HIPAA Compliance Checklist

Policies and Procedures Needed for HIPAA Compliance

The following is a checklist of the resources needed (and policies and procedures that should be put in place) to ensure compliance with HIPAA regulations once you have determined you are a HIPAA-covered entity:

  1. SUNY Business Associate Agreement (as released by Counsel’s Office in August of 2013)
    The SUNY Office of General Counsel each year releases a template of the approved Business Associate Agreement.
    The 2013 SUNY Business Associate Agreement Template is available here.
  2. SUNY Risk Assessment Tool (For Suspected Breaches) - No longer the standard with the issuance of the 2013 HIPAA Omnibus Rule
    This tool helped SUNY HIPAA-covered entities determine IF a breach had occurred PRIOR to the Final 2013 HIPAA Omnibus Rule. After the passage of the 2013 HIPAA Omnibus Rule, the final rule on Breach Notification replaced the previous breach notification rule's "harm" threshold (which was reflected in the Risk Assessment tool) with a more objective standard. The final rule says a risk assessment for determining the probability that PHI was compromised should consider at least four factors:
    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the protected health information or to whom the disclosure was made;
    3. Whether the protected health information was actually acquired or viewed; and
    4. The extent to which the risk to the protected health information has been mitigated.
    In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." To explain why the harm standard was replaced, HHS explains: "We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
  3. Summary of the HIPAA Privacy Rule from the U.S. Department of Health and Human Services website
  4. Summary of the HIPAA Security Rule from the U.S. Department of Health and Human Services website
  5. HITECH Enforcement Rule from the U.S. Department of Health and Human Services website. Also see below for more information on HITECH and its implications.
  6. HIPAA Enforcement from the U.S. Department of Health and Human Services website
  7. Business Associates: The Office of Civil Rights also reminded organizations that Business Associates are going to be subject to breach notification once the HIPAA rules finalize this summer; previously only HIPAA covered entities were subject to breach notification. This change came about with the passage of the HITECH Act of 2009. The government has issued information on the Breach Notification Rule, a part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information; information is available from the U.S. Department of Health and Human Services website.
  8. Standard Policies and Procedures you see at HIPAA covered entities:
    1. Information Access and Security
    2. Media Controls
    3. Systems and Network Security
    4. Notice of Privacy Practices
    5. Right to Request Access and Amendment to Designated Record Set
    6. Accounting for Disclosures
    7. Request Restrictions or Confidential Communications
    8. Reporting Incidents Involving the Security or Privacy of Protected Health Information; Breach Notification
    9. Reporting Protected Health Information (PHI) Compliance Issues
    10. Authorization Requirements for Use and Disclosure of Protected Health Information, Including Verification of Identification
    11. Use and Disclosure of Protected Health Information for Research Purposes
    12. Disclosure of PHI to Business Associates
    13. Uses and Disclosures of PHI for Marketing
    14. Uses and Disclosures of PHI for Fundraising
    15. Transmission and Receipt of Protected Health Information via Fax
    16. Minimum Necessary Uses, Disclosures, and Requests
    17. Personal Representatives
    18. Use and Disclosure of De-Identified Information and of Limited Data Sets
    19. Electronic Protected Health Information (ePHI) Security Compliance: HIPAA Security Anchor Policy
    20. Physical Security Policy
    21. Electronic Communication of Health Related Information
    22. Information System Activity Review
    23. IT Security Incident Response Policy
  9. OCR Audit Protocol Recommendations from the U.S. Department of Health and Human Services website
    • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
    • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
    • The protocol covers requirements for the Breach Notification Rule.

HITECH Enforcement Rule

The American Recovery and Reinvestment Act (ARRA) and HIPAA (Source:  Yale University)

The American Recovery and Reinvestment Act of 2009 includes legislation known as the Health Information Technology for Economic and Clinical Health (HITECH) Act which promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs. Congress recognized the increased risk to the privacy and security of protected health information (PHI) with widespread adoption of EHRs and amended the HIPAA requirements to mitigate these risks. Some key changes are outlined below:

Effective February 17, 2009

Effective September 23, 2009

Effective February 17, 2010

Phased in beginning 1/1/2011


The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials. For legal advice, consult your lawyer.