This begs the question, what do we mean by a checklist, and more specifically in this context, a legal/compliance checklist? The short answer is that it is a way to “attack” a particular problem or issue. Checklists have been widely adopted across industries (e.g. aviation) and are now becoming quite acclaimed in the practice of medicine. This Checklist combines reusable solutions with analysis patterns, research, useful organizational techniques, and specific examples of successful approaches; it is a similar to having your own personal library, which can be tailored specifically for your experience and organization.
A checklist, from our perspective, is most useful when an organization is confronting a difficult problem that is either entirely new or for some reason has taken on additional complexity, or has never really been solved to a stakeholders’ satisfaction (e.g. the problem continues to be plagued with repeatable errors). This Checklist provides guidance on how to think through and solve a problem, based upon the experience of others, and provides a verification tool to be used repeatedly over time to ensure that important details are not missed in an evolving and complex regulatory environment. This Checklist is a kind of roadmap from a fellow traveler that has already crossed the same (or similar) terrain.
This Checklist is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense out of this new terrain. It is intended as a knowledge transfer vehicle to allow you to derive the HIPAA compliance solution that works best within your organization. This Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Privacy Rule, highlighting the policies, processes and tracking mechanisms required at a granular level.
are designed to rigorously walk your organization through the regulatory requirements contained within the specified subject matter domain. In addition to policy guidance (via our model policies) you will be provided process and tracking mechanism recommendations necessary to launch your initiative.
Ours Checklists are comprised of Checklist Items. In general, each Checklist Item contains the following: 1) a policy statement; 2) a definition of a process that underpins the policy; and 3) suggested tracking mechanism(s) to capture process results. Checklist items will be named using the following convention:
For example, “PR-UD-0001 Violation” is the name of a hypothetical checklist item. We have broken down the PR into the following three sub-segments: 1) Uses & Disclosure (“UD”); 2) the Patient’s Bill of Rights (“PBR”); and 3) the Administrative Requirements (“AR”). Progress on the Checklist directly correlates to progress on your Privacy Rule compliance initiative.
The word “policy” can be used in so many ways that it bears some exploration, especially regarding HIPAA regulatory compliance. We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i)(1) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that the standard above makes a distinction between policies versus procedures. In general, think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions regarding what an organization intends to do in order to meet its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of that intent.
A process is a repeatable series of steps that are accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS will required evidence of policies and processes. For example, the Privacy Rule in section 45 CFR §164.530 (b)(1) states the training requirement as follows:
Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
The requirement expressly states that the training must cover both your organization’s policies with respect to the Privacy Rule and your underlying processes. Notice that nothing in the standard indicates how the required training should be carried out. The training standard has a corresponding implementation specification that reads as follows:
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
Again, although the implementation specification speaks to when training is required and the fact that it must be documented, it does not prescribe how your training should be conducted. Your training process is the vehicle used to specify, with a degree of detail and rigor, how your training will be carried out (e.g. formal classroom training, audited video training, self help training, etc.).
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting regulatory requirements. Your HIPAA training policy indicates your compliance training intentions; your training process is how you go about fulfilling those intentions; and your tracking mechanism must capture the results of your training process (i.e. how well you did in meeting your intentions). HHS will likely want to see evidence of all three components, but if you cannot show process results, then your entire training initiative is likely to be suspect.
There are many compliance processes that require tracking (as discussed throughout this Checklist) including, but not limited to the following:
This “short list” of processes is not exhaustive but rather illustrative of the scope and magnitude of what needs to be tracked in order to move your organization along the compliance continuum toward full compliance.
How should your compliance processes be tracked? It is no longer reasonable to track compliance processes on paper (if it ever was). You are going to need a suitable Intranet, spreadsheets, and/or HIPAA compliance software in order to track and report effectively. We recommend the latter because it is the most economically viable option, even for small covered entities and business associates.