HIPAA Info, Forms and Checklists

  • Here’s a form for a HIPAA risk assessment that doubles as a pretty good checklist for your HIPAA program.  It is compiled from a ton of sources, such as the HIPAA folks, the ADA, etc. This risk assessment lets you analyze your office for possible vulnerabilities and document the results, and keeping that documentation is what proves your program is maintained. Use it periodically (I would do it at least annually) and whenever changes are made in your office (new software, new staff, new equipment) to evaluate your procedures related to patients’ private health information.


  • Click here for several different sample HIPAA Authorization Forms you can use as starting places to get your forms together in your office.


  • HIPAA civil penalties can now run as high as $1.5 million per calendar year for violations of the same provision (the cap is annual, not per incident, and it is tiered by how negligent the violation was).  Here is some information from the ADA that summarizes the penalty tiers.  Make sure you have a HIPAA manual that is completely filled out and current.  Also, the program must be constantly maintained and updated, so have regular meetings and risk assessments, and keep dated records of them, to show that your program is current.



  • Here’s a sample Notice of Privacy Practices you can configure to use in your office.  It is available in Word so you can make changes for your office.


  • Here’s a good article with five helpful hints about HIPAA computer security.


  • If you make a disclosure that is required or permitted by law without the patient’s authorization (examples:  reporting a patient with suspected TB to the health department or complying with a subpoena for a patient’s record), you don’t have to get patient authorization; you just have to document the disclosure on an Accounting of Disclosures log.  Routine disclosures for treatment, payment, and health care operations do not go on the log, but everything else does, and a patient can ask for an accounting covering the previous six years.


  • If a breach occurs and it involves fewer than 500 individuals, you still have to notify the affected patients without unreasonable delay and no later than 60 days after you discover the breach.  The report to HHS, however, can be batched:  keep a log of these smaller breaches and submit it electronically to HHS within 60 days after the end of the calendar year in which they were discovered.  (A breach affecting 500 or more people must be reported to HHS within 60 days of discovery, not at year end.)  Here is a Breach Notification log to record the breaches during the year.



  • Here’s a super short form for a HIPAA monthly risk assessment.  In order to show that we are regularly maintaining our HIPAA program, it’s a good idea to do a monthly risk assessment to ensure that patients’ information is as well protected as possible. Every month, see if any changes were made in the office that could affect the privacy of patient information (new computer, new employee, new vendor, new software), and document them.  Date the form and place it in the HIPAA notebook so you can show that you are constantly attending to the program.


  • To prevent large breaches, make sure your hard drives and all portable devices (smart phones, laptops, backup drives, USB sticks, etc.) are properly encrypted and secured.  This matters more than it sounds:  the breach notification rules only apply to “unsecured” PHI, so a lost laptop whose drive was fully encrypted (in line with the HHS guidance on securing PHI) is generally not a reportable breach, while a lost unencrypted one is.  Keep a record of which devices are encrypted and how, so you can prove it if one goes missing.  Here is an article that does a good job of covering the topic.


  • Make sure you have a Business Associate Agreement for every outside entity (not part of your own workforce) that has access to your patients’ information as part of the duties it performs for you, such as your IT vendor, billing service, cloud backup provider, or shredding company.  Here’s a great HIPAA BAA you can configure for your specific office needs.  It’s easy to read and pretty complete, but check with your own attorney to make sure it covers everything you need!




  • Here’s a great summary guide for the Privacy and Security requirements from the HIPAA folks.


  • Here’s a website that allows you to sign up for a free newsletter about what’s going on in the world of HIPAA.  It’s not just dental stuff, so don’t let it freak you out, but some of the information is very helpful and gives you an idea of what the HIPAA regulators are up to.



  • For specific questions and answers about HIPAA, go to the US Dept of Health & Human Services FAQ web link.  This is an AWESOME resource!  You can search for a term and they will show questions and answers related to that topic.




  • Here’s a good example you can use for a fax cover sheet for a fax that contains private health information.


  • Here are several different types of HIPAA authorization forms that you can configure to work in your office.  We run into situations all the time where HIPAA limits what we can disclose but, for practical reasons, we need to disclose information so we can get paid (examples: moms who bring in college-age kids for dental work and they’re still paying the bill, divorced parents who don’t want the other parent to get information but they want us to bill them for payment, 40 year olds who are getting their dental work paid for by their parents, etc.)  HIPAA does allow you to share information relevant to payment with a person who is involved in paying for the patient’s care if the patient is given the chance to object and doesn’t, but a signed authorization removes the guesswork about who can be told what.


  • Make it a policy in your office that anyone who is paying the bill for another person gets information about the treatment being paid for, and then have the patient sign this Authorization. If a patient doesn’t like this policy he can pay the bill himself or he can choose to go somewhere else. (Please note that you can’t condition treatment on a patient signing an authorization, so be careful here:  you can dismiss a patient for violating office policies, so long as you follow state and federal laws and make sure you don’t “abandon” your patient, but run the policy past your attorney before you rely on it.) Anyway, it takes us out of the middle and will (hopefully!) help reduce our risk of HIPAA violations.


  • We all have work and school excuses we hand to patients; they then choose whether to hand them to their employer or school.  However, if a patient wants you to verify what work was done, whether over the phone, in person, or in writing, this authorization gives you permission from the patient to release that information to the employer or school.


  • If you use patients’ photos, x-rays, videos, or testimonials on social media or on a website you have to have a signed authorization, NOT a consent, because marketing is not treatment, payment, or operations. If other people are identifiable in the background of a picture, or a name is visible on a computer screen or sign-in sheet, those people will also have to sign an Authorization (or you crop or blur them out).  Even people who write a testimonial for your website have to sign one!  Many offices now have patients sign this as part of their initial paperwork. Here’s a sample authorization for photos/videos and testimonials that you can use as a starting place for your office.


  • If you allow the media in your office (to take pictures, have a film crew, take videos in your office), make sure all patients who may be visible or identifiable have ALREADY signed an authorization before the crew arrives; you can’t get it after the fact.  Here’s info from the HIPAA folks about how to handle it.


