NEMT HIPAA Compliance Checklist for Florida

1. Do you have a formally designated Privacy and Security Officer for your NEMT business?

2. Is documented HIPAA training conducted for all new employees and drivers within 30 days of hire?

3. Do you require all staff to undergo annual HIPAA refresher training?

4. Do you have written policies and procedures for reporting suspected Protected Health Information (PHI) breaches?

5. Do you maintain a log of all individuals who have access to PHI (e.g., dispatchers, drivers, billers)?

1. Are printed daily driver manifests or schedules kept in a locked compartment when the driver is away from the vehicle?

2. Is all physical paperwork containing patient data securely shredded (not just thrown away) at the end of every shift?

3. Is your physical office/dispatch center secured with restricted access to authorized personnel only?

4. Are workstation screens in the dispatch office positioned so they cannot be viewed by unauthorized visitors or through windows?

1. Is your NEMT dispatch and routing software fully encrypted and explicitly marketed as HIPAA-compliant?

2. Do you use an encrypted, HIPAA-compliant email service (e.g., secure Google Workspace/Microsoft 365) to transmit patient manifests?

3. Are all driver mobile devices (smartphones/tablets) protected by a strong passcode, PIN, or biometric lock?

4. Do you have the ability to remotely wipe patient data from a driver's mobile device if it is lost or stolen?

5. Does your dispatch software automatically log out inactive users after a set period to prevent unauthorized access?

1. Do you have signed Business Associate Agreements (BAAs) on file with all software vendors who store or process your PHI?

2. Do you have signed BAAs with any third-party billing services or collection agencies you use?

3. Do you explicitly prohibit drivers from texting patient names and addresses via standard, unencrypted SMS (like iMessage or Android Messages)?