Day One: Research of Your Operations – How do you use PHI and what policies and procedures do you have for Privacy, Security, and Breach Notification? Understand your operations and information flows, and the ways you use or disclose PHI.
Day Two: Limitations on Uses and Disclosures – Establish the proper limitations according to the Privacy Rule, including requirements for Business Associates, handling authorizations, and required processes for uses and disclosures of PHI under HIPAA.
Day Three: Patient Rights under HIPAA – Make sure the processes are defined and in place for providing opportunities to access, amend, and restrict uses of PHI, to ask for an accounting of disclosures of PHI, to request alternative means or methods of communication, and to receive a Notice of Privacy Practices.
Day Four: HIPAA Risk Analysis – Look at how you handle information, identify the risk issues and decide their priority for mitigation.
Day Five: HIPAA Security Safeguards – Decide what safeguards you will use to address the various Security issues and start implementing physical, technical and administrative safeguards.
Day Six: HIPAA Security and Breach Notification Policies and Procedures – Adopt a thorough process for managing, evaluating and acting on any incidents involving PHI and breaches of PHI.
Day Seven: Documentation of Policies and Procedures – All the things you’ve been doing need to be properly documented so you can show compliance. Just creating documentation alone is easily a day’s work.
Day Eight: Training in Policies and Procedures Related to HIPAA – Once you have your HIPAA policies and procedures ready, you can begin training staff on your own policies and procedures relating to privacy, security and breach notification.
Day Nine: Verification and Audits of Compliance – Implementation of HIPAA Privacy, Security and Breach Notification compliance should be regularly evaluated to ensure that policies are being followed and systems are secured.
Day Ten: Long-Term Compliance Planning and Risk Management – To establish and maintain compliance, it is essential to implement the one-time actions, to schedule the compliance activities that should take place regularly, and to identify the events that can trigger the need for security maintenance and risk management activities.