HIPAA Compliance Checklist for Locum Tenens Agencies
Locum tenens agencies operate inside a complex privacy and security landscape where Protected Health Information must be safeguarded at every step. This checklist translates HIPAA expectations into clear, repeatable actions, covering training, Risk Assessment, Business Associate Agreement management, provider vetting, Malpractice Insurance, continuous monitoring, and Breach Notification readiness.
Ensure Locum Tenens HIPAA Training
Deliver role-based education before placement
Require HIPAA training for every clinician and internal staff member before the first assignment and at least annually thereafter. Tailor content to roles so clinicians learn point-of-care privacy practices while recruiters and credentialing staff learn permissible uses and disclosures.
Cover the essentials
- Protected Health Information (PHI): minimum necessary, need-to-know access, secure sharing, and de-identification basics.
- Security behaviors: unique credentials, strong passwords/MFA, device encryption, secure messaging, phishing awareness, and safe remote work.
- Worksite expectations: EHR etiquette, workstation privacy, physical safeguards, and facility-specific policies.
- Incident handling: how to report suspected privacy incidents or potential breaches immediately; no self-investigation.
Document, test, and reinforce
- Maintain training rosters, completion dates, scored assessments, acknowledgments of policies, and renewal reminders.
- Embed just-in-time refreshers during onboarding to new facilities and when policies or systems change.
Implement Risk Assessment Procedures
Perform a comprehensive risk analysis
Map where you create, receive, maintain, or transmit ePHI, including applicant tracking, credentialing, timekeeping, communications, and storage systems. Identify threats and vulnerabilities, then rate likelihood and impact to prioritize remediation.
Build a living risk management plan
- Inventory systems, data flows, and third parties; note configurations, encryption status, and access points.
- Rank risks and assign owners, timelines, and mitigation steps (e.g., MFA rollout, data minimization, log monitoring).
- Review after material changes (new platforms, mergers, remote-work shifts) and at least annually; retain documentation.
Establish Business Associate Agreements
Determine when a BAA is required
If your agency creates, receives, maintains, or transmits PHI on behalf of a covered entity, a Business Associate Agreement is required. When only de-identified data is used, a BAA may not be needed; verify the data scope and update if circumstances evolve.
Include core BAA provisions
- Permitted uses and disclosures of PHI and the “minimum necessary” standard.
- Administrative, physical, and technical safeguards aligned to the Security Rule.
- Prompt incident and Breach Notification duties, investigation cooperation, and timelines.
- Flow-down terms to subcontractors and vendors handling PHI.
- Access, amendment, and accounting support; return or secure destruction of PHI at termination.
Operationalize the agreement
- Map BAA obligations to internal procedures; train staff on do’s and don’ts.
- Track BAA inventory, renewal dates, and vendor attestations; audit high-risk partners.
Verify Credentialing and Licensing
Use primary-source verification
Confirm every provider’s credentials directly with authoritative sources before placement and continuously monitor expirations. Document each check and ensure names, numbers, and specialties match across systems.
- State licensure: active, unrestricted status and any disciplinary actions.
- National Provider Identifier (NPI): validate assignment and taxonomy accuracy.
- DEA Registration (as applicable): status, schedules authorized, and expiration.
- Board certification and hospital privileges (if required by the site).
- Background checks, NPDB queries, exclusion screening (e.g., OIG/LEIE, SAM).
- Required training/certs (BLS/ACLS), immunizations, and fit testing per facility policy.
Plan for multi-state and telehealth work
Anticipate cross-state placements by tracking compact eligibility, telehealth rules, and supervising/collaboration requirements. Surface gaps early so placements are not delayed by last-minute credential issues.
Confirm Malpractice Insurance Coverage
Match coverage to assignment risk
Require written proof of Malpractice Insurance before start, confirming carrier, limits, retroactive date, and coverage type. Align coverage with specialty risk and site requirements to avoid exposure.
- Occurrence vs. claims-made coverage and who funds tail (if claims-made).
- Typical limits (e.g., per-claim/aggregate) and any higher limits for high-risk specialties.
- Named insured/additional insured status and vicarious liability considerations.
- No known gaps, cancellations, or material exclusions conflicting with the assignment.
Conduct Ongoing Compliance Monitoring
Make compliance continuous, not episodic
Shift from annual checklists to always-on oversight. Use dashboards and alerts to track expirations, exceptions, and investigation status so you can intervene before issues escalate.
- Monthly exclusion checks; real-time license and DEA Registration monitoring.
- Annual HIPAA refreshers and policy acknowledgments; targeted refreshers after incidents.
- Access reviews, log monitoring, and device patching; promptly remove access at offboarding.
- Vendor oversight: due diligence, BAA renewals, and risk-based audits.
- Sanction policy enforcement and documentation for policy violations.
Develop Breach Notification Protocols
Prepare an incident response playbook
Define roles, escalation paths, and decision criteria before an event occurs. Train teams to report quickly, contain issues, preserve evidence, and begin the four-factor risk assessment to gauge the probability of compromise.
Meet notice obligations and close the loop
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery when notification is required.
- Coordinate with the covered entity on HHS and, if applicable, media notices; track state-specific obligations and shorter timelines.
- Document facts, decisions, and remediation; update training, contracts, and controls to prevent recurrence.
Conclusion
Strong HIPAA hygiene for locum tenens agencies starts with trained people, accurate Risk Assessment, airtight Business Associate Agreements, rigorous credentialing, proper Malpractice Insurance, continuous monitoring, and disciplined Breach Notification. Treat these elements as a single system, and you will protect patients, providers, and partners while keeping placements moving.
FAQs
What are the key HIPAA requirements for locum tenens agencies?
Key requirements include safeguarding Protected Health Information, conducting a documented Risk Assessment with ongoing risk management, executing and honoring each Business Associate Agreement, training workforce members regularly, limiting access to the minimum necessary, monitoring vendors and user activity, and maintaining clear Breach Notification procedures with timely reporting and thorough documentation.
How do agencies verify the licensing of locum tenens providers?
Agencies perform primary-source verification with state licensing boards, confirm the National Provider Identifier, validate DEA Registration when prescribing controlled substances, check board certifications and hospital privileges as needed, query NPDB, and screen for exclusions. Results are documented, tracked for expirations, and rechecked before each placement.
What is the role of Business Associate Agreements in HIPAA compliance?
A Business Associate Agreement defines how PHI may be used or disclosed, requires appropriate safeguards, sets investigation and Breach Notification timeframes, and obligates subcontractors to the same standards. It also addresses access, return or destruction of PHI at termination, and remedies for noncompliance, turning legal obligations into actionable controls.
How often should compliance monitoring be conducted?
Make monitoring continuous. Run monthly exclusion checks, track licenses and DEA Registration in real time, provide HIPAA training at least annually and after material changes, review access regularly, and revisit the enterprise Risk Assessment at least once a year or when significant systems or business models change.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.