Banner

Article

Step-by-step approach to HIPAA compliance

Author(s):

Lynn Triffletti, CPC

There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portabilityand Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources.

There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portability and Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources. The good news is that compliance might not be as difficult as it first appears.

Complying with HIPAA is not a one-time event. By taking a deliberate and forward-thinking approach, medical practices can ensure they continually meet the various requirements, and more importantly, keep patient data private and secure.

 

Understand the scope

A practice should first get a handle on what the requirements entail. The U.S. Department of Health and Human Services’ health information privacy website offers an overview, but organizations can quickly become swamped with too much information if they don’t know what to look for and what questions to ask. Therefore, it can be helpful to obtain guidance from professional associations or third-party vendors to learn which rules apply and when.

Next: Quantify the gap

 

Quantify the gap

Perform a gap analysis to compare current performance with where future performance needs to be. This will involve an in-depth review of existing policies, visual observations of operations and conversations with staff members about how they maintain the security of patient health information. Again, practices may want to leverage a third-party resource, such as a software program or other side-by-side comparison tool, to streamline the process of correlating the actual state of data security with the requirements of HIPAA.

Craft the policies

Although creating these documents may seem like a tall order, don’t start from scratch. Consult credible internet sources or software vendors. Customize any policies to make sure they address the practice’s specific characteristics, risks and needs. Auditors will not take kindly to a small practice that has a HIPAA policy designed for a large health system. 

 

Provide training

A practice should then turn its attention to training. Once a year, they should offer a comprehensive HIPAA refresher course that reacquaints staff members with the legislation’s pertinent elements and describes staff members’ roles in preserving patient data privacy and security.

In addition, practices should include a HIPAA education session in any new staff orientation. Consider offering quarterly educational activities that improve information retention and help staff members apply their knowledge.

Next: Plan for the unexpected

 

 

Plan for the unexpected

Even with the best planning, incidents can—and do—still occur, so practices must have a defined response protocol. This should include how the practice will document a breach and address root causes to prevent future occurrences. It should also describe how the organization will communicate about the incident with patients, staff, the public and regulatory authorities. Locking down these details before an incident occurs can ensure an adequate and appropriate response.

Related Videos
Emma Schuering: ©Polsinelli
Emma Schuering: ©Polsinelli
Scott Dewey: ©PayrHealth
Related Content
Medicare fraud trial ©MaksymYamilianov - stock.adobe.com
November 21st 2024

Dallas jury finds practice liable for Medicare fraud that could result in more than $300 million in penalties

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company
September 20th 2024

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company

© Barclay Damon LLP
November 21st 2024

Physician discipline in the new age of telehealth

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy
June 28th 2024

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy

© Reset Medical and Wellness Center
November 14th 2024

What primary care physicians should know about NSR treatment

© rogerphoto - stock.adobe.com
November 12th 2024

AMA supports additional oversight for nonprofit hospital charity care