How to Adhere to HIPAA

Section 1. Developing Policies and Procedures

Critical to the successful deployment of HIPAA guidelines by health practitioners is the development of internal policies and procedures that support the legislation. This is not optional, as there is the possibility of an audit in which the entity's documentation would be reviewed.

Because covered entities encompass a wide array of health care organizations of varying size, patient contact, and resources, the types of internal policies developed will vary. Each organization or sole practitioner must thoroughly assess their position and operations against the requirements of the privacy policy and implement procedures accordingly. For example, a large health plan would require vastly different and more complex procedures than a small practice staffed with one or two physicians.

Although the details and scope of internal policies will vary, each covered entity must address the following:

  • Drafting the entity's privacy notice, which outlines its policies regarding the acquisition, storage, and transmission of protected health information
  • Developing a clear patient authorization form and a process for obtaining the patient's signature
  • Identifying the minimum necessary access for each role or employee, and placing limitations on unneeded access
  • Developing minimum necessary guidelines for use when disclosing patient information to another covered entity or business associate
  • Developing a standard means of handling all requests for disclosure, including outlining the requirements to fulfill the request
  • Developing a process to handle non-standard disclosure requests
  • Creating a means for patients to request access to their medical records
  • Drafting a document and a process to facilitate amendment requests
  • Creating a business associate contract
  • Devising a means for the efficient destruction of patient records that preserves privacy
  • Creating a process to notify patients in the event of a change in the entity's privacy policy

Section 2. Appointing a HIPAA Officer

Each health organization responsible for complying with HIPAA must appoint an officer responsible for overseeing the development and implementation of the policy. The appointed individual is personally responsible for a number of functions, such as ensuring that the policies and procedures mentioned above are written and that staff are thoroughly trained on the new requirements.

In addition to policy development and staff training, the HIPAA officer acts as the liaison to the facility's business associates, insurance payers, and other covered entities. The HIPAA officer is also responsible for developing the patient complaint process and overseeing internal investigations into misuse of patient health information. The name and contact information of the HIPAA officer must be published so that patients have a direct point of contact in the event of a disclosure violation. The HIPAA officer will ensure that the facility's privacy policy notice is readily available and will cooperate with any investigation initiated by the U.S. Department of Health and Human Services.

Section 3. Staff Training

Integral to implementing HIPAA provisions is the training of staff. Procedures can be written, but it is the team members who will carry them out. Failure to properly and thoroughly train staff can result in unauthorized disclosures, patient complaints, and even prosecution.


A covered entity is responsible for training any individuals who conduct business on its behalf, including staff, interns, consultants, and volunteers. It is important for staff members to understand their role in protecting patient health information and what limitations exist regarding access and disclosure of records.

Employees should clearly understand the HIPAA legislation, especially the privacy rule and the minimum necessary guidelines. The training should be developed and facilitated by the HIPAA officer or their designated representative. Employees should be provided with copies of the company's privacy notice, patient authorization forms, and any other materials needed to ensure familiarity.

In the training, it is helpful to use real-world examples so that employees clearly see how their individual jobs are affected by HIPAA. At the end of the course, all staff should be required to sign a document stating that they have been trained and fully understand their responsibilities under HIPAA. A yearly refresher course helps ensure continued compliance and is a convenient way to disseminate any updates to the legislation.

Section 4. Handling Policy Violations

Despite the development of policies and staff training, it is inevitable that a policy violation will occur at one point or another. In preparation for this, guidelines must be developed that outline how patient data breaches are to be handled. These should describe the steps for investigating the incident, the reporting requirements, and any repercussions that will result.

In the event that harm comes to a patient through the incorrect use or disclosure of their data, the covered entity is responsible for addressing the issue thoroughly, conducting retraining if needed, and taking corrective action against violators. This applies to violations by internal employees as well as by business associates. All individuals who come into contact with PHI should be fully aware of what constitutes a violation and of the resulting consequences.

Section 5. Safeguarding Patient Information (paper and electronic)

The main focus of the privacy rule and a critical area for the administration of a health facility is to ensure proper safeguards are in place to protect patient health information.

Measures to safeguard PHI must encompass many areas including:
  • Clearly identifying the access each employee requires, and limiting access to PHI accordingly
  • Ensuring that the company's privacy policy is clearly visible and that employees have been trained on its contents
  • Removing PHI from common work areas where employees who do not have access may come across it
  • Controlling physical access to patient records as necessary, including access to computer files, securing file storage rooms, etc.
  • Encouraging employees to avoid discussing patients in common areas, including using the patient's name or discussing particulars of their medical condition
  • Forbidding employees from taking patient records out of the facility to unsecured locations where patient data may be viewed by unauthorized persons
  • Ensuring that all websites operated by the facility are secure and monitored regularly to avoid security breaches, and to deal with them expeditiously if detected
  • Implementing routine internal audits to ensure compliance with the privacy rule by all departments and employees

Section 6. Record Retention and Destruction

It is the responsibility of the covered entity to maintain patient records in a secure manner. Files should never be taken off site, and individuals who do not require access to patient records should not be given access to the areas where they reside. This includes visitors to the facility and patients, as they are not covered entities under HIPAA.

Patient records must remain stored on site and easily accessible in order to fulfill requests for disclosure, audits, and patient requests for access and amendment. In addition, the covered entity must maintain copies of its privacy notice, all policies and procedures, patient correspondence regarding access, amendments, and complaints, as well as business associate contracts. These documents, and any others related to the implementation of the privacy rule, must be retained for a minimum of six years.

In addition to the proper retention of documents, patient records must be disposed of in a way that ensures the utmost confidentiality. Employing a reputable document destruction firm is one option; another is designating an on-site employee to shred documents that are no longer needed after a set time frame.

Food for Thought

There are a lot of administrative components to adhering to the HIPAA privacy rule. Do you think most facilities fully carry out the required tasks?

What about small practices that have limited staff?

If you have worked in a health facility previously, were you aware who the HIPAA Compliance Officer was?

In order for the tenets of the privacy rule to be fully integrated into a facility's operations, a point person or team must oversee the development and implementation of the various components that ensure patient privacy: developing policies, training staff, and verifying compliance.