HIPAA Compliance: CCM to APCM Transition Checklist

Review all current Business Associate Agreements to ensure they cover AI-powered call handling and APCM risk-stratification tools.

Ensure that all patient data migrated from CCM legacy logs to new APCM dashboards is encrypted using AES-256 standards.

Validate that your AI call center provider maintains current SOC2 Type II certification for handling sensitive APCM clinical data.

Document how patient risk data moves from the EHR to the APCM platform to identify potential security gaps during the transition.

Define a specific retention policy for APCM clinical summaries that aligns with state laws and CMS audit requirements.

Move old CCM time-tracking data to a secure, HIPAA-compliant archive for the required 6-year look-back period.

Confirm that all AI-driven patient calls for APCM enrollment use encrypted SIP trunking to prevent interception of PHI.

Configure the AI call handler to perform 2-factor identity verification before discussing APCM benefits or risk levels with patients.

Set the AI system to automatically delete raw audio recordings once the clinical transcript is securely synced to the EHR.

Periodically review AI-generated summaries of APCM calls to ensure no sensitive PHI is incorrectly transcribed or stored.

Ensure that call logs, such as phone numbers and timestamps, are stored in a HIPAA-compliant database, not in clear text.

Require MFA for any staff member accessing the AI call center dashboard to view APCM patient interaction history.

Transition templates from tracking minutes to documenting the specific APCM service elements and risk-stratification outcomes.

Limit access to APCM risk-stratification data to only those clinical staff members directly involved in the patient's care plan.

Verify that the API connection between your AI call handler and the EHR uses secure tokens and HIPAA-compliant protocols.

Ensure the AI system automatically logs the date and nature of each APCM interaction to replace manual CCM time-tracking.

Conduct monthly reviews of who has accessed the APCM patient cohort data to detect any unauthorized PHI viewing.

When comparing CCM vs APCM revenue, ensure all patient-level data is fully de-identified before performing financial analysis.

Ensure that patient consents for the APCM program are stored in an encrypted format that is easily retrievable for audits.

Revise your NPP to explicitly mention the use of AI-powered communication tools for the APCM program transition.

If using SMS for APCM program education, ensure the platform uses secure, encrypted links rather than sending PHI via text.

Keep a HIPAA-compliant record of patients who choose to remain on CCM or opt-out of APCM to prevent billing errors.

Ensure AI-recorded verbal consents for APCM are stored with the same security rigor as written medical records.

Create a secure workflow for patients to revoke APCM consent, ensuring the AI system immediately stops automated outreach.

Train staff on the new APCM documentation requirements and how they differ from the old CCM time-tracking rules.

Audit the home office security of any care coordinators managing the APCM transition remotely via AI dashboards.

Modify your data breach response plan to include specific scenarios related to AI call center data or APCM platform failures.

Maintain detailed logs of all staff training regarding the CCM to APCM transition for compliance verification.

Ensure staff understands that APCM risk-stratification levels are sensitive PHI and must not be shared over unsecure channels.

Set a quarterly schedule to review the entire APCM workflow for HIPAA compliance and operational efficiency.