How to Adhere to HIPAA
Section 1. Developing Policies and Procedures
Critical to the successful deployment of HIPAA guidelines by health practitioners is the development of internal policies and procedures that support the legislation. This is not optional, as there is the possibility of an audit in which the entity's documentation would be reviewed.
Although the details and scope of internal policies will vary, each covered entity must address the following:
- Drafting the entity's privacy notice outlining its policies regarding the acquisition, storage, and transmission of protected health information
- Developing a clear patient authorization form and a process for obtaining the patient's signature
- Identifying the minimum necessary access for each role or employee, and placing limitations on unneeded access
- Developing minimum necessary guidelines for use when disclosing patient information to another covered entity or business associate
- Developing a standard means of handling all requests for disclosure, including outlining the requirements to fulfill the request
- Developing a process to handle non-standard disclosure requests
- Creating a means for patients to request access to their medical record
- Drafting a document and a process to facilitate amendment requests
- Creating a business associate contract
- Devising a means for the efficient destruction of patient records, ensuring privacy
Section 2. Appointing a HIPAA Officer
Each health organization responsible for complying with HIPAA must appoint an officer responsible for overseeing the development and implementation of the policy. The appointed individual is personally responsible for a number of functions, such as ensuring that the policies and procedures mentioned above are written and that staff is thoroughly trained on the new requirements.
Section 3. Training Staff
Integral to implementing HIPAA provisions is the training of staff. Procedures can be written, but it is the team members who will carry them out. Failure to properly and thoroughly train staff can result in unauthorized disclosures, patient complaints, and even prosecution.
A covered entity is responsible for training any individuals who conduct business on its behalf, including staff, interns, consultants, and volunteers. It is important for staff members to understand their role in protecting patient health information and what limitations exist regarding access and disclosure of records.
Employees should clearly understand the HIPAA legislation, especially the privacy rule and minimum necessary guidelines. The training should be developed and facilitated by the HIPAA officer or their designated representative. Employees should be provided with copies of the company's privacy notice, patient authorization forms and any other materials to ensure familiarity.
In the training, it is helpful to use real world examples so that employees clearly see how their individual jobs are impacted by HIPAA. At the end of the course, all staff should be required to sign a document stating that they have been trained and fully understand their responsibilities under HIPAA. It is helpful to provide a yearly refresher course to ensure continued compliance, and to disseminate any updates to the legislation.
Section 4. Handling Policy Violations
Despite the development of policies and staff training, it is inevitable that there will be a policy violation at one point or another. In preparation for this, guidelines must be developed that outline how patient data breaches are to be handled. This should outline the steps in the process of investigating the incident, as well as reporting requirements and any repercussions that will result.
In the event that harm comes to a patient through the incorrect use or disclosure of their data, a covered entity is responsible for addressing the issue thoroughly, conducting retraining if needed, as well as taking corrective action against violators. This includes violations by internal employees, as well as business associates. All individuals that come into contact with PHI should be fully aware of what is considered a violation and the resulting consequences.
Section 5. Safeguarding Patient Information (paper and electronic)
The main focus of the privacy rule and a critical area for the administration of a health facility is to ensure proper safeguards are in place to protect patient health information. These safeguards include:
- Clearly identifying the access required by each employee, and limiting access to PHI based on this
- Removing PHI from common work areas where employees who do not have access may come across it
- Changing physical access to patient records as necessary, including access to computer files, securing file storage rooms, etc.
- Encouraging employees to avoid discussing patients in common areas, including using the patient's name and discussing particulars about their medical condition
- Forbidding employees to take patient records out of the facility to unsecured locations where patient data may be viewed by unauthorized persons
- Ensuring that all websites operated by the facility are secure and monitored regularly to avoid security breaches, and to deal with them expeditiously if detected
- Implementing routine internal audits to ensure compliance with the privacy rule by all departments and employees
It is the responsibility of the covered entity to maintain patient records in a secure manner. Files should never be taken off site and individuals who do not require access to patient records should not be given access to areas where they reside. This includes visitors to the facility and patients, as they are not a covered entity under HIPAA.
Patient records must remain stored on site and easily accessible in order to fulfill requests for disclosures, audits, and patient requests for access and amendment. In addition, the covered entity must maintain copies of its privacy notice, all policies and procedures, patient correspondence regarding access, amendments, and complaints, as well as business associate contracts. These documents and any others related to the implementation of the privacy rule must be retained for a minimum of six years.
In addition to the proper retention of documents, patient records must be disposed of in a way that ensures the utmost confidentiality. Employing a reputable document destruction firm is one option, as is designating an employee onsite to shred documents that are no longer needed after a certain time frame.
Food for Thought
What about small practices that have limited staff?
If you have worked in a health facility previously, were you aware who the HIPAA Compliance Officer was?
In order for the tenets of the privacy rule to be fully integrated into a facility's operations, a point person or team is required to oversee the development and implementation of the various components of ensuring patient privacy. This includes developing policies, training staff, and ensuring compliance.