HIPAA Compliance Strategies

Privacy Recordkeeping: The Paper Trails You Need to Document Compliance

Reprinted from the June 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

This checklist was prepared by Donald E. Koenig, Jr., vice president for corporate responsibility for Catholic Healthcare Partners in Cincinnati. Recordkeeping requirements listed below are required under HIPAA unless they are designated with an "O," which means they are optional (recommended by Koenig). Please note that this checklist pertains only to HIPAA privacy requirements and does not address security, TCS or other HIPAA issues.

Preparatory Paper Trails (maintain for six years).

a. Appointment of key staff

• Privacy officer
• Privacy steering committee/work groups (O)

b. Risk assessments/gap analyses (O)
c. Action plans/accountabilities (O)
d. HIPAA-related policies/procedures
e. Business associates

• Those with BA agreements (BAs) completed by 4-14-03
• Those where BAAs will be completed by 4-14-04

f. Education and training

• All present work force trained by 4-14-03
• All new work force trained within a "reasonable" time of start date
• All work force affected by a material change in policies/procedures trained within "reasonable" time.

g. Complaint process

• Process, roles and responsibilities
• Log

h. Readiness audits or surveys (O)

Ongoing HIPAA Compliance Paper Trails (to begin to build on April 14, 2003; maintain for six years).

a. Staff appointments

• Privacy officer
• Contact person for information or complaints
• Person to receive/process PHI access/copy requests
• Person to receive/process PHI amendment requests
• Person to receive/process accounting requests
• Person to approve release of "de-identified" info
• Person(s) to approve the validity and completeness of documents prior to release of PHI

b. Covered entity designations

• Hybrid entities
• Affiliated covered entities
• OHCA (not required)

c. Education and training
d. Complaints

• "Log of every complaint and its disposition"

e. Sanctions applied to any violator
f. Administrative, technical and physical safeguards
g. Policies and procedures
h. Notice of privacy practices, and all revisions
i. Patient acknowledgements

• Copy of those received
• Document reasonable efforts for those not received

j. Authorizations
u Revocations of authorizations
k. PHI access

• Designated record set to which access will be granted
• Access request extension responses
• Denial of access requests

l. Agreements to restrict use or disclosure of PHI
u Termination or modifications of agreements
m. Requests to amend PHI
n. Response to extension notice for delay

• Acceptance of amendment request
• Denial of amendment request
• Accounting for disclosures of PHI
• Record entries of disclosures made that must be tracked and accounted for
• Delay in responding notice
• Copies of accountings provided

o. Written statements from law enforcement why an accounting of the disclosure to law enforcement would impede the agency's activities
p. Documentation to support disclosure of PHI where authorization was not required

• Verification of identity of requestor
• Satisfactory assurances from court or administrative tribunal for disclosures without a subpoena or order
• Research-related disclosures
• Public health reporting to an employer — notice to the individual

  q. Business associate agreements
  r. Data use agreements for limited data sets
  s. Compliance reviews/investigations by OCR

Advertise With AIS

Privacy

Site Map