet the requirements of the Security Rule, repeated in response to environmental or operational changes affecting the security of ePHI.

Document compliance.

Security Physical Safeguard Policies and Procedures

Facility Access Control: Contingency Operations (Addressable)

Provide procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure.

Facility Access Control: Facility Security Plan (Addressable)

Provide policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure.

Facility Access Control: Access Control and Validation Procedures (Addressable)

Provide procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedure.

Facility Access Control: Maintenance Records (Addressable)

Provide policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (e.g., hardware, walls, doors, and locks). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure.

Workstation Use: Function and Attributes (Required)

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. Develop policies and procedures.

Workstation Security (Required)

Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. Document compliance.

Device and Media Control: Disposal (Required)

Implement policies and procedures to address final disposition of ePHI, and/or hardware or electronic media on which it is stored. Develop policies and procedures.

Device and Media Control: Media Re-Use (Required)

Implement procedures for the removal of ePHI from electronic media before the media are made available for reuse, using sanitization appropriate to the media type rather than ordinary deletion. Develop procedures.

Device and Media Control: Accountability (Addressable)

Maintain a record of the movements of hardware and electronic media and the person responsible for its movement. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative.

Device and Media Control: Data Backup and Storage (Addressable)

Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Document compliance or document compliance with reasonable, appropriate, and equivalent alternative.

Security Technical Safeguard Policies and Procedures

Access Control: Unique User Identification (Required)

Assign a unique name and/or number for identifying and tracking user identity. Document compliance.

Access Control: Encryption and Decryption (Addressable)

Implement a mechanism to encrypt and decrypt ePHI at rest. Document compliance or document replacement with a reasonable, appropriate, and equivalent alternative. Note that ePHI encrypted in accordance with HHS guidance is "secured" PHI, so its loss does not trigger breach notification.

Access Control: Emergency Access Procedure (Required)

Implement procedures for obtaining necessary ePHI during an emergency. Develop procedures.

Access Control: Automatic Logoff (Addressable)

Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedures.

Person or Entity Authentication (Required)

Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Develop procedure.

Audit Controls: Activity Logs (Required)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Document compliance.

Transmission Security: Integrity Controls (Addressable)

Provide policies and procedures to establish security measures that detect any improper modification of ePHI while it is in transit over an electronic network. Develop policies and procedures or replace with reasonable, appropriate, and equivalent alternative procedures.
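The integrity-controls row above asks for a mechanism that detects modification of transmitted ePHI without saying what one looks like. The block below is an added example, not code from the original checklist or from any vendor: it wraps a record in an envelope carrying an HMAC-SHA256 tag computed over a canonical encoding of the record and over a key identifier, and the receiver recomputes and compares the tag in constant time. The record layout, key identifier and demo key are constructed; in a real deployment the key comes from a secret store shared with the receiving system and is never embedded in source.

```python
"""HMAC integrity control for an ePHI record sent between systems (added example)."""
import hashlib
import hmac
import json

# Constructed demo key; real keys are fetched from a KMS or secret store.
DEMO_KEYS = {
    "claims-2021-06": bytes.fromhex(
        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    ),
}


def canonical(record):
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key, key_id, body):
    """HMAC over the key identifier and the body, so the id cannot be swapped."""
    return hmac.new(key, key_id.encode("utf-8") + b"\n" + body, hashlib.sha256).hexdigest()


def seal(record, key_id, keys=DEMO_KEYS):
    """Wrap a record in an envelope carrying an HMAC-SHA256 tag."""
    return {"key_id": key_id, "payload": record,
            "mac": _tag(keys[key_id], key_id, canonical(record))}


def verify(envelope, keys=DEMO_KEYS):
    """Return True only if the envelope's MAC matches under the named key."""
    key = keys.get(envelope.get("key_id"))
    if key is None:
        return False  # unknown key identifier: treat as tampered
    expected = _tag(key, envelope["key_id"], canonical(envelope.get("payload", {})))
    # Constant-time comparison avoids leaking the tag byte by byte.
    return hmac.compare_digest(expected, str(envelope.get("mac", "")))


def tamper(envelope, **changes):
    """Return a copy of the envelope with payload fields altered (demo only)."""
    return dict(envelope, payload=dict(envelope["payload"], **changes))


# Constructed sample claim record; values are fictional.
SAMPLE_RECORD = {"member_id": "M-00042", "claim_id": "C-7781",
                 "amount_cents": 12500, "dx": "E11.9"}

if __name__ == "__main__":
    env = seal(SAMPLE_RECORD, "claims-2021-06")
    print("intact verifies:", verify(env))
    print("tampered verifies:", verify(tamper(env, amount_cents=1250000)))
```

A MAC gives integrity and origin authentication between the two parties that share the key; it gives no confidentiality, so the transmission still needs TLS or another encryption layer to satisfy the Encryption row, and it does not by itself stop replay of an old but valid envelope, which needs a sequence number or timestamp inside the signed payload. Canonical JSON with sorted keys is adequate for flat records like the sample; nested structures and floating-point values need a stricter canonicalization agreed by both ends.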

Transmission Security: Encryption (Addressable)

Implement a mechanism to encrypt ePHI whenever deemed appropriate while it is transmitted over an electronic network, based on the risk analysis (for example, any transmission over the public Internet). Document compliance or compliance with a reasonable, appropriate, and equivalent alternative.

Breach Notification

Risk assessment

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the plan demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Must have policies and procedures in place to make and document this determination. Develop policies, procedures, and forms.

Notice of Breach to individuals, OCR, and media (if required)

Should have model forms for tracking, investigating, and providing notification of Breach.

Develop model forms.


Timeliness of Notification of Breach

Notification to individuals must be made without unreasonable delay and in no case later than 60 calendar days after the breach is discovered; a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the plan. The process must also cover obtaining information from a BA when the BA experiences a breach, since the BA must notify the plan without unreasonable delay and no later than 60 days after its own discovery. Develop policies and procedures.

Notification of Breach methodology

Document the methods for notifying individuals and OCR (and the media if required): written notice to individuals by first-class mail (or by e-mail if the individual has agreed), substitute notice when contact information is insufficient or out of date, notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected, notice to HHS at the same time as individual notice for breaches affecting 500 or more individuals, and an annual log to HHS for smaller breaches. Develop policies and procedures, including the means to notify affected individuals or personal representatives and how to follow up if contact information is insufficient.

Notification Content Notices must have specific content. Develop standard templates or forms.

Note: This checklist is designed for use by employers sponsoring health plans. Additional requirements apply to other types of covered entities such as healthcare providers.
