• Know the location of the HIPAA Policies and Procedures.
• Know the location of the Privacy Notice and HIPAA forms.
• Know where all protected health information (PHI) is kept in the Agency.

The following are just a few questions to ask when examining HIPAA compliance in the Agency. This is not an all-inclusive list.

• Is PHI visible on white boards, on desks, by the copier, by the fax machine, or on computer screens?
• Are medical records stored in a record room or in file cabinets?
    o Are they locked?
    o Who has access?
    o Are there sign-out logs for medical records?
• Do you use travel charts containing PHI that are taken off premises?
    o How is the PHI protected?
    o Is it visible in the car?
    o What happens if a travel chart is lost?
    o What happens to the PHI in the travel chart when it is no longer needed?
• Do you send PHI via fax?
    o How do you verify the fax number and confirm that the intended recipient actually received it?
    o Is there a confidentiality statement on the cover page?
• Do you send PHI via email?
    o Is your email encrypted and HIPAA compliant (including a business associate agreement with the email provider)?
    o How do you confirm the recipient's email address is correct before sending?
• Do you store PHI in the cloud?
    o Is your cloud service secure and HIPAA compliant (including a business associate agreement with the provider)?
    o How is access to the information limited?
• Do you send PHI using text messaging? (You should NOT: standard SMS text messages are not encrypted.)
• Do you use paper that has PHI on it as scrap paper, or reuse the blank side in the fax machine or copier?
• Do you shred PHI that is no longer needed?
    o Who is responsible for shredding?
    o Do you use a shredding company?