Doctor Patient Relations

HIPAA Compliance: Six Steps to Protect Your Patients’ Privacy

By Robert Grant,

The Compliancy Group, AOAExcel Endorsed Business Partner
June 3, 2015

SYNOPSIS

Take six steps to protect your patients’ private information, and protect your practice from HIPAA violations.

ACTION POINTS

PLAN FOR MULTI-STEP PROCESS. Include risk analysis, implementation of policies and procedures, technological safeguards & vendor management.

CREATE HIPAA-FRIENDLY OFFICE ENVIRONMENT. Conduct physical site audit, and create areas where patients and staff can converse in private.

NOTIFY PATIENTS OF PRIVACY RIGHTS. Let patients know their HIPAA rights, and have them sign a form to prove they were notified.

Protecting your patients’ private information while they seek care in your office is a key practice responsibility. Failure to do this not only risks your patients’ trust; it puts your practice in legal jeopardy for violating your patients’ HIPAA privacy protection rights. Here are some key ways to ensure you don’t accidentally disclose or share information that should be no one’s business but your patients’ and their healthcare providers’.

Strengthening HIPAA Safeguards: Key Steps

Perform Risk Analysis. You must have a risk analysis that audits you for Administrative standards (policies and procedures), Technical standards (safeguards for the access and protection of ePHI that resides on your systems), and Physical standards (assessing how you are protecting the data within the four walls of your site(s)).

Fix Identified Privacy Risk. You must remediate (fix) all deficiencies that were found during the Risk Analysis and document what you did to resolve each deficiency.

Institute Policies & Procedures. You must have policies and procedures in place covering all aspects of HIPAA Privacy and Security and HITECH (Breach Notification).

Educate Staff. You must educate your staff with training and track their attestation to ensure they understand all the new policies and procedures in place to safeguard PHI.

Ensure Business Associates Also Are HIPAA Compliant. You must identify your business associates and make sure you have up-to-date BA Agreements in place, and if possible, obtain assurances that each BA is complying with the HIPAA Security Rule.

Create Culture of Compliance. Everyone on staff should understand that they must take HIPAA seriously and optimize the safeguarding of Electronic Protected Health Information.

Plan for Multi-Step Process

The most common mistake a practice makes in trying to become HIPAA compliant is thinking that completing a Risk Analysis, or having a set of Policies and Procedures in a three-ring binder, is sufficient. This is akin to applying a Band-Aid to an amputation.

The HIPAA standards require several components:

Risk Analysis: Discovery of deficiencies in relation to the HIPAA Privacy and Security Rules.

Risk Management: Remediation of those deficiencies.

Policies and Procedures: Addressing each section of the HIPAA Privacy and Security Rules.

Vendor Management: Proper Business Associate Agreements and assurances that the Business Associate is complying with the HIPAA Security Rule.

Staff Attestation: Staff has attested to each Privacy and Security Policy. Your staff must also complete a HIPAA 101 training course and successfully attest that they understand the basics of HIPAA.

Practice Due Diligence

The best way to avoid being fined by a HIPAA auditor is to show Due Diligence. What is that? Due Diligence is making a good-faith effort to comply with the rules, documenting all findings, and being able to show anyone your Compliance Plan and your efforts.

Optimize Technology to Enhance HIPAA Compliance

Practice technologies help practices comply with regulatory programs like Meaningful Use (MU) for the Centers for Medicare and Medicaid Services (CMS), where funds are distributed to incentivize practices to implement electronic patient records.

This requires, and ensures, that certain elements of patient records meet CMS criteria. This process makes complying with HIPAA Security a must. Why? Your incentive dollars are directly tied to complying with the HIPAA Security Rule.

It seems like just a small, innocuous check box on the application for MU. However, if you do not have the documentation of a HIPAA Security Audit, you will be penalized and must return the money you received. Did you know CMS reported that 79 percent of Covered Entities failed their MU audit? Unfortunately, the liability does not fall on your EHR vendor, nor is it their responsibility.

Provide Patient With Notice of Privacy Rights

Regardless of whether a patient is a portal user or an office patient, by law they must be provided with a Notice of Privacy Practices. Not only must they receive this notice, but patients must also provide their signature acknowledging that they have received it. The signature can be provided either electronically or on paper. The acknowledgement must be signed once and kept on file, and the notice must be presented again to existing patients if the form changes.

The Notice of Privacy Practices should be hanging in your waiting room. The easiest way to provide the notice is when the patient is visiting your office: along with your intake sheet, provide them with the notice and the acknowledgement form. One other note: it would behoove you to have a section on your intake sheet where a patient can list family and friends you may talk to about their condition; this will save you a lot of headaches in the future.

Train Staff to Protect Patient Privacy

The law requires your staff to be educated on the basics of HIPAA and requires attestation that your staff understands each individual policy in place regarding the Privacy and Security of Electronic Protected Health Information (ePHI). You do not need videos or lengthy training, but you do need to have a training program that explains to your staff the importance of protecting the data.

You need to educate them so they understand the policies you have in place and what each staff member should be doing to protect PHI. For example, your staff should meet weekly to discuss aspects of HIPAA that you have learned or read about. Discuss possible breaches and how to prevent them. With these types of exercises, you are building a culture of compliance within your practice.

There are many ways to train and educate your employees. You do need one individual, either the doctor or office manager, knowledgeable on the rules. The individual can educate himself or herself by listening to webinars, reading up on the rules, or by going to a crash course. There are various inexpensive ways to educate your lead and your staff. Remember, knowledge of HIPAA 101 and policies and procedures is what is required, not a four-year college degree on it.

Some ways to train are to hire an outside trainer, sign up for a training service, or use a tool that includes a completed compliance plan, such as The Guard from Compliancy Group.

Alter Office Environment to Protect Privacy

There is a requirement for a Physical Site Audit that identifies areas of concern in how your location is set up and deficiencies in the way you operate. This audit would look at issues such as not having a secure area to discuss a patient’s condition, computer or tablet screens that are in open view of the public, or the lack of an alarm system. I cannot stress enough that not only do you need to comply with the HIPAA Regulations, but you need to build and implement a Culture of Compliance. A Culture of Compliance means educating yourself and your staff to constantly look for areas of improvement to safeguard and protect patients’ private health information.

Robert Grant is co-founder and chief strategy officer for The Compliancy Group, an AOAExcel-endorsed business partner that simplifies the challenge of compliance, whether you are an experienced compliance expert or a front desk manager. The Guard, a simple, cost-effective, web-based solution, can help any-sized organization manage every aspect of HIPAA and Meaningful Use compliance. Use our proprietary Achieve, Illustrate, and Maintain methodology and experienced Compliance Coach support to address the entire set of HIPAA, HITECH, Omnibus, and PCI regulations. For more information, contact us at 855.854.4722 (855 85 HIPAA) to learn how simple compliance can be. To contact him: bob@compliancygroup.com
