A policies and procedures manual

February 6, 2004

Q: Am I required to put HIPAA privacy policies in writing for my staff?

A: Yes. Among the areas you need to address in your policies and procedures manual are: release of medical records, patient access to records, patients' right to amend their records, faxing medical information, permitted uses and disclosures of protected information, and complying with the "minimum necessary" standard—which generally limits the information doctors may disclose to the minimum necessary to accomplish a specific purpose.

Employees aren't the only ones who need to see your HIPAA policies in writing. Your policies also should be outlined in a Notice of Privacy Practices, which you probably distributed to all patients last April, and which you should give to all new patients. You should also make a good faith effort to have established patients sign an acknowledgment form, indicating that they've seen the notice. If there's a complaint, be prepared to share your policies with the Office for Civil Rights, US Department of Health and Human Services.

Q: Where can I find out more about how to prepare a HIPAA policy manual and a Notice of Privacy Practices?

A: Besides the federal government itself (www.hhs.gov/ocr/hipaa), many state medical societies make this material available on their Web sites or in hard-copy form. In many cases, you can customize these sample manuals and notices to suit your practice. Also consult your hospital (you can adapt its policies to your own practice) and an attorney familiar with HIPAA.