Since the Privacy Rule became effective in 2003, the HIPAA laws have become increasingly complex, with very detailed compliance requirements that come with stiff fines and penalties for noncompliance. As a covered entity, you are also required to follow the Security Rule of 2005, the HITECH Act of 2009 and the 2013 Final Omnibus Rule.
It’s easy to view compliance as a one-time event. However, just as we instruct patients to brush and floss daily, your compliance program requires ongoing attention as well. In doing so, keep the following five core HIPAA requirements in mind:
1. Manuals
Even if you buy a fill-in-the-blank compliance kit, you must customize it. In the end, the policies and procedures must be specific to your practice. In selecting a manual, it’s important to know whether it includes an electronic copy and what type of support is provided after the sale. Both the Privacy and Security Rules require that you have up-to-date policies and procedures, and auditors will request copies of them.
2. Training
Attending CE courses is a good first step, but it’s not enough. Regulators will want proof your staff have been trained on your own policies and procedures. Both the Privacy and Security Rules have specific training requirements. For example, the Security Rule mandates that covered entities set up a security awareness/training program with ongoing security reminders and that all workforce members (employees, interns, contractors, etc.) receive security training.
Ensure new employees are trained upon hire and that all staff receive annual training.
3. Risk Assessments
You are required to conduct the mandatory security risk assessments on an annual basis — or more frequently if there are changes that could impact the security of your data, such as remodeling, equipment upgrades, staffing changes, etc. A risk assessment is a thorough evaluation of your administrative, physical and technical safeguards; it is not simply a checklist. It consists of a Threats and Vulnerability Assessment along with your Risk Management Plan to mitigate any risks you identified. Use checklists from your HIPAA manual or your IT vendor as guidelines. Your policies, procedures and risk assessments must back up what’s on the checklist.
And don’t forget to identify a Security Officer and Privacy Officer as required.
4. Notice of Privacy Practices (NPP)
Your NPP must be distributed to every new patient, and a copy must also be posted in a clear and easy-to-find location in your office as well as on your website. The Patient Acknowledgement of NPP form does not need to be updated every year. You are only required to re-distribute it when there is a substantive change, which was the case with the Omnibus Rule. And remember, there are other key sections of the Privacy Rule you should be familiar with, such as the permitted and authorized uses and disclosures of Protected Health Information.
5. Business Associate Agreements
The HITECH Act redefined Business Associates (BA) and made them directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements. BAs now include any person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
Business Associates include, but are not limited to, software and information technology vendors, cloud storage providers, clearinghouses, third-party billing, collection agencies and accrediting agencies. The Rule specifically states you are not required to have a BA agreement with entities that do not normally have direct access to PHI, such as contracted maintenance workers, janitorial services, repairmen or conduits like USPS or UPS.
In the end, it’s important that you separate myth from fact. If you’re unsure about anything you hear or read, fact check it by reading the Rule. You need cold, hard facts to be compliant. Keep current on HIPAA happenings and most importantly, share information with your team. The cost of preventive measures is worth the investment when you consider the fines can be as much as $50,000 per violation.
Good points. So many practices buy a manual and stick it on the shelf, but it’s so important to adapt the policies therein to their specific practices. Hopefully the ADA/CDA will engage dentists more in their education of HIPAA requirements.
Do you offer Webinars for additional trainings and updates?
I agree on making sure you have an in-house policy, but the manual is overwhelming. I too am asking if there are seminars or webinars available to cover the most important points…
Thanks everyone for your feedback and comments. Yes, we offer live webinar training on these topics that also fulfills the training requirements. Given the Office of Civil Rights is vowing to start the Phase Two mandatory audits early next year, it pays to be prepared. Feel free to call our office for details: 904-573-2232 (M-F 9-5pm ET).
Who has a good manual to buy… Sure would like one called “HIPAA for Dummies”. A webinar would be appreciated!
Dr. Parco–the best advice when researching HIPAA manuals is to determine who wrote the manual. I recently visited a practice where the CPA furnished some generic HIPAA policies (paper only–no electronic copies). In addition, the manual was lacking a suite of helpful forms, the risk assessment and risk management plan, etc. The ADA manual is very thorough and it comes with a CD-ROM to customize the policies. Setting aside time to customize the manual is key. It takes much more time than most offices realize. Our manual is written and updated by an attorney.
Are you saying that you provide a HIPAA manual that is not the ADA version? If so, do you provide customization?
Yes, Ernest. We use a manual that was written by and is reviewed annually by an attorney. We spend about 10-12 hrs customizing it for practices, which in our experience is about the same amount of time it takes to customize the ADA manual. In addition to the policies/procedures, we complete the required security assessments, contingency plan and risk management plan. Feel free to call our office if you’d like a custom proposal. 904-573-2232.