APCM HIPAA Compliance & Audit Readiness Checklist

Ensure a signed BAA is on file for every AI call center provider and care management software vendor before sharing any PHI.

Confirm that APCM vendors use AES-256 or higher for data at rest and TLS 1.2+ for data in transit.

Audit the vendor's internal policy for notifying your practice in the event of a PHI exposure, ensuring it aligns with HITECH Act timelines.

Verify that your APCM vendor's own subcontractors (e.g., cloud hosting) also maintain HIPAA-compliant environments and BAAs.

Ensure all APCM patient data and call recordings are stored on servers located within the United States to simplify jurisdictional compliance.

Include specific language in patient consent forms regarding the use of AI-powered call assistants and data sharing for care coordination.

Program AI call flows to verify at least two patient identifiers before discussing care plan details or PHI over the phone.

Set strict rules for what information AI agents can leave on a patient's voicemail to avoid unauthorized PHI disclosure to household members.

Create a clear workflow for patients to opt-out of APCM calls, ensuring their data is immediately flagged as 'do not contact' in the AI system.

Configure AI scripts to only access and present the specific PHI required for the current care management task.

If recording calls for quality assurance, ensure recordings are encrypted and stored in a HIPAA-compliant repository separate from public clouds.

Restrict access to APCM call logs and patient care plans to only authorized clinical and administrative staff.

Set the AI system to automatically archive or purge APCM records after the required 6-year HIPAA retention period or per state law.

Ensure that any data used to improve AI performance is fully de-identified according to HIPAA Safe Harbor methods.

Review system logs monthly to identify any unauthorized attempts to access APCM patient records or call histories.

Provide specialized training for care managers on the unique privacy risks associated with automated patient outreach.

Include the APCM AI platform in your practice's annual HIPAA Security Risk Assessment (SRA).

Ensure internal policies reflect consequences for staff who misuse APCM data or bypass AI security protocols.

Develop a specific incident response workflow for potential leaks involving automated care management data.

Appoint a specific staff member to oversee the relationship between the clinical APCM team and the AI technology vendor.