Dr. Michael J. Welch

©2002-2011 Michael J. Welch, Ph.D.

HIPAA Compliance Assessment Tool

INSTRUCTIONS

This assessment tool is designed for small physicians' offices. The questions are all written in plain language and are easy to answer. The correct answer for each question is yes, so to measure compliance, count up the yes answers and divide the count by 0.70 (that is, express it as a percentage of the 70 questions) to get the percentage "in compliance."

There is no exact answer to the question, "Is this entity in compliance?" It depends on what kind and size of entity it is, what policies are in place, what business associations the entity has, and so forth. The figure you get from this assessment tool is, however, a good rough idea of the entity's level of compliance, at least for small physician's offices.

    ASSESSMENT

  • Has your organization undergone a Risk Assessment by a qualified person?

    CONSENT

  • Are your patients signing a HIPAA compliant authorization form?
  • Do you treat patients only with a signed authorization?
  • Do you document and retain all signed authorizations?
  • Do you provide the individual with a copy of the signed authorization?
  • Do you provide your patients with a list of persons responsible for receiving requests for amendments to protected health information?
  • Do you provide a list of "designated record sets" for your patients upon request?

    PRIVACY NOTICE

  • Are you giving your patients a Privacy Notice (or Notice of Privacy Practices)?
  • Are your patients signing a receipt for the Privacy Notice?
  • Are you putting the signed receipt in the patient's file?
  • Do you provide your patients with the name and address of the person in your organization to whom complaints may be directed?
  • Do you provide your patients with the address of the DHHS for filing complaints?
  • If you have a web site, is the Privacy Notice available there?
  • Do you have copies of the Privacy Notice in your waiting room?
  • Do you have a trained person designated as the Privacy Officer in your organization?
  • Is the name and title of the Privacy Officer documented in your policies and procedures?

    BUSINESS ASSOCIATES

  • Have you obtained signed HIPAA compliant business associate agreements with all business associates?
  • Have you obtained satisfactory assurance that the business associate will appropriately safeguard the information?
  • Do you have a policy in place to sanction business associates who wrongfully disclose information?

    OTHER COVERED ENTITIES

  • Do you follow the minimum necessary rule when giving out protected health information to other covered entities?

    DEIDENTIFICATION

  • Is protected health information deidentified before using it in research?

    DECEASED INDIVIDUALS

  • Do you protect deceased individuals' protected health information?

    UNEMANCIPATED MINORS

  • Do you treat unemancipated minors on the minor's own authorization, without an authorization from a parent, guardian, or other person acting in loco parentis?

    DISCLOSURE OF PHI

  • Do you disclose only name and address; date and place of birth; social security number; ABO blood type and Rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos to law enforcement officers?
  • Do you have written policies that define the types of disclosures and requirements for making those disclosures?
  • Are the written policies easily available to all employees?
  • If you disclose to authorized agencies and authorities, do you keep a detailed record of the disclosure in the patient's file?
  • Do you deny requests for entire medical records, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the disclosure?
  • When you receive an oral request for disclosure, do you document it?
  • Do you provide individual access to protected health information, with at least one copy per year for free?
  • Do you require individual access requests to be in writing, and do you document oral requests?
  • Are all computer accesses to data sets logged in accordance with HIPAA requirements?
  • Are all accesses to paper files logged according to HIPAA requirements?
  • Are all records maintained for a minimum of six years (beginning April 14, 2003)?

    TRAINING

  • Has each person in your organization, including physicians, been trained in HIPAA policies and procedures?
  • Has each person's performance been measured through summative evaluations?
  • Has each person's training been documented?

    POLICIES AND PROCEDURES

  • Do you maintain Policies and Procedures in either written or electronic form?
  • Have policies been developed to minimize unintended and incidental disclosures?

    COMPUTER SYSTEMS

  • Do you document every attempted intrusion and what action was taken as a result?
  • Do you provide for sanctions when employees violate security rules?
  • Are all users authenticated?
  • Do all users have individual logons with strong passwords?
  • Is role-based information access implemented and in operation?
  • Is the role-based access documented?
  • Is your computer equipment secured when not in use (at night, for example)?
  • If you use a network, is any network server in a locked and protected area?

    SAFEGUARDS

  • Has all equipment been tagged and inventoried?
  • Have procedures been developed to prevent protected health information from leaving the premises?
  • Has the physical security of the hardware been documented?
  • Are controls in place and documented to protect backup media?
  • Has a disaster recovery plan been developed and documented?
  • Has computer security been documented?
  • Have policies been developed for workstation use?
  • If the system is connected to the Internet, are firewalls installed?
  • Have Windows machines been upgraded to the latest version of Windows?
  • Have all available patches been installed?
  • Are recordable CDs and removable disks (other than floppies) only available on protected machines?
  • Has anti-virus software been installed on Windows machines?
  • Are automatic logoffs implemented on all machines?
  • Have all guest logons been removed from all equipment?
  • Is protected health information sent by e-mail encrypted?

    ADMINISTRATIVE SIMPLIFICATION (BILLING SOFTWARE)

  • Does the software retain all original code sets for up to the maximum time protected health information is stored? (Minimum six years.)
  • Does the software implement role-based access?
  • Does each workforce member have his/her own logon and set his/her own password?
  • Have all common logons/passwords such as logon "frontdesk", password "frontdesk" been removed from the system?
  • Does the software keep a log of all accesses to protected health information?
  • Does the software comply with the ASC X12N version 4010 electronic transaction standards?
  • Is the software CMS certified (by Palmetto GBA in California)?

    HUMAN RESOURCES

  • Is role-based access policy a part of job descriptions?
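The computer-systems and billing-software items above (individual logons with non-trivial passwords, removal of shared logons such as "frontdesk"/"frontdesk", role-based access, and a log of every access to protected health information) are easier to evaluate against a concrete implementation. The following is an added example written for this page, not code from the original assessment tool or from any billing product. The roles, record sections, user names, password policy and patient data are all constructed assumptions; PBKDF2 password hashing and an in-memory append-only log stand in for whatever a real product would use.

```python
import datetime as dt
import hashlib
import hmac
import os
from collections import namedtuple

# Role -> sections of the designated record set that role may read.
# Roles and section names are assumed for this example.
ROLE_PERMISSIONS = {
    "physician": {"chart", "demographics", "billing"},
    "nurse": {"chart", "demographics"},
    "front_desk": {"demographics", "billing"},
}
# Generic names that mark a shared logon (the "frontdesk"/"frontdesk" pattern
# the checklist asks to remove). Assumed list for this example.
SHARED_LOGON_NAMES = {"frontdesk", "nurse", "doctor", "admin", "guest", "office"}
PBKDF2_ITERATIONS = 200_000

User = namedtuple("User", "username role salt pw_hash")
AuditEntry = namedtuple("AuditEntry", "timestamp username patient_id action outcome")


class PHIStore:
    """Patient records keyed by patient id; every read goes through read()."""

    def __init__(self, records):
        self._records = records  # {patient_id: {section: text}}
        self._users = {}
        self.audit_log = []      # append-only trail of every access attempt

    def _log(self, username, patient_id, action, outcome):
        stamp = dt.datetime.now(dt.timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(stamp, username, patient_id, action, outcome))

    def add_user(self, username, role, password):
        """Create an individual logon; shared names, unknown roles and short
        or username-derived passwords are refused."""
        if username.lower() in SHARED_LOGON_NAMES:
            raise ValueError(f"{username!r} is a shared logon, not an individual one")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if len(password) < 12 or username.lower() in password.lower():
            raise ValueError("password too short or derived from the username")
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = User(username, role, salt, pw_hash)

    def login(self, username, password):
        """Authenticate a user; failed attempts are logged as well."""
        user = self._users.get(username)
        if user is not None:
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(candidate, user.pw_hash):
                self._log(username, "-", "login", "OK")
                return user
        self._log(username, "-", "login", "DENIED")
        return None

    def read(self, user, patient_id, section):
        """Return one section of a record if the user's role permits it. The
        attempt is logged before it is enforced, so denials leave a trail."""
        allowed = section in ROLE_PERMISSIONS[user.role] and patient_id in self._records
        self._log(user.username, patient_id, f"read:{section}", "OK" if allowed else "DENIED")
        if not allowed:
            raise PermissionError(f"{user.username} ({user.role}) may not read {section} of {patient_id}")
        return self._records[patient_id][section]

    def denied_attempts(self):
        """Entries to review under 'document every attempted intrusion'."""
        return [e for e in self.audit_log if e.outcome == "DENIED"]


def account_creation_rejected(store, username, role, password):
    """True if add_user refuses the account (shared name, bad role or weak password)."""
    try:
        store.add_user(username, role, password)
    except ValueError:
        return True
    return False


def demo():
    """Walk through the checklist items on constructed data; none of it is real PHI."""
    store = PHIStore({"P001": {"demographics": "Jane Doe, 1970-01-01",
                               "chart": "Type 2 diabetes, metformin",
                               "billing": "CPT 99213, 2011-03-04"}})
    store.add_user("mwelch", "physician", "correct horse battery staple")
    store.add_user("asmith", "front_desk", "reception-desk-2011!")
    doctor = store.login("mwelch", "correct horse battery staple")
    desk = store.login("asmith", "reception-desk-2011!")
    store.login("asmith", "wrong password")       # logged as DENIED
    chart = store.read(doctor, "P001", "chart")   # physician may read the chart
    store.read(desk, "P001", "demographics")      # front desk may read demographics
    try:
        store.read(desk, "P001", "chart")         # front desk may not: logged as DENIED
    except PermissionError:
        pass
    return store, chart
```

Calling demo() leaves six entries in store.audit_log, two of them DENIED (the bad password and the front-desk attempt on the chart); those two are what the "attempted intrusion" item asks you to review. The point of logging before enforcing in read() is that a denied attempt is still evidence, and the shared-name check in add_user is what turns the "frontdesk"/"frontdesk" question from a policy statement into something the system refuses.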

Compliance date for the Privacy Rule was April 14, 2003.