HIPAA Auditing Tool. Department: Site Location: Visit Date:




Auditor:
Staff Interviewed:

Notice of Privacy Practice 164.520(c)

A covered entity must make the notice required by this section available on request to any person. A covered health care provider that has a direct treatment relationship with an individual must provide the notice no later than the date of the first service delivery. If a covered health care provider maintains a physical service delivery site, the notice must be posted in a clear and prominent location and be available on request for individuals to take with them.

Department Efforts (for each item record Compliant: yes or no, and Findings/Recommendations)

- NPP prominently posted
- NPP current version supply on site
- Acknowledgement supply on site
- Acknowledgement in client's chart
- Staff interview confirms understanding of NPP distribution requirement
- Staff interview confirms understanding of NPP content

Administrative, Physical and Technical Safeguards

Department Efforts (for each item record Compliant: yes or no, and Findings/Recommendations)

- County P & Ps on site
- Designated Departmental Privacy Officer or HIPAA contact person
- Record of employee training available
- County & Dept. training material
- Business Associate Agreements are used when necessary
- Client sign-in sheets and schedules contain only limited information
- Documents containing PHI are in closed folders or turned face down on desks and counters
- Sufficient locking file cabinets available
- Client charts or reports are locked in a drawer or cabinet at the end of the work day
- Documents containing PHI are shredded prior to disposal
- Voices are low when discussing PHI
- Doors are closed when speaking on the telephone
- Private rooms are used when possible
- Clients/unauthorized personnel are escorted to and from the reception area
- Restricted areas clearly identified
- Staff mail boxes are not readily accessible to clients or visitors
- Only authorized staff have access to confidential client information, and they access and use only the minimum amount necessary to accomplish their duties
- There are departmental procedures for storage and check-out of client charts and sufficient documentation to locate checked-out charts
- Staff do not discuss confidential client information among themselves in public areas or within earshot of clients, visitors or unauthorized staff
- Staff interviews confirm understanding of the minimum necessary rule
- Client information redacted from invoices before claim is submitted to auditor
- Computer monitors are turned away from view of public or unauthorized personnel
- Printers, copiers and faxes are located in secure areas
- Fax numbers are confirmed prior to sending
- Computers are locked from unauthorized access when unattended
- Passwords are changed regularly and kept confidential
- Awareness of appropriate physical safeguards
- Awareness of appropriate technical safeguards

HIPAA Forms and Documentation: Authorization 164.508(c)(1)&(2); Minimum Necessary 164.502(b) & 164.514(d); Accounting of Disclosures 164.528

A covered entity may not use or disclose protected health information except as permitted or required and in compliance with an authorization that complies with 164.508. When using, disclosing, or requesting protected health information, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity.

Department Efforts (for each item record Compliant: yes or no, and Findings/Recommendations)

- Staff using HIPAA-valid authorization
- Authorization form in clients' charts
- Department has clearly defined minimum necessary standards for each job category
- Department has P & P addressing routine and non-routine uses and disclosures
- Understanding of minimum necessary standard
- Disclosure log in client's chart
- Understanding of what disclosures need to be tracked/logged

Complaint Process 164.530(d); Refraining from Intimidating or Retaliatory Acts 164.503(g)

A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures; a covered entity must document all complaints received, and their disposition, if any. A covered entity must not intimidate, threaten, coerce, discriminate against or take other retaliatory actions against any individual who exercises their right to complain, testifies, assists or participates in an investigation, or opposes any act or practice made unlawful by this

Department Efforts (for each item record Compliant: yes or no, and Findings/Recommendations)

- Department has a process for handling issues before they become complaints
- Staff know where to get complaint forms
- Documentation exists supporting Department efforts to resolve client issues
- Understanding of the individual's right to complain
- Understanding of the non-retaliation policy

Reminder: Please return all pages to the County Privacy Officer when complete. Please print legibly.

PF 35 revised 2/1/05