HIPAA Compliance for APCM: Solo Practice Checklist

Ensure all AI-driven phone automation vendors handling PHI have signed legal agreements before service starts.

Verify that your electronic health record data sharing for remote care management is covered under current contracts.

If you outsource APCM billing, ensure the billing entity has a valid BAA to handle patient financial and clinical data.

Keep all signed agreements in a single secure folder for quick access during CMS or HIPAA audits.

Briefly verify that your AI partners maintain updated security certifications and encryption standards.

Obtain written or verbal consent for program enrollment and document it clearly within the patient's EHR.

Inform patients about potential co-pays for care management services to avoid billing disputes and privacy complaints.

HIPAA and CMS require retention of consent documentation for a minimum of six years for solo practices.

Ensure your NPP reflects how patient PHI is used for care coordination and AI-assisted management services.

Create a simple, documented workflow for when a patient chooses to stop receiving APCM services.

Apply MFA to all devices and platforms used to access APCM data, especially on the physician's mobile device.

Ensure all summaries generated by AI call systems are encrypted during transmission to your EHR.

Review logs to ensure only authorized personnel (or the doctor) have accessed the APCM management portal.

Set computers to lock after 5 minutes of inactivity to prevent unauthorized access in a solo office setting.

Avoid shared passwords for AI platforms or billing software to maintain a clear audit trail.

The solo doctor must personally initiate the APCM care plan during a face-to-face visit to bill incident-to.

Keep a monthly log showing the physician oversaw the automated care management and AI call outcomes.

Ensure all APCM claims are billed under the solo practitioner's NPI as the primary billing entity.

Use an automated timer or log to track the 20+ minutes of non-face-to-face care provided monthly.

Ensure all remote care interactions are integrated into the main clinical record to support billing audits.

Only use AI call handling systems that provide end-to-end encryption for patient conversations.

Implement a two-point verification protocol (e.g., Name and DOB) for all automated APCM outreach calls.

Ensure patient messages containing PHI are stored on secure cloud servers rather than local office machines.

Use a script for AI and staff to ensure only the minimum necessary PHI is disclosed over the phone.

Record the date, time, and duration of all remote patient interactions for compliance and clinical tracking.