EMR HIPAA Compliance Checklist

By May 18, 2017

Behavioral health agencies handle clients’ sensitive, protected health information (PHI). Therefore, EMR compliance is a primary concern for both your agency and your clients.

The HIPAA Security Rule sets the standards for protecting electronic PHI (ePHI) wherever your agency creates, stores, or transmits it, not only while it is in transit. Its safeguards fall into three categories (technical, physical, and administrative), and the following checklist addresses each one.

Each action item will help you achieve EMR HIPAA compliance, mitigating the risk of substantial fines and criminal or civil charges for failure to comply.

1.) Technical safeguards

  • Access control. Assign every user a unique, centrally managed username and credential so that each action on ePHI can be traced to one person; shared logins defeat this. Access control also covers your emergency access procedure: how authorized staff obtain ePHI when normal access is unavailable, with every such use logged and reviewed afterward.
  • Encryption and decryption. Your EMR system should encrypt ePHI in transit (for example over TLS) and at rest, including backups and any laptops or mobile devices that hold client data. Decryption on receipt is the easy part; the hard part is making sure no unencrypted copy of the data exists outside the system. Encryption also matters for breach reporting: ePHI that was properly encrypted on a lost or stolen device is generally not treated as a reportable breach, provided the key was not exposed with it.
  • Audit controls. Record every attempted access to ePHI, successful or not, along with what each user did with the data after access. Review these logs regularly and protect them from alteration; a log that an insider can edit proves nothing during an investigation.
  • Automatic logoff. Your system should end a user's session after a set idle period so that an unattended workstation cannot be used by someone else.
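The four technical safeguards above fit together in one enforcement point: every read or write of a client record passes through a gateway that binds the request to a unique user, checks the user's role, discards idle sessions, and writes an audit entry that cannot be quietly edited later. The following Python model is an added example written for this article; it is not CT|One code or any vendor's implementation. The role table, the 15-minute idle timeout, the user names, the sample record, and the break-glass rule are all hypothetical values constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical policy values and sample data, constructed for this example.
IDLE_TIMEOUT_SECONDS = 15 * 60
PERMISSIONS = {"clinician": {"read", "write"}, "billing": {"read"}, "facilities": set()}
SAMPLE_RECORDS = {"client-001": "constructed sample clinical note (not real PHI)"}


class AuditLog:
    """Append-only access log whose entries are chained by SHA-256, so that
    editing or deleting an entry after the fact is detectable on review."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    def record(self, ts, user_id, action, record_id, outcome):
        body = {"ts": ts, "user": user_id, "action": action,
                "record": record_id, "outcome": outcome, "prev": self._prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        self._prev = digest

    def verify(self):
        """True if every entry still hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class PhiGateway:
    """Every read/write of a client record passes through here, so the unique
    user ID, role check, idle logoff, and audit entry cannot be skipped."""

    def __init__(self, clock):
        self.clock = clock          # injectable so the example is deterministic
        self.audit = AuditLog()
        self.sessions = {}

    def login(self, user_id, role):
        # Authentication itself (password, MFA) is out of scope here; the point
        # is that the session is bound to one named user, never a shared account.
        token = f"sess-{user_id}"
        self.sessions[token] = Session(user_id, role, self.clock())
        self.audit.record(self.clock(), user_id, "login", "-", "ok")
        return token

    def access(self, token, action, record_id, break_glass=False):
        now = self.clock()
        s = self.sessions.get(token)
        if s is None:
            self.audit.record(now, "?", action, record_id, "denied:no-session")
            return None
        # Automatic logoff: an idle session is discarded, not silently refreshed.
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.record(now, s.user_id, action, record_id, "denied:auto-logoff")
            return None
        s.last_activity = now
        if action not in PERMISSIONS.get(s.role, set()):
            if break_glass and action == "read":
                # Emergency access procedure: grant the read, but with a distinct
                # outcome so every break-glass use is reviewed afterward.
                self.audit.record(now, s.user_id, action, record_id, "ok:break-glass")
                return SAMPLE_RECORDS.get(record_id)
            self.audit.record(now, s.user_id, action, record_id, "denied:role")
            return None
        self.audit.record(now, s.user_id, action, record_id, "ok")
        return SAMPLE_RECORDS.get(record_id)


def demo():
    """Walk a clinician and a facilities user through the gateway. Returns the
    audit outcomes in order, then whether the chain verifies before and after
    one entry is tampered with."""
    t = [1000.0]                      # fake clock, advanced by hand
    gw = PhiGateway(clock=lambda: t[0])
    doc = gw.login("dr.alice", "clinician")
    jan = gw.login("jan.facilities", "facilities")
    gw.access(doc, "read", "client-001")                    # ok
    gw.access(jan, "read", "client-001")                    # denied:role
    gw.access(jan, "read", "client-001", break_glass=True)  # ok:break-glass
    t[0] += IDLE_TIMEOUT_SECONDS + 1
    gw.access(doc, "read", "client-001")                    # denied:auto-logoff
    gw.access(doc, "read", "client-001")                    # denied:no-session
    outcomes = [e["outcome"] for e in gw.audit.entries]
    intact_before = gw.audit.verify()
    gw.audit.entries[2]["outcome"] = "denied:role"          # simulate an insider editing the log
    return outcomes, intact_before, gw.audit.verify()


if __name__ == "__main__":
    outcomes, before, after = demo()
    print("\n".join(outcomes))
    print("chain intact before tamper:", before, "after:", after)
```

The hash chain is what makes the audit control worth having: a reviewer can prove the log has not been rewritten since the entries were made, which a plain table of rows cannot. In a production system the chain head would be anchored somewhere the application cannot write (a separate log service or a write-once store), and the break-glass outcome would feed an alert rather than waiting for a periodic review.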

2.) Physical safeguards

  • Physical access. Create procedures that control and record who has physical access to the facilities and equipment holding ePHI, with safeguards against unauthorized entry. This includes every staff member, from management to the janitorial staff, as well as visitors and contractors.
  • Workstation use. Implement policies that restrict which workstations may access ePHI, how those workstations are positioned and secured, and what functions users may perform on them.
  • Hardware inventory. Inventory all hardware and media that hold ePHI, record each item's location and every move, and wipe or destroy the ePHI before any device is reused, returned, or disposed of.

3.) Administrative safeguards

  • Risk assessment. Conduct and document risk assessments that identify where ePHI is stored and handled and where a breach could occur.
  • Risk management policy. Create a risk management policy that addresses the weaknesses the assessment found, review and test it at regular intervals, and include sanctions for employees who fail to comply with HIPAA requirements.
  • Employee training. Train employees on the secure handling of ePHI and on recognizing phishing, malicious software, and other attacks. Document all training.
  • Contingency plan. Develop a contingency plan detailing how you will continue critical business processes and protect the integrity and availability of your ePHI during an emergency. Test your plan periodically.
  • Third parties. Restrict third-party access to the minimum necessary, and make sure every vendor that handles ePHI on your behalf has signed a Business Associate Agreement before it receives any data.
  • Breach policies. Develop policies and procedures for detecting, investigating, and reporting an incident, including who decides whether an incident is a reportable breach and the notification deadlines (affected individuals must be notified without unreasonable delay and no later than 60 days after discovery). Treat the preventive controls above as ongoing daily practice rather than a one-time project.


Keep this EMR HIPAA compliance checklist handy to help you cover the Security Rule’s important technical, administrative, and physical safeguards. By proactively learning and acting upon this EMR HIPAA compliance checklist, you’ll mitigate the risk of a breach—which no one wants.

The Remarkable Health difference

Remarkable Health’s CT|One is a fully integrated behavioral health EMR system designed to improve client care and achieve efficiencies. You get practical and accessible functionality to help you achieve compliance. From automatic logoff to passwords restricting screens from unauthorized users, CT|One can help you with the everyday concerns of EMR HIPAA compliance.

Contact us today to request a demo and discover the power of an EMR solution designed specifically for behavioral health providers.