HIPAA Compliance Checklist For DPC

To answer this, check out DPC Frontier's thorough discussion of HIPAA here. If you are not covered, feel free to ignore the rest of this list.

In some states they are even more stringent than HIPAA.

This free tool from the ONC will make this much easier.

The HHS publishes a sample NPP that can be easily customized for your practice.

Once completed, publish the notice to your website.

HIPAA requires you to have a Release of Records Authorization form on file for any disclosure of protected health information for purposes other than treatment, payment, and health care. Here is an example.

Every time you have a patient sign one of these, make a note in an Accounting of Disclosures log such as this. You must be able to acocunt for all PHI discosures you've made should you get audited.

Though not required by HIPAA, many practices also have a Patient Consent Form which lets the patient green-light certain forms of communication (email, text, phone calls, answering machines). It also affords your practice an extra measure of protection. Here is a sample Consent Form.

This is a multi-faceted problem; full compliance involves writing a Breach Plan, a Training Plan, a Communications Plan, a Disaster Recovery Plan, and an Audit and Monitoring Plan, plus the maintenance of a detailed Policies and Procedures Manual and data governance documentation. Check out this page from the AMA for some resources to get you started. You can find a lot of the Policies and Procedures online - check out Kim Corba's DPC Manual.

You need to get a signed Business Associate Agreement from every company/product/service that handles your patients' health info. Some notable exceptions are labs, specialists you refer to, and data "conduits" (some messaging services qualify). See a complete description here and an agreement template here.