HIPAA Compliance Checklist for Oncologists: Step-by-Step Guide for Cancer Care Practices
As an oncology practice, you handle complex care, frequent care coordination, and high volumes of Protected Health Information (PHI) and electronic Protected Health Information (ePHI). This HIPAA compliance checklist walks you step by step through what to implement, document, and monitor so you can protect patients, streamline operations, and be ready for audits.
HIPAA Privacy Rule Compliance
Know your PHI landscape
- Map how PHI and ePHI move through scheduling, referrals, tumor boards, infusion centers, radiation therapy, labs, imaging, billing, and patient portals.
- Identify who may use or disclose PHI for treatment, payment, and healthcare operations, and where authorizations are required.
Apply the minimum necessary standard
- Use role-based access so team members see only what they need (e.g., front desk vs. infusion nurses vs. clinical research coordinators).
- Redact sensitive details when disclosing to non-clinical functions or external parties.
Honor patient rights
- Provide your Notice of Privacy Practices and obtain acknowledgments.
- Enable access to records within required timeframes, allow amendments, and maintain an accounting of disclosures.
- Offer confidential communications (e.g., alternative addresses) and process restriction requests.
Breach Notification Requirements
- Document a process to assess incidents, determine if PHI was compromised, and notify affected individuals without unreasonable delay.
- Notify the Department of Health and Human Services and, when applicable, the media, consistent with breach thresholds and timelines.
- Maintain records of investigations, notifications, and corrective actions for your Risk Management program.
Implementing HIPAA Security Safeguards
Administrative safeguards
- Appoint a Security Officer, perform a risk analysis, and implement Risk Management plans tied to timelines and owners.
- Establish an incident response plan, a sanctions policy, and vendor oversight aligned to Business Associate Agreements (BAAs).
- Require security awareness training, phishing simulations, and workforce sign-offs.
Physical safeguards
- Control facility access for clinics, infusion suites, radiation therapy vaults, and records rooms.
- Secure workstations at nursing stations and treatment bays; use privacy screens where patients are nearby.
- Implement device and media controls for laptops, portable drives, and copier hard drives; sanitize before reuse or disposal.
Technical safeguards
- Use unique IDs, strong passwords, and multi-factor authentication on EHR, email, and remote access.
- Encrypt ePHI at rest and in transit; configure secure messaging instead of unencrypted texting.
- Enable audit logs for EHR, PACS, and portals; review for snooping and anomalous access.
- Patch operating systems and oncology device workstations; segment networks for clinical systems.
- Back up critical systems and test restorations; document disaster recovery and emergency mode operations.
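As an added example (not part of this checklist or any vendor's product), the Python below reviews constructed EHR audit-log lines for the two things the "review for snooping and anomalous access" item asks you to look for: chart access by a user with no care-team (treatment) relationship to the patient, and one user opening an unusual number of distinct charts in a day. The log format, user names, patient IDs, care-team roster and threshold are all constructed assumptions; a real EHR export will differ.

```python
"""Added example, not part of the checklist: a minimal EHR audit-log review that
flags two snooping patterns. Log lines, users and care teams are constructed."""
import csv
import io
from collections import defaultdict

# Constructed audit log: timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2024-03-04T08:12:00,jdoe,infusion_nurse,P1001,view_chart
2024-03-04T08:40:00,jdoe,infusion_nurse,P1002,view_chart
2024-03-04T09:05:00,rsmith,front_desk,P1001,view_schedule
2024-03-04T12:30:00,rsmith,front_desk,P1003,view_chart
2024-03-04T13:00:00,mlee,oncologist,P1004,view_chart
2024-03-04T22:15:00,tnguyen,scheduler,P1001,view_chart
2024-03-04T22:16:00,tnguyen,scheduler,P1002,view_chart
2024-03-04T22:17:00,tnguyen,scheduler,P1003,view_chart
2024-03-04T22:18:00,tnguyen,scheduler,P1004,view_chart
"""

# Constructed care-team roster: users with a treatment relationship per patient
CARE_TEAM = {"P1001": {"jdoe", "mlee"}, "P1002": {"jdoe", "mlee"},
             "P1003": {"mlee"}, "P1004": {"mlee"}}
CHART_ACTIONS = {"view_chart", "export_chart"}  # actions that expose full PHI
DAILY_CHART_THRESHOLD = 3                       # tune per role from a baseline


def parse_log(text):
    """Parse CSV audit lines into dicts, skipping blank lines."""
    fields = ("ts", "user", "role", "patient", "action")
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]


def find_no_relationship_access(rows, care_team):
    """Chart accesses by users not on that patient's care team.
    Returns (user, patient, ts) tuples for the Privacy Officer to review."""
    return [(r["user"], r["patient"], r["ts"]) for r in rows
            if r["action"] in CHART_ACTIONS
            and r["user"] not in care_team.get(r["patient"], set())]


def find_high_volume_users(rows, threshold=DAILY_CHART_THRESHOLD):
    """Users who opened more distinct charts in one day than the threshold.
    Returns {(user, day): distinct_chart_count}."""
    seen = defaultdict(set)
    for r in rows:
        if r["action"] in CHART_ACTIONS:
            seen[(r["user"], r["ts"][:10])].add(r["patient"])
    return {key: len(p) for key, p in seen.items() if len(p) > threshold}
```

Schedule lookups by the front desk are not flagged because they are not in CHART_ACTIONS; in practice you would also whitelist documented break-glass and payment/operations access before sending the remainder to the Privacy Officer.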
Conducting Risk Assessments
Step-by-step risk analysis
- Define scope: all systems storing or transmitting ePHI (EHR, oncology EMR modules, telehealth, billing, cloud services).
- Inventory assets, data flows, and vendors; identify threats and vulnerabilities (ransomware, misconfigurations, lost devices).
- Rate likelihood and impact; prioritize remediation and assign owners, budgets, and deadlines.
- Document outcomes and integrate into ongoing Risk Management tracking.
Frequency and triggers
- Perform a comprehensive risk assessment at least annually and whenever major changes occur (new EHR, cloud migration, telehealth rollout, mergers).
- Reassess after incidents, audit findings, or facility expansions such as new infusion chairs or satellite clinics.
Methods and evidence
- Use questionnaires, configuration reviews, vulnerability scans, and tabletop exercises.
- Retain reports, screenshots, remediation tickets, and approvals as audit evidence.
Designating Compliance Officers
Privacy Officer
- Oversees Privacy Rule compliance, patient rights, authorizations, notices, and complaint handling.
- Chairs privacy incident reviews and coordinates Breach Notification Requirements.
Security Officer
- Leads the security program, risk assessments, technical/physical safeguards, and incident response.
- Coordinates with IT, vendors, and leadership on remediation and monitoring.
Right people, right authority
- Give officers authority, resources, and direct access to leadership.
- In smaller practices, one individual may serve both roles; define responsibilities clearly and avoid conflicts of interest.
Developing HIPAA Policies and Procedures
Core policy set
- Privacy policies: minimum necessary, uses/disclosures, authorizations, patient rights, and complaint workflows.
- Security policies: access control, authentication, encryption, device/media control, change management, logging, and incident response.
- Operational policies: telehealth, secure messaging, remote work, contingency planning, and data retention.
- Vendor management: due diligence, BAAs, onboarding/offboarding, and performance monitoring.
Practical tips
- Write concise procedures with step-by-step tasks, screenshots, and escalation paths.
- Version-control documents, track approvals, and review at least annually or after major changes.
- Retain HIPAA-required documentation for at least six years from the date of creation or last effective date.
Providing HIPAA Training and Education
Role-based training
- Onboard all staff before accessing PHI; provide annual refreshers tailored to roles (front desk, infusion nurses, physicians, research teams).
- Use oncology scenarios: chairside chart access, verbal disclosures in open bays, tumor board case sharing, and patient portal education.
Reinforce and measure
- Run phishing drills, spot checks of workstation security, and periodic access log reviews.
- Track attendance, test scores, acknowledgments, and corrective coaching where needed.
Establishing Business Associate Agreements
Identify business associates
- Vendors that create, receive, maintain, or transmit PHI on your behalf: EHR hosting, cloud storage, billing and coding, IT support, transcription, shredding, secure messaging, and telehealth platforms.
- Maintain a current vendor inventory and categorize risk by data volume and service criticality.
BAA essentials
- Permitted uses/disclosures of PHI and the minimum necessary standard.
- Safeguard expectations, subcontractor flow-downs, and right to audit or receive attestations.
- Breach Notification Requirements, including prompt notice to you and cooperation on investigations.
- Termination, return/destruction of PHI, and continuity arrangements.
Oversight and continuous improvement
- Collect security questionnaires, certifications, or reports; address gaps through action plans.
- Test offboarding: verify PHI return/destruction when a vendor relationship ends.
Bringing it all together
When your Privacy Officer and Security Officer drive an evidence-based Risk Management program, supported by clear policies, targeted training, and strong BAAs, you create a sustainable HIPAA compliance posture that protects patients and keeps your oncology operations resilient.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
What are the key HIPAA requirements for oncologists?
Focus on the Privacy Rule (uses/disclosures, minimum necessary, patient rights), Security Rule (administrative, physical, and technical safeguards for ePHI), Breach Notification Requirements (timely assessment and notifications), and documentation of policies, training, risk assessments, and vendor oversight through Business Associate Agreements (BAAs).
How often should risk assessments be conducted?
Perform a comprehensive risk assessment at least annually and whenever significant changes occur—such as new systems, telehealth expansions, cloud migrations, mergers, or after security incidents—and feed results into an actionable Risk Management plan.
Who should be designated as compliance officers?
Designate a Privacy Officer to oversee Privacy Rule obligations and a Security Officer to lead the security program. In smaller practices, one qualified individual may serve both roles if responsibilities are clearly defined and the person has authority and resources to act.
What steps should be taken after a HIPAA breach?
Immediately contain the incident, preserve evidence, and investigate. Conduct a risk assessment to determine if PHI was compromised, implement corrective actions, and issue required notifications to affected individuals—and, when applicable, regulators and media—within mandated timelines and any stricter timeframes specified in your BAA.