
HITECH & HIPAA COMPLIANCE CHECKLIST

1) Structure administrative safeguards which:

a. Implement policies and procedures to prevent, detect, contain, and correct security
violations;
b. Identify the security official who is responsible for the development and implementation
of the policies and procedures required by the Security Rule;
c. Implement policies and procedures to ensure all members of its workforce have
appropriate access to electronic PHI, and to prevent those workforce members who do
not have access from obtaining access to electronic PHI;
d. Implement policies and procedures for authorizing access to electronic PHI consistent
with the applicable requirements of the Privacy Rule;
e. Implement a security awareness and training program for all members of its workforce
(including management);
f. Implement policies and procedures to address security incidents;
g. Establish (and implement as needed) policies and procedures for responding to an
emergency or other occurrence (for example, fire, vandalism, system failure, natural
disaster) that damages systems containing electronic PHI;
h. Perform a periodic technical and nontechnical evaluation, based initially upon the
standards implemented under this rule and subsequently in response to environmental
or operational changes affecting the security of electronic PHI, that establishes the extent to
which security policies and procedures meet the requirements of the Security Rule; and
i. Create a process for individuals to lodge complaints relating to the plan's privacy policy
and procedures, a system for handling such complaints, and recording their resolution.

2) Structure physical safeguards which:

a. Implement policies and procedures to limit physical access to its electronic information
systems and the facility or facilities in which they are housed, while ensuring properly
authorized access is allowed;
b. Implement policies and procedures specifying the proper functions to be performed, the
manner in which those functions are to be performed, and the physical attributes of the
surroundings of a specific workstation or class of workstation that can access electronic
PHI;

25900 W. Eleven Mile Road, Suite 210  Southfield  Michigan  48034-8203


PHONE 248.355.9600  FAX 248.355.3145
www.jsclarkagency.com
© J.S. Clark Agency, Inc. All rights reserved
c. Implement physical safeguards for all workstations with access to electronic PHI,
restricting access to authorized users; and
d. Implement policies and procedures governing the receipt and removal of hardware and
electronic media containing electronic PHI into and out of a facility, and the movement
of these items within the facility.

3) Structure technical safeguards which:

a. Implement technical policies and procedures for electronic information systems that
maintain electronic PHI to allow access only to those persons or software programs that
have been granted access rights;
b. Implement hardware, software, and/or procedural mechanisms to record and examine
activity in information systems that contain or use electronic PHI;
c. Implement policies and procedures to protect electronic PHI from improper alteration or
destruction;
d. Implement procedures to verify that a person or entity seeking access to electronic PHI is
the one claimed; and
e. Implement technical security measures to guard against unauthorized access to
electronic PHI being transmitted over an electronic communications network.

4) Document how PHI is used in each business process – both paper and electronic:

a. Is staff trained in the secure handling of paper and electronic health records?
b. Do policies and procedures provide employees with adequate and up-to-date guidance?
c. Is the technology secure, and has a vulnerability assessment of the network been performed?

5) Update Notice of Privacy Practices

6) Mitigate, to the extent possible, any harmful effect known to the plan resulting from an
improper use or disclosure of PHI.
