Become HIPAA Compliant
HIPAA was enacted, initially, to ensure that workers kept their health insurance as they moved between employers. Since it was first enacted in 1996, however, HIPAA has undergone many changes and amendments to keep pace with modern technology and the way health data is stored and shared.
For your group to get on top of HIPAA compliance, you should first follow the steps below:
- Create privacy policies and procedures: Someone must be designated as a privacy officer. This person will need to learn about HIPAA, develop privacy policies and procedures for the practice, train staff, and make sure the privacy policies and procedures are being adhered to. HIPAA also states that you must have a process in place for staff to submit complaints concerning your practice’s policies and procedures, as well as sanctions for staff who breach the privacy rule.
- List your current and potential business associates: Review all the ways you use and share PHI to determine who fits the definition of a business associate. Business associates and groups must sign business associate agreements.
- Design a privacy notice: Once you have thought about how you use PHI, you will need to write a privacy notice that informs patients of your policies and procedures. You may want to obtain examples from other practices to help you with this task, but don’t simply copy someone else’s notice without carefully reviewing how it applies to you.
- Map the process for the privacy notice: Choose how you will give notice and who will be responsible for doing so.
- Determine your authorization needs: The privacy regulation grants patients the right to revoke or restrict an authorization.
- Decide how you will manage requests for PHI: You will need to write basic policies regarding the sharing of PHI.
- Integrate a system for controlling restrictions on PHI: Think about how you will manage PHI when patients restrict its use.
- Develop a procedure for logging and tracking disclosures: Under the privacy rule, you must be able to supply an accounting of disclosures (other than for TPO) to patients who ask for it. You will also have to decide how you will give patients access to their information and establish a procedure for patients to request amendments to their records. If you do not allow patient access to his or her PHI for the very limited and specific reasons described in the regulation or refuse to amend the record.