Medical Practice Policies and Procedures Required for HIPAA Compliance

April 30, 2014

The Medical Economics article published 4/24/2014, “Be Proactive to avoid HIPAA violations,” summarizes HIPAA and how best to develop procedures to avoid violations. The recommended policies and procedures listed below are the foundation on which HIPAA compliance is built, so medical practices should update and implement them to maintain compliance.

  • Privacy Policies
  • Security Policies
  • Incident/Breach Report/Log
  • Procedure for making records available to patients
  • Incident Response Plan
  • Complete Risk Assessment
  • Train Employees

Click on link for HIPAA guidance materials:

The article details the steps that should be followed for each of these policies and procedures. After the policies are updated, the practice must also complete a Notice of Privacy Practices (NPP) that explains the law and the practice’s obligations to the patient, including the following:

  • How Protected Health Information (PHI) can be used or disclosed
  • Patient’s rights
  • Practice’s legal obligations
  • Practice contact who can provide additional information

In addition to the practice’s obligations to secure PHI, any business associate also shares liability for a breach. Therefore it is important to draft and implement a Business Associate Agreement that clarifies these responsibilities and requires the business associate to abide by the agreement in order to do business with the practice (click on the link for the Office for Civil Rights’ (OCR) sample business associate agreement):

View the full article on Medical Economics:

Medical Economics additional resources for HIPAA: