HIPAA Compliance Self-Certification Checklist
1. Organization Information
Organization Name:
Address:
Contact Person:
Title/Role:
Email:
Phone Number:
2. Policies and Procedures
Do you have written policies and procedures for HIPAA compliance?
Yes
No
Are these policies and procedures regularly reviewed and updated?
Yes
No
Date of the last review/update:
3. Training and Awareness
Do you provide HIPAA training to all employees?
Yes
No
Is this training conducted annually?
Yes
No
Date of the last training session:
4. Access Controls
Do you have access control policies to restrict access to PHI?
Yes
No
Are access levels assigned based on job roles and responsibilities?
Yes
No
Do you use unique user IDs and passwords for accessing ePHI?
Yes
No
Are multi-factor authentication methods implemented?
Yes
No
Do you maintain logs of access to ePHI?
Yes
No
Are these logs regularly reviewed for unauthorized access?
Yes
No
5. Data Protection
Is ePHI encrypted during transmission?
Yes
No
Is ePHI encrypted at rest?
Yes
No
Do you have a data backup plan for ePHI?
Yes
No
Are backups stored securely and tested regularly?
Yes
No
6. Physical Security
Are physical access controls in place to protect areas where ePHI is stored?
Yes
No
Are facilities monitored for unauthorized access?
Yes
No
Are portable devices containing ePHI secured against theft and loss?
Yes
No
Are policies in place for the secure disposal of devices containing ePHI?
Yes
No
7. Incident Response
Do you have an incident response plan for handling data breaches and security incidents?
Yes
No
Is this plan regularly tested and updated?
Yes
No
Do you have a process for reporting and documenting security incidents?
Yes
No
Are incidents reported to the relevant authorities as required by law?
Yes
No
8. Risk Management
Do you conduct regular risk assessments to identify and mitigate risks to PHI?
Yes
No
Date of the last risk assessment:
Do you implement risk mitigation strategies based on assessment findings?
Yes
No
Are these strategies reviewed and updated regularly?
Yes
No
9. Business Associate Agreements
Do you have Business Associate Agreements (BAAs) with all third-party vendors handling PHI?
Yes
No
Are these agreements reviewed and updated regularly?
Yes
No