HIPAA PHI Checklist

The ClinicNerds divide HIPAA into two parts:

  1. Protected Health Information (PHI)
  2. Patient Rights

This is an overview checklist for PHI. Most HIPAA violations are due to breaches of PHI.

  • Designate a HIPAA Lifeguard
    (aka Privacy Officer)

  • Create a HIPAA Notebook

Conduct a Risk Assessment

Assess, evaluate and document the following:

  • Physical Spaces: Rooms, Doors, Locks

  • Document Physical Spaces on a Floorplan Diagram

  • Electronic Tools: Network Providers, Software Apps

  • Document Electronic Tools on Network Diagram

  • Business Owned Equipment

  • Workforce

  • Workforce Owned Equipment Used For Business Purposes

  • Business Partners

  • Business Associate Agreements

  • Collect Risk Assessment Documents in HIPAA Notebook

  • Identify and Document PHI Hotspots

Promo: The HIPAA Lifeguard App does all the above.

Develop A Risk Management Plan

Develop and document a policy and procedure to safeguard each type of PHI Hotspot

  • Policy & Procedures For Places Designated as PHI Hotspots — e.g. Room with paper medical records

  • Policy & Procedures For Things Designated as PHI Hotspots — e.g. Laptop computers

  • Policy & Procedures For People Designated as PHI Hotspots — e.g. reception, admin, clinicians

  • Document Sanctions (or Punishments) For Violating The Policies and Procedures

  • Organize all the policies and procedures in the HIPAA Notebook

Promo: CCC is for sharing the best ideas for above policies & procedures. CCC = Clinic Collaboration Community

Conduct Training

Train the workforce in the new policies and procedures.

  • Document the training by having each member of the workforce sign and date an acknowledgement form

  • Train new employees before giving access to PHI Hotspots

  • When saying farewell to employees, provide reminders in an exit interview

  • Keep all the signed worker acknowledgement forms in the HIPAA Notebook

Develop and document a plan to monitor adherence to the policies and procedures.

  • Weekly, monthly, annual monitoring activities

  • An important time to monitor is when employees join or leave

  • Keep notes or reports each time monitoring is performed

  • Document Breach Investigation Procedures
    e.g. policy & procedure for missing laptop

  • Keep all documents in the HIPAA Notebook

{ End checklist }