CalOHII developed checklists to support the Compliance Review team’s assessment of the artifacts (documentation) requested during the Compliance Review process. Our goals during the creation of the checklists were to ensure:

• All pertinent criteria (i.e., HIPAA, state regulations) are considered when assessing documentation compliance
• Objectivity and credibility in our review process
• A defined and repeatable review process

CalOHII reviews these checklists on an annual basis to ensure accuracy and currency with updates to state and federal regulations.

CalOHII recommends use of these checklists by state entities to self-assess their compliance and determine areas of risk or non-compliance.

• Authorizations
• Breach Notification
• Business Associate Agreement
• Business Associate Oversight
• Contingency Plan – Business Continuity Plan
• Contingency Plan – Technology Recovery Plan
• Contingency Plan – Data Backup Plan
• Device and Media Controls
• Facility Security Plan
• Health Information Locations
• Incident Reporting
• Individuals Right to Access Health Information
• Individuals Right to Amend Medical Records
• Notice of Privacy Practices (NPP)
• Privacy Training
• Risk Assessment Policy and Procedures (P-Ps)
• Risk Assessment
• Security Awareness and Training
• Security Evaluations