
HIPAA Compliance Checklist

Schools and Education

Health Insurance Portability and Accountability Act (HIPAA)


The control assessment results provide organizational officials with: 

  • Evidence about the effectiveness of implemented controls
  • An indication of the quality of the risk management processes employed within the organization
  • Information about the strengths and weaknesses of the information systems that support organizational missions and business functions in a global environment of sophisticated and changing threats.

Security Risk Assessment

Performance measures are especially useful for federal managers who must meet regulatory, financial, and organizational requirements for their information security practices. Performance measurement programs help federal agencies operate more securely and more efficiently. Information security measurements can provide quantifiable data for assessing individual information systems, as well as enterprise-wide information security programs. Performance measurements help agencies apply the risk management approach to information security, the process for identifying the risks to information and information systems, assessing the risks, and taking steps to reduce risks to an acceptable level. Performance measurements also support the security certification and accreditation process.

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

  • Define an ISCM strategy
  • Establish an ISCM program
  • Implement an ISCM program
  • Analyze data and report findings
  • Respond to findings
  • Review and update the ISCM strategy and program

Privacy Assessment

Privacy assessments are conducted by senior agency officials for privacy, privacy officers, and privacy staff in the early life cycle phases as well. Privacy assessments include reviews to ensure that applicable privacy laws and policies are adhered to and that privacy protections are embedded in the system design. Privacy assessments are also conducted to ensure adherence to organizational retention schedules.

A privacy assessment is designed to accomplish three goals:

  • Ensure conformance with applicable legal, regulatory, and policy requirements for privacy
  • Determine the privacy risks and their effects
  • Evaluate protections and alternative processes to mitigate potential privacy risks

Security-related and privacy-related weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle.

Administrative Assessment

  • Identify all information systems that house ePHI (electronic protected health information)
  • Include all hardware and software that are used to collect, store, process, or transmit ePHI
  • Analyze business functions and verify ownership and control of information system elements as necessary
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity
  • Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information.

Considerations for their selection should include the following:

  1. Applicability of the IT solution to the intended environment
  2. The sensitivity of the data
  3. The organization’s security policies, procedures, and standards
  4. Other requirements such as resources available for operation, maintenance, and training

  • Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks
  • Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices
  • Create procedures to be followed to accomplish particular security-related tasks
  • Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
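The last item above asks for a recurring review of audit logs and access reports. As an added example that is not part of the Bamzooka template, the following Python script shows one way such a review can be automated: it parses an ePHI access log, flags events that merit follow-up (access by a role not on the authorized list, access outside business hours, bulk record exports, and one user touching an unusually large number of patient records in a day), and produces a per-reason summary that can be filed as the review record. The pipe-delimited log format, the field names, the authorized-role list, the business-hours window, the bulk threshold and the log lines themselves are all constructed assumptions for illustration, not a HIPAA requirement or a real system's format.

```python
"""Recurring ePHI audit-log review (added example; format and thresholds are assumptions)."""
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample access log. Assumed format, one event per line:
#   ISO-8601 timestamp | user id | role | action | patient id
SAMPLE_LOG = """
2024-03-04T09:12:01|jsmith|nurse|VIEW|P1001
2024-03-04T09:15:44|jsmith|nurse|VIEW|P1002
2024-03-04T22:47:10|bjones|billing|EXPORT|P1003
2024-03-04T10:02:30|tlee|contractor|VIEW|P1001
2024-03-04T10:05:00|jsmith|nurse|VIEW|P1003
2024-03-04T10:05:10|jsmith|nurse|VIEW|P1004
2024-03-04T10:05:20|jsmith|nurse|VIEW|P1005
2024-03-05T08:30:00|bjones|billing|VIEW|P1001
"""

# Review policy (assumed values chosen for the example; a real program takes
# these from the organization's own policies and procedures).
AUTHORIZED_ROLES = {"nurse", "physician", "billing"}
BUSINESS_HOURS = range(7, 19)   # 07:00 through 18:59
BULK_THRESHOLD = 5              # distinct patients per user per day

Finding = namedtuple("Finding", "reason user detail")


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return events


def review(events):
    """Apply the review rules and return the findings in the order detected.

    Per-event rules are checked first; the per-user daily volume rule is
    evaluated after all events have been seen.
    """
    findings = []
    patients_per_user_day = defaultdict(set)

    for e in events:
        if e["role"] not in AUTHORIZED_ROLES:
            findings.append(Finding("unauthorized_role", e["user"],
                                    f'role {e["role"]} accessed {e["patient"]}'))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(Finding("after_hours", e["user"],
                                    f'{e["action"]} of {e["patient"]} at {e["ts"].isoformat()}'))
        if e["action"] == "EXPORT":
            findings.append(Finding("export", e["user"],
                                    f'exported {e["patient"]}'))
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])

    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(Finding("bulk_access", user,
                                    f"{len(patients)} distinct patients on {day.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per reason; this is the figure that goes in the review report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.reason] += 1
    return dict(counts)


def review_log(text):
    """Convenience entry point: parse, review and summarize in one call."""
    findings = review(parse_log(text))
    return findings, summarize(findings)


if __name__ == "__main__":
    found, report = review_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:18} {f.user:8} {f.detail}")
    print("summary:", report)
```

The rules deliberately err toward producing a short list of items for a human reviewer to close out, since the checklist item is about reviewing records, not about blocking access; keeping the output of each run (the findings plus who reviewed them and when) is what later lets the organization demonstrate that the review procedure was actually followed.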

Have you conducted the following Audits/Assessments?

  • Security Risk Assessment
  • Privacy Assessment
  • Administrative Assessment

Policies and Procedures

Do you have Policies and Procedures relevant to the HIPAA Privacy, Security, and Breach Notification Rules?

  • Security Risk Assessment
  • Privacy Assessment
  • Administrative Assessment

Have all staff members undergone basic HIPAA training?

  • Check the box if you have documentation of their training
  • Check

Have you identified all Business Associates?

  • Check this box if you have Business Associate Agreements in place with all Business Associates
  • Check this box if you have audited your Business Associates to ensure that they are HIPAA compliant
  • Check this box if you have reporting to prove your due diligence

Do you have a management process in the event of incidents or breaches?

  • Check this box if you have the ability to track and manage the investigations of all incidents
  • Check this box if you are able to demonstrate that you have investigated each incident
  • Check this box if you are able to provide reporting of minor or meaningful breaches or incidents
  • Check this box if your staff members have the ability to anonymously report an incident