HIPAA Implementation Toolkit


Topics: Electronic Medical Records Strategy, Information Technology, Privacy and Security, Standards and Regulatory Policy, Practice Management, Physician Issues

The HITECH Act of 2009 drives hospitals and physicians to adopt EHRs in care delivery and at the same time strengthens the HIPAA regulations that protect the patient data stored in these systems, notably by introducing breach notification requirements and by extending HIPAA's privacy and security obligations directly to business associates. Despite these strengthened laws, the number and variety of threats to patient data has grown dramatically, and the number of reported breaches continues to rise. Most hospitals, however, focus on complying with HIPAA requirements or on taking action after a breach has occurred, rather than prioritizing risk mitigation through appropriate breach prevention efforts.

Recognizing the reputational, financial, and audit implications of a breach for hospitals, and the limited resources available to prevent damaging breaches, IT Strategy Council offers a three-part webconference series to help members take a risk management approach to privacy and security. This toolkit supports implementation of the best practices highlighted in the webconferences, helping hospitals identify their greatest vulnerabilities; prioritize risk mitigation; and strengthen training practices, breach identification, response planning, and patient notification. An archived webconference providing an overview of these tools is also available.


Threat Identification Tool

This two-part diagnostic is designed to help privacy and security officers develop a comprehensive list of the vulnerabilities and threats that could result in breaches of sensitive data, including both protected health information (PHI) and personally identifiable information (PII). Identifying these vulnerabilities is critical to targeting the controls and solutions that minimize breach risk, and it is also the first step of the risk analysis the HIPAA Security Rule requires of every covered entity (45 CFR 164.308(a)(1)(ii)(A)). The list should cover people and process weaknesses (lost or stolen devices, misdirected faxes and mailings, improper disposal, insider snooping) as well as technical ones; historically, the former account for a large share of reported breaches.

Download Excel tool Threat Identification Tool

Threat Scoring Grid

This two-part scoring tool is designed to help executives weigh the relative risk of current threats to the privacy and security of sensitive data, both protected health information (PHI) and personally identifiable information (PII), at their organization. Each threat is scored for its likelihood of occurrence and its potential impact on the organization; the two scores are then combined and weighted to place greater emphasis on high-probability, high-impact events, so that executives can direct limited privacy and security resources to the areas of greatest risk. The scores should be revisited whenever a control is added or a new system or vendor is introduced, since both change the likelihood side of the calculation.

Download Excel tool Threat Scoring Grid

Download PDF Sample Threat Scoring Grid

Business Associate Identification Worksheet

This Business Associate Identification Worksheet is intended to help department leadership and the Privacy Officer determine whether an entity that provides services to the healthcare organization is a Business Associate for purposes of HIPAA compliance, that is, whether it creates, receives, maintains, or transmits PHI on the organization's behalf. Because vendors are often engaged at the department level without the Privacy Officer's knowledge, the worksheet is most effective when it is built into the procurement and contracting process rather than applied retrospectively.

Download Excel tool Business Associate Decision Tree

Business Associate Agreement Checklist

This tool provides Privacy and Security Officers with a checklist of contractual clauses that should be considered for inclusion in the Business Associate Agreement (BAA). Working through the questions in this checklist helps ensure that no critical requirements, such as permitted uses and disclosures, safeguards, breach reporting timelines, subcontractor flow-down, and return or destruction of PHI at termination, have been overlooked while drafting the BAA. That said, every BAA should be reviewed and tailored by legal counsel to incorporate local or state requirements and to reflect the organization's risk tolerance and its expectations of Business Associates (BAs) with regard to the handling of sensitive information.

Download PDF Business Associate Agreement Checklist

Customized Staff Training Toolkit

This two-part HIPAA Training Toolkit is intended to help HIPAA training professionals design an effective HIPAA training curriculum for executives and staff across the healthcare organization. Part 1, the Training Plan Customization Guide, provides key considerations for tailoring the curriculum to the needs of different types of staff, since a registration clerk, a nurse, and a database administrator face different day-to-day privacy and security decisions. Part 2, the HIPAA 101 Starter Set, provides an initial set of PowerPoint slides that HIPAA trainers can incorporate into their general HIPAA training.

Taken together, the two parts help Privacy and Security staff build enterprise-wide understanding of why HIPAA compliance matters and what each role must do to support it.

Download PDF Training Toolkit Notes on Use

Download PDF Training Plan Customization Guide

Download PowerPoint HIPAA 101 Starter Set

Breach Notification Decision Tree

This tool is intended to help the investigation committee determine whether a suspected violation constitutes a breach requiring notification. The form should be completed for every suspected breach, including those ultimately judged not to require notification, because the covered entity bears the burden of demonstrating either that all required notifications were made or that the incident did not constitute a breach (45 CFR 164.414(b)). A signed copy of the completed form, together with any supporting documentation related to the incident, should be retained by the Privacy Officer for each suspected breach; HIPAA requires such documentation to be kept for at least six years.

Download Excel tool Breach Notification Decision Tree

Patient Notification Letter

This tool provides Privacy Officers with a customizable template for composing a breach notification letter to affected patients. When a breach requires patient notification, the letter should be modified to include the details the Breach Notification Rule calls for: a description of what happened, including the dates of the breach and of its discovery; the types of PHI involved; steps patients should take to protect themselves; what the organization is doing to investigate, mitigate harm, and prevent recurrence; and contact procedures for questions. Notification must be sent without unreasonable delay and no later than 60 calendar days after discovery of the breach, so the review cycle should be planned with that deadline in mind. The letter must be reviewed with legal counsel, the investigation committee, the communications department, and other relevant stakeholders before it is mailed.

Download PDF Patient Notification Letter
