HIPAA Audit Checklist: General Information

This document is a checklist for an audit of an organization's compliance with HIPAA Privacy and Security Rules. It requests documents related to general information, security policies and procedures, privacy policies and procedures, and the organization's breach notification process and risk assessment. The checklist covers areas such as the security management practices, risk assessments, access controls, encryption, training, complaints handling, and uses and disclosures of protected health information.

Uploaded by Subrata Patra
HIPAA AUDIT CHECKLIST

Columns of the original checklist: Checklist Category | Document Name/Description | Received (Y/N) | Document/File Name(s). The "Received (Y/N)" and "Document/File Name(s)" columns are blank in the original and are filled in as each document is received; the requested documents are listed below grouped by category.

General Information

General Information
  - Complete the enclosed "HIPAA Privacy and Security Performance Audit Survey"
  - Any previous audit reports, evaluations or assessments of HIPAA Privacy and Security Rules and Breach Notification Rule
  - Please confirm whether your organization uses or discloses PHI in:
      - Fundraising activities; or
      - Research activities

HIPAA Security

General Governance – HIPAA Security
  - Identify any applicable industry guidance (e.g., studies, practices, regulations, etc.) or other reference material used to develop any of the policies and procedures requested below (NO NEED TO PROVIDE THIS DOCUMENTATION – SIMPLY IDENTIFY)
  - Security Officer contact information (name, email, phone, address and admin contact info)

Administrative Safeguards
  - Entity-Level Risk Assessment
  - Risk assessments for systems that house ePHI
  - Risk Management Policy
  - Organizational Chart
  - Information Security Policies, specifically those documenting security management practices and processes, such as:
      - Access Control
      - Data Protection
      - Acceptable Use
      - Workstation Security
      - Workforce/HR Security
      - Sanction Procedures
  - Security Incident Management Plan
  - Business Continuity/Disaster Recovery Plan
  - Most recent Disaster Recovery Exercise Documentation
  - Data backup and recovery procedures

Physical Safeguards
  - Physical Security Policies and Procedures
  - Data Destruction and Media Reuse Procedure
  - List of role-based access: job level and level of PHI access needed for the function; log of employees based on their PHI access type

Technical Safeguards
  - Encryption Policies and Procedures
  - Management's internal control/internal audit policies and procedures related to monitoring IT safeguards
  - System-generated user access listing of all individuals with access to systems housing PHI
  - System-generated listing of all new hires within the past year
  - User Authentication Policies and Procedures

HIPAA Privacy

General Governance – HIPAA Privacy
  - Identify any applicable industry guidance (e.g., studies, practices, regulations, etc.) or other reference materials used to develop any of the policies and procedures requested below (NO NEED TO PROVIDE THIS DOCUMENTATION – SIMPLY IDENTIFY)
  - Compliance/Privacy Officer contact information (name, email, phone, address and admin contact info)

HIPAA Privacy
  - Privacy Policy(ies) and Notice of Privacy Practices
  - Privacy practices documentation including:
      - Use and disclosure
      - Right to request privacy information
      - Right to request privacy protection of PHI
      - Individual access to PHI
      - Denial of access to PHI procedures
      - Amendment of PHI
      - Accounting of disclosures of PHI
      - Administrative requirements
  - Training documentation of employees over privacy practices and organization training policy(ies)
  - Policies and procedures in place over administrative, technical and physical safeguards covering all forms of PHI
  - Complaints handling policies and procedures
  - Population of complaints over privacy practices made within the last year (complaint log)
  - Sanction and disciplinary policies and procedures over privacy violations
  - Mitigation and disciplinary policies and procedures when a breach occurs
  - Anti-intimidation/anti-retaliation policies and procedures
  - Policies and procedures over uses and disclosures of PHI, including:
      - Deceased individuals
      - Personal representatives
      - Confidential communication
      - Business associate contract requirements
      - Health plan documentation requirements
      - Treatment, payment, and/or operations
      - Consent and authorization requirements
      - Judicial or administrative proceeding requirements
      - Research requirements
      - Approval and waiver requirements
      - De-identification/Re-identification of PHI procedures
      - PHI procedures
      - Restriction of PHI
      - Minimum necessary requirements
      - Limited information provided for fundraising purposes
      - Health care underwriting
      - Identity verification procedures of individuals requesting PHI

HITECH Organizational Process-Based Capabilities

HITECH
  - Breach notification process, entity-level risk assessment documentation and capabilities
