HIPAA Compliance Checklist for Business Associates

Documentation 

1. Risk Assessments need to be completed annually. 
   1. All gaps have been remediated. 
2. Review your policy and procedures every year for business or legal changes.  
   1. Document that all audit logs have been reviewed in the current year and gaps have been  remediated. 
      
      
3. Keep track of visitors to your physical site. 
   
   
4. Keep track of storage devices (Hard Drives, USB Flash Drives) that have been properly  destroyed. 
   
   
5. Log all viruses and malware attacks to The Guard’s Incident Manager. 
   
   
6. Confirm any new business associates have completed their technical audit and that you have a  signed BAA. 

Security 

1. Send quarterly security and procedure reminders to staff. 
   
   
2. Log out when leaving workstation, turn on alarm when leaving, etc. 
   
   
3. Update passwords to a minimum of eight (8) characters in length, using a special character and  capital letter. 
   
   
4. Restrict sequential, repetitive characters, context specific passwords, and commonly used passwords (i.e. 12345, aaaaaa, the name of the site, p@ssw0rd, and dictionary words).
   1. Make sure you are not sharing passwords.
      
      
5. Make sure you have encrypted email or a policy that no emails containing ePHI are to be sent. Restrict admin rights to any PHI software. 
   
   
6. Make sure your staff understands that breaches occur. If a breach occurs, please report it to the Privacy or Security Officer for resolution. 

Training 

1. Make sure all employees (new and existing) have completed their new hire, or  yearly HIPAA training.