Free HIPAA Checklist for Business Associates

June 5, 2014

One of the most popular parts of our website is the page where you can download a free HIPAA checklist. Business associates are only now getting acquainted with HIPAA, unlike covered entities, which have, at least in theory, been compliant for over a decade. Most of our new clients are business associates who are setting up a comprehensive privacy and security program that covers HIPAA compliance for the first time. One of the HIPAA requirements is to perform a periodic risk assessment, and we give our clients the policies, procedures, and forms needed to do a self-assessment. I have recently blogged about that process, so I won't go into great detail here other than to say that it is much more comprehensive than the checklist.

HHS does not require a particular format for your risk assessment, but the NIST guidelines (SP 800-30 Rev. 1, Guide for Conducting Risk Assessments) are the most widely accepted. You can download a copy at http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, but fair warning: it is a densely worded bureaucratic document. Another approach is to hire an outside consultant to do the risk assessment for you. We work with a firm called ACR2 Solutions, which uses scanning tools validated under NIST's Security Content Automation Protocol (SCAP) Validation Program to help assess your technical risks. From those scan results, combined with your answers to a set of questions, they generate a Gap Analysis report that shows you where you need to focus your risk mitigation efforts.

The question of how often you need to do a risk assessment is somewhat vague. The HIPAA Security Rule requires an accurate and thorough assessment but sets no fixed interval; HHS guidance is that you should reassess whenever there are significant changes in your business, such as a new software program, a new business service, or personnel turnover. As a practical minimum, plan on at least an annual risk assessment.

A big difference between a checklist and a risk assessment is that the checklist is really only for internal use, while a risk assessment becomes a document you can show to business partners, clients, or regulators to demonstrate that you are HIPAA compliant. It is becoming common practice for business partners to ask for copies of certain policies and procedures, along with a recent risk assessment, as proof of compliance.

So it is great to download our checklist and get a general picture of your level of HIPAA compliance, but a formal risk assessment needs to be done to help build a legal firewall around your company.
