HIPAA Compliance Checklist for APCM Programs & Audits

Restrict access to APCM documentation platforms based on staff roles, such as care coordinators vs. billing clerks.

Require MFA for all staff accessing the EHR or the APCM tracking software to prevent unauthorized login attempts.

Ensure every staff member documenting the 13 service elements has a unique login to maintain a clear audit trail.

Set workstations to automatically log off after periods of inactivity to prevent PHI exposure in high-traffic clinical areas.

Review logs to identify any unusual patterns or unauthorized access to patient care plans or APCM billing data.

Ensure your AI phone automation provider has a signed Business Associate Agreement covering all APCM interactions.

Use encrypted VOIP services for all APCM patient outreach and 24/7 access requirements to prevent eavesdropping.

Configure AI tools to redact unnecessary PHI from call transcripts used for APCM documentation and quality assurance.

Program AI assistants to verify at least two patient identifiers before discussing care plan details or APCM enrollment.

Use HIPAA-compliant portals or encrypted email when sharing the comprehensive care plan with the patient or other providers.

Implement a digital archiving system that retains all APCM service element documentation for the required seven-year period.

Store electronic copies of APCM enrollment consents in a secure, backed-up environment that is easily searchable for auditors.

Maintain version history for care plans to prove they were updated 'as needed' per CMS requirements for APCM billing.

Ensure that all stored APCM data, including call recordings and care coordinator notes, is encrypted on local and cloud servers.

Perform internal reviews of APCM documentation to ensure all 13 service elements are present and HIPAA protocols were followed.

Provide annual training for care coordinators focusing on the 'minimum necessary' rule when sharing care plans.

Develop a specific protocol for responding to a breach of APCM patient data or unauthorized access to the care management platform.

Ensure all staff, including remote care managers, sign agreements specifically mentioning APCM data sensitivity.

Ensure monitors used for care coordination are positioned to prevent 'shoulder surfing' by unauthorized visitors.

Include the APCM workflow in the practice's annual HIPAA security risk analysis to identify and mitigate vulnerabilities.