HIPAA Compliance Questionnaire:
Are You Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) established a set of rules and regulations for the healthcare industry. Any individual or organization that has access to protected health information (PHI) must adhere to the standards set forth by the HIPAA rules. PHI is any confidential identifying information, such as patients' names, addresses, Social Security numbers, email addresses, etc.

Covered entities (CEs) as well as business associates (BAs) must be HIPAA compliant under the law, and are thus held accountable for any data breach that may occur. HIPAA requires that administrative, physical, and technical safeguards be in place to protect the PHI an organization handles. However, the law is vague about the specifics, so a HIPAA compliance questionnaire can be helpful in determining whether or not you are compliant.

You can use the following as your HIPAA compliance questionnaire to determine your compliance:

Security Policies and Procedures

HIPAA law requires that you have policies and procedures in place to address security violations.

  • Have you completed a risk analysis?
  • Do you have an individual responsible for checking security logs, records, and reports?
  • Do you have a written security policy with a designated security official responsible for password management?
  • Were your employees trained on what to do in the event of a security violation?
  • Do your employees know the repercussions of security violations?
  • Are employees held accountable with internal penalties in the event of a security violation?
  • Do you have a way to document, address, and track security incidents?

Access Management

As part of the law, there are specific rules as to how PHI should be handled. You must restrict the access of PHI to only those who need access as part of their job.

  • Do you have a system in place to determine the validity of access to PHI?
  • Do you have a process supervising or authorizing access to PHI?
  • When an employee quits or is terminated, do you block their PHI access?

Security Awareness Training

Security awareness training must be conducted annually for all of your employees. This training instills the responsibility that all employees have in maintaining the security of your organization.

  • Are your employees aware of the importance of password, software, and IT security?
  • Do you have a system in place for protecting, managing, and monitoring passwords?
  • Do you monitor and review login attempts for discrepancies?
  • Are your employees trained on how to recognize and report malicious software?
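The two questions above about monitoring passwords and reviewing login attempts, together with the earlier question about blocking access when an employee leaves, are things a script can check for you on a schedule. The following is an added example, not code from the original article: it reviews a constructed set of authentication events for three kinds of discrepancy (a burst of failed logins, a successful login by an account that should have been disabled at termination, and logins outside business hours). The log format, the terminated-user list, the thresholds and the business-hours range are all assumptions chosen for illustration; adapt them to your own authentication logs and HR records.

```python
"""Review authentication events for discrepancies (added example).

Assumed log format, one event per line: ISO timestamp, username,
outcome (SUCCESS or FAIL), source IP. The sample data below is
constructed for the example and is not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a failed-login burst for jsmith, a login by a
# terminated account (rpatel), and two after-hours logins.
SAMPLE_LOG = """\
2024-03-04T08:59:10 jsmith FAIL 10.0.0.15
2024-03-04T08:59:14 jsmith FAIL 10.0.0.15
2024-03-04T08:59:19 jsmith FAIL 10.0.0.15
2024-03-04T08:59:23 jsmith FAIL 10.0.0.15
2024-03-04T08:59:30 jsmith FAIL 10.0.0.15
2024-03-04T09:00:02 jsmith SUCCESS 10.0.0.15
2024-03-04T09:05:44 mlee SUCCESS 10.0.0.22
2024-03-04T22:41:09 rpatel SUCCESS 203.0.113.9
2024-03-04T23:10:00 mlee SUCCESS 10.0.0.22
"""

# Assumed: accounts that HR reports as terminated and that should no
# longer be able to log in at all.
TERMINATED_USERS = {"rpatel"}

# Assumed review thresholds.
FAIL_THRESHOLD = 5                  # failures within FAIL_WINDOW -> alert
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 local time


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, outcome, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "outcome": outcome, "ip": ip}


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_logins(events):
    """Return (finding_type, user, timestamp) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent FAILs

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]

        if ev["outcome"] == "FAIL":
            # Keep only failures that fall inside the sliding window.
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            # Alert once, when the threshold is first reached.
            if len(window) == FAIL_THRESHOLD:
                findings.append(("failed-login-burst", user, ts))

        elif ev["outcome"] == "SUCCESS":
            # A successful login by a terminated account means the
            # access-removal step in the questionnaire was missed.
            if user in TERMINATED_USERS:
                findings.append(("terminated-account-login", user, ts))
            # Logins outside business hours are worth a human look.
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after-hours-login", user, ts))

    return findings


if __name__ == "__main__":
    for kind, user, ts in review_logins(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:<26} {user}")
```

Run against the constructed sample, the review reports the five-failure burst for jsmith, the login by the terminated rpatel account, and the two after-hours logins; each finding is something the person responsible for checking security logs (the first section's question) should document and track as an incident or close out with a recorded explanation.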

Emergency Planning

In the event of a disaster, you must have a plan in place for the use and protection of PHI.

  • Do you have tested plans for an emergency?
  • Can PHI be recovered or restored?
  • Can copies of PHI be retrieved or made?
  • Can critical business functions related to PHI be completed?
  • Are there proper safeguards in place to protect your PHI?

Business Associate Agreements

Business associate agreements (BAAs) are an integral part of protecting your organization in the event of a breach. A BAA defines each party's obligations so that, if a breach occurs, the responsible party is the one held liable. To be effective, a BAA must be executed before any PHI is transmitted.

Physical Protection and Technology

Lastly, physical protection in this case refers to access to the equipment and facilities containing PHI. Such access should be limited to authorized employees only. Depending on the facility, multi-factor authentication (MFA) may be your best option to protect your data. MFA requires users to prove their identity in more than one way, such as a password in combination with a fingerprint scan or a one-time code sent to their phone. Another available option is a single sign-on (SSO) solution, in which a user authenticates once and that single credential grants access to multiple applications, so that access can be managed and revoked in one place.

Need Help?

Do you have concerns about your HIPAA compliance? Take our free quiz to find out where your organization stands. We have also developed a HIPAA compliance questionnaire for our clients to send to their BAs to verify the protection of PHI.