
trasbapreecas1977's Ownd

HIPAA PHI audit tools

2022.01.19 01:59

This enables them to streamline workflows and allocate their resources more productively in a wide range of scenarios. The plan is also to identify best practices and to learn whether any new risks or vulnerabilities have come to light.


A HIPAA audit checklist is the ideal tool to identify any risks or vulnerabilities in your healthcare organization or associated business. You never know when the OCR may be paying you a visit! The covered entities selected for a compliance audit have now been notified by email.


In most cases, an organization selected for a desk audit will not be selected for a physical audit unless there is a lack of cooperation by the organization during the desk audit. This will depend on the current audit protocol. Prior to each round of audits, HHS releases a list of the areas of compliance it will be focusing on. Note: you must send only the documents requested. OCR auditors will not search through compendiums of policies to find those requested.


When using online forums, be careful not to divulge personally identifiable information (PII), and be conscious that some contributors offer their advice with the sole motive of directing you towards a specific product. If anybody asks you about a specific HIPAA compliance tool you are using at present, simply describe its function(s) rather than using a brand name. Sales-motivated contributors will use any information you provide them to drive you towards their product.


Both the checklist and the guide are independently compiled with no commercial motives, and contain links to sources of other information you may find of value. Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and business associates to provide the auditors their full cooperation and support.


For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry, factoring in the size, types and operations of potential auditees. Sampling criteria for auditee selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.


OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review. Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates.


This data will be used with other information to develop pools of potential auditees for the purpose of making audit subject selections. OCR will be asking covered entity auditees to identify their business associates. We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request. OCR will choose auditees through random sampling of the audit pool.


Selected auditees will then be notified of their participation. A sample template that entities may use to develop their list of business associates is available; use of this template is optional. If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. OCR plans to conduct desk and onsite audits for both covered entities and their business associates.


The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: (i) The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or (ii) The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.


How does the covered entity determine whether and how to make disclosures about victims of abuse, neglect, or domestic violence consistent with this standard? Obtain and review policies and procedures. When and in what instances will the individual be notified that a disclosure has been or will be made?


A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: (i) The health care system; (ii) Government benefit programs for which health information is relevant to beneficiary eligibility; (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.


For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to: (i) The receipt of health care; (ii) A claim for public benefits related to health; or (iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.


Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.


If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section. Is PHI used or disclosed for health oversight activities consistent with the established performance criterion? Obtain and review policies and procedures for using or disclosing PHI for health oversight activities.


Obtain a sample of disclosures made for this purpose and verify that the established performance criterion has been met. If so, is PHI used for health oversight activities conducted by the covered entity? If yes, obtain and review policies and procedures for using PHI for health oversight activities conducted by the covered entity and determine whether they are consistent with the requirements of the established performance criterion.


Obtain a sample of uses made for this purpose and verify that the established performance criterion has been met. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information. Do policies and procedures exist related to making disclosures in the course of any judicial or administrative proceeding to limit such disclosures to those permitted by the established performance criterion?


Obtain and review policies and procedures related to disclosures of PHI made pursuant to judicial and administrative proceedings. Obtain and review a sample of disclosures and the corresponding court orders, subpoenas, or discovery requests for judicial and administrative proceedings.


Elements to consider include, but are not limited to, whether the disclosure of PHI:
- Is in response to an order of a court or administrative tribunal
- Is in response to a subpoena, discovery request, or other lawful process.

Verify that disclosure of PHI in the course of any judicial or administrative proceeding is appropriate. Elements to consider should consist of the established performance criterion and include, but are not limited to:
- A court order requesting a response
- A subpoena.


A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable. A covered entity may disclose protected health information: (i) As required by law, including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or (ii) In compliance with and as limited by the relevant requirements of: (A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; (B) A grand jury subpoena; or (C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) The information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.


Have disclosures made by the covered entity for law enforcement purposes been consistent with the performance criterion? Obtain and review policies and procedures related to disclosures of PHI for law enforcement purposes against the established performance criterion.


Obtain and review a sample, as available, of disclosures and the corresponding court orders, subpoenas, discovery requests, etc. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that: (i) The covered entity may disclose only the following information: (A) Name and address; (B) Date and place of birth; (C) Social security number; (D) ABO blood type and Rh factor; (E) Type of injury; (F) Date and time of treatment; (G) Date and time of death, if applicable; and (H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.


Are disclosures made to law enforcement for identification and location purposes by the covered entity consistent with the limitations listed in the established performance criterion? Obtain and review policies and procedures related to disclosures of PHI to law enforcement officials for identification and location purposes.


Obtain and review a sample of responses to law enforcement officials' requests for PHI for identification and location purposes and assess whether the disclosures were consistent with the established performance criterion. Are policies and procedures consistent with the established performance criterion regarding the conditions in which the covered entity may disclose PHI of a possible victim of a crime in response to a law enforcement official's request?


Obtain and review policies and procedures related to such disclosures of PHI to law enforcement. If any, obtain and review a sample of responses to a law enforcement official's request to determine whether disclosure was made consistent with the established performance criterion. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.


Are policies and procedures in place to determine when it is permitted to disclose PHI to law enforcement about an individual who has died as a result of suspected criminal conduct? Obtain and review policies and procedures related to disclosures of PHI to law enforcement officials that address the requirement. Obtain and review documentation of such a disclosure, if available. Elements to consider include, but are not limited to, documentation of:
- Whether the entity exercised professional judgment
- Whether the entity believes in good faith that there was evidence of criminal conduct.


A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. Are policies and procedures in place to determine when it is permitted to disclose PHI about an individual who may have committed a crime on the premises? Determine whether policies and procedures related to disclosures of PHI to law enforcement officials address the established performance criterion.


Obtain and review a disclosure, if available. Elements to consider include, but are not limited to, documentation of:
- Whether the entity exercised professional judgment
- Whether the entity believes in good faith that there was evidence of criminal conduct that occurred on its premises.

Are policies and procedures in place to determine what information about a medical emergency is necessary to disclose to alert law enforcement? Obtain and review a sample of such disclosures.


Elements to consider include, but are not limited to, whether the disclosure:
- Indicates the commission and nature of the crime
- Includes the location of the crime or the victim(s) of the crime
- Includes the identity, description, and location of the perpetrator of the crime.

A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.


A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.


If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death. Are policies and procedures consistent with the established performance criterion for disclosing PHI to (1) a coroner or medical examiner; and (2) a funeral director?


Obtain and review policies and procedures related to disclosures of PHI to coroners and medical examiners and funeral directors. Elements to consider include, but are not limited to, whether the purpose of disclosure is:
- To identify a deceased person
- To determine the cause of death.


Information elements to consider include, but are not limited to, whether the information disclosed is limited to:
- Name of deceased person
- Cause of death
- Compliance with such law.

A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.


Obtain and review policies and procedures related to disclosures of PHI for purposes of cadaveric organ, eye, or tissue donation. Obtain and review a sample of disclosures of PHI to organ procurement organizations to determine whether such disclosures are consistent with the policies and procedures and the established performance criterion.


A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: (i) Board approval of a waiver of authorization. The covered entity obtains from the researcher representations that: (A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and (C) The protected health information for which use or access is sought is necessary for the research purposes.


The covered entity obtains from the researchers: (A) Representation that the use or disclosure sought is solely for research on the protected health information of decedents; (B) Documentation, at the request of the covered entity, of the death of such individuals; and (C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.


Does the covered entity use or disclose PHI for research purposes? For entities that conduct research using or disclosing PHI, obtain and review related policies and procedures. Elements to consider include, but are not limited to, how the entity:
- Obtains documentation that an alteration to a required authorization, or waiver of the authorization, has been approved by an IRB or appropriately configured privacy board
- Obtains from the researchers the required representations regarding reviews preparatory to research on decedents.


Elements to consider include, but are not limited to:
- Board approval of a waiver of authorization
- Whether the use or disclosure is solely to review PHI as necessary to prepare a research protocol
- Representation that the use or disclosure is solely for research on the PHI of decedents.


If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and (v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the institutional review board or the privacy board, as applicable.


Do policies and procedures exist to determine what documentation of approval or waiver is needed to permit a use or disclosure and to apply that determination? Obtain and review policies and procedures against established performance criterion.


Is the entity using or disclosing PHI consistent with requirements for documentation of a waiver approval? Verify that the documentation of any approval or waiver contains all the information necessary to permit a use or disclosure. Elements to consider include, but are not limited to:
- A statement identifying the IRB and the date on which the alteration or waiver of authorization was approved
- Whether the IRB determined that the alteration or waiver satisfied the criteria listed in the standard, including determination of no more than minimal risk to privacy, adequate plan to protect identifiers, adequate plan to destroy identifiers, etc.


A covered entity may use or disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: (A) Appropriate military command authorities; and (B) The purposes for which the protected health information may be used or disclosed.


A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs.


A covered entity may use or disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section.


Does the covered entity disclose PHI of individuals for military and veterans activities consistent with the established performance criterion? Obtain and review a list of uses and disclosures for military and veterans activities. Elements to consider are (1) whether the entity is a component of the DoD, HSA, or VA; and (2) whether the disclosure relates to:
- Armed Forces personnel
- Separated or discharged military service personnel
- A veteran
- Foreign military personnel.


Elements to consider include, but are not limited to:
- Whether the activities were deemed necessary by appropriate military command authorities
- Whether the purpose is to determine the individual's eligibility for or entitlement to benefits under laws.


A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act 50 U. How would the covered entity respond to a request for PHI from Federal officials for intelligence and other national security activities? Obtain and review policies and procedures related to disclosures of PHI for national security purposes. A covered entity may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.


How would the covered entity respond to a request for PHI from Federal officials for the provision of protective services or the conduct of certain investigations? Obtain and review policies and procedures related to disclosures of PHI for protective services. Is the covered entity a component of the Department of State? If yes, does the covered entity have policies and procedures consistent with the established performance criterion to use and disclose PHI for the purposes described in the established performance criterion?


Obtain and review such policies and procedures for consistency with the established performance criterion. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: (A) The provision of health care to such individuals; (B) The health and safety of such individual or other inmates; (C) The health and safety of the officers or employees of or others at the correctional institution; (D) The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; (E) Law enforcement on the premises of the correctional institution; or (F) The administration and maintenance of the safety, security, and good order of the correctional institution.


A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed. For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.


How does the covered entity determine whether to disclose PHI to a correctional institution or a law enforcement official with custody of an individual? Are policies and procedures in place to determine whether a use or disclosure of PHI to a correctional institution or law enforcement official is permitted? Obtain and review policies and procedures related to disclosures of PHI to correctional institutions or other law enforcement custodial situations for consistency with the established performance criterion.


Obtain and review a sample of documentation of disclosures to a correctional institution or law enforcement official; elements to consider include, but are not limited to, whether the disclosure is necessary for:
- The provision of health care to such individuals
- The health and safety of such individual or other inmates
- The health and safety of the officers or employees of or at the correctional institution
- The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another
- Law enforcement on the premises of the correctional institution
- The administration and maintenance of the safety, security, and good order of the correctional institution.


Is the covered entity a health plan that is a government program providing public benefits, or is it a government agency administering a government program providing public benefits?


If yes, obtain and review the policies and procedures. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. Are policies and procedures in place regarding disclosure of PHI for the purpose of workers' compensation that are consistent with the established performance criterion?


Obtain and review a sample of documentation of disclosures for the purpose of workers' compensation; elements to consider include, but are not limited to, whether the disclosure is authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.


A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: (1) The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
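The two conditions above (the code must not be derived from information about the individual, and the mapping must stay with the covered entity) are easy to get wrong in practice, so here is an added illustration in Python, written for this page and not part of the audit protocol or any HHS tooling. It contrasts a code hashed from the subject's SSN, which anyone who knows or can enumerate SSNs can recompute, with a random code whose only link to the subject is a table the covered entity keeps to itself; the record values, field names and class names are constructed for the example.

```python
"""Re-identification codes for de-identified records (added example).

Criterion (1): the code is not derived from or related to information
about the individual, so it cannot be translated back into an identity.
Criterion (2): the covered entity keeps the code-to-identity mapping and
never discloses the re-identification mechanism with the data set.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; every value is fictitious.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "ssn": "123-45-6789", "zip": "02139", "dx": "J45.909"},
    {"mrn": "MRN-0002", "ssn": "987-65-4321", "zip": "10001", "dx": "E11.9"},
]
IDENTIFIERS = ("mrn", "ssn")  # direct identifiers stripped before release


def derived_code(record):
    """NON-COMPLIANT design: a keyless hash of the SSN.

    Whoever holds (or can enumerate) SSNs can recompute this value, so the
    code is "capable of being translated so as to identify the individual".
    """
    return hashlib.sha256(record["ssn"].encode()).hexdigest()[:16]


def is_derivable(code, record):
    """Audit check: can the released code be reproduced from the record's
    own identifiers with a public transform? True means criterion (1) fails.
    """
    return hmac.compare_digest(code, derived_code(record))


@dataclass
class ReidentificationStore:
    """COMPLIANT design: random codes with no relationship to the subject,
    mapped back to identifiers only inside the covered entity's own store.
    """
    _code_to_identifiers: dict = field(default_factory=dict)

    def deidentify(self, records):
        """Return the releasable records; identifiers stay in self only."""
        released = []
        for rec in records:
            code = secrets.token_hex(16)                # random, not derived
            while code in self._code_to_identifiers:    # collision guard
                code = secrets.token_hex(16)
            self._code_to_identifiers[code] = {k: rec[k] for k in IDENTIFIERS}
            safe = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
            released.append({"reid_code": code, **safe})
        return released

    def reidentify(self, code):
        """Only the covered entity can do this; unknown codes raise KeyError."""
        return self._code_to_identifiers[code]


def release_is_clean(released):
    """Check that no direct identifier survived into the released set."""
    return all(k not in rec for rec in released for k in IDENTIFIERS)
```

The same random-code store also serves the minimum-necessary and limited-data-set checks later on this page, since the released records carry no direct identifiers.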


A covered entity may, but is not required to, de-identify PHI. Does the covered entity de-identify PHI consistent with the established performance criterion? Obtain and review policies and procedures to determine whether they comply with the established performance criterion. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.


Has the covered entity implemented policies and procedures consistent with the requirements of the established performance criterion to identify need for and limit use of PHI? Obtain and review policies and procedures for limiting access to PHI.


Obtain and review the access of a sample of workforce members with access to PHI for their corresponding job title and description to determine whether the access is consistent with the policies and procedures.


Are policies and procedures in place to limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure?


Obtain and review policies and procedures related to minimum necessary disclosures and evaluate the content relative to the established performance criterion. Obtain and review a sample of protocols for disclosures made on a routine and recurring basis and determine if such protocols limit the PHI to what is reasonably necessary to achieve the purpose of the disclosure, as required by (d)(3).


Are policies and procedures in place to limit the PHI requested by the entity being audited to the amount minimally necessary to achieve the purpose of the disclosure? Obtain and review policies and procedures related to minimum necessary requests and evaluate the content relative to the specified criteria.


For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.


Are policies and procedures in place to address uses, disclosures, or requests for an entire medical record? Obtain and review policies and procedures related to minimum necessary uses, disclosures, or requests for an entire medical record for consistency with the established performance criterion. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section.


A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.


A data use agreement between the covered entity and the limited data set recipient must: (A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; (B) Establish who is permitted to use or receive the limited data set; and (C) Provide that the limited data set recipient will: (1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; (2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; (3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; (4) Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and (5) Not identify the information or contact the individuals.


(A) A covered entity is not in compliance with the standards in paragraph (e) of this section if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (1) Discontinued disclosure of protected health information to the recipient; and (2) Reported the problem to the Secretary.


(B) A covered entity that is a limited data set recipient and violates a data use agreement will be in noncompliance with the standards, implementation specifications, and requirements of paragraph (e) of this section. Are data use agreements in place between the covered entity and its limited data set recipients, if any?


Obtain and review policies and procedures and evaluate the content in relation to the established performance criterion to determine if data use agreements are in place between the covered entity and its limited data set recipients. Obtain and review a sample data use agreement to determine if the agreements comply with the established performance criterion.


Obtain and review a sample limited data set to determine whether it complies with the established performance criterion. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.


Is the disclosure of PHI to a business associate or institutionally related foundation limited to the information set forth in the established performance criterion? Obtain and review policies and procedures and the notice of privacy practices and evaluate the content relative to the established performance criterion. Obtain and review a sample of communications for fundraising purposes to determine if each contains a clear and conspicuous opportunity to opt out of further fundraising communications or a reference to a mechanism for opting out.


Obtain and review documentation that the policies and procedures are conveyed to the workforce.