Medical Practice Policies and Procedures Required for HIPAA Compliance
April 30, 2014
The Medical Economics article published 4/24/2014, “Be Proactive to avoid HIPAA violations,” summarizes HIPAA and how best to develop procedures that avoid violations. The recommended policies and procedures listed below are the foundation on which HIPAA compliance is built, so medical practices should update and implement them to maintain compliance.
- Privacy Policies
- Security Policies
- Incident/Breach Report/Log
- Procedure for making records available to patients
- Incident Response Plan
- Complete Risk Assessment
- Train Employees
Click on link for HIPAA guidance materials: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
The article details the steps that should be followed for each of these policies and procedures. After the policies are updated, the practice must also complete a Notice of Privacy Practices (NPP) that explains the law and the practice’s obligations to the patient, including the following:
- How Protected Health Information (PHI) can be used or disclosed
- Patient’s rights
- Practice’s legal obligations
- Practice contact who can provide additional information
In addition to the practice’s obligations to secure PHI, any business associate also shares liability for a breach. It is therefore important to draft and implement a Business Associate Agreement that clarifies these responsibilities and requires the business associate to abide by the agreement as a condition of doing business with the practice. Click on the link for the Office for Civil Rights’ (OCR) sample business associate agreement: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
View the full article on Medical Economics:
http://medicaleconomics.modernmedicine.com/medical-economics/news/be-proactive-avoid-hipaa-violations
Medical Economics additional resources for HIPAA:
http://medicaleconomics.modernmedicine.com/medical-economics/news/hipaa-how-protect-yourself-and-your-practice
- HIPAA Omnibus Rule
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
- HIPAA Security Rule Toolkit
http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf
- OCR Guidance on Risk Analysis
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
- OCR’s Enforcement Policy
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html