• Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

Step-by-step approach to HIPAA compliance

Article

There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portabilityand Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources.

There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portability and Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources. The good news is that compliance might not be as difficult as it first appears.

Complying with HIPAA is not a one-time event. By taking a deliberate and forward-thinking approach, medical practices can ensure they continually meet the various requirements, and more importantly, keep patient data private and secure.

 

Understand the scope

A practice should first get a handle on what the requirements entail. The U.S. Department of Health and Human Services’ health information privacy website offers an overview, but organizations can quickly become swamped with too much information if they don’t know what to look for and what questions to ask. Therefore, it can be helpful to obtain guidance from professional associations or third-party vendors to learn which rules apply and when.

Next: Quantify the gap

 

Quantify the gap

Perform a gap analysis to compare current performance with where future performance needs to be. This will involve an in-depth review of existing policies, visual observations of operations and conversations with staff members about how they maintain the security of patient health information. Again, practices may want to leverage a third-party resource, such as a software program or other side-by-side comparison tool, to streamline the process of correlating the actual state of data security with the requirements of HIPAA.

Craft the policies

Although creating these documents may seem like a tall order, don’t start from scratch. Consult credible internet sources or software vendors. Customize any policies to make sure they address the practice’s specific characteristics, risks and needs. Auditors will not take kindly to a small practice that has a HIPAA policy designed for a large health system. 

 

Provide training

A practice should then turn its attention to training. Once a year, they should offer a comprehensive HIPAA refresher course that reacquaints staff members with the legislation’s pertinent elements and describes staff members’ roles in preserving patient data privacy and security.

In addition, practices should include a HIPAA education session in any new staff orientation. Consider offering quarterly educational activities that improve information retention and help staff members apply their knowledge.

Next: Plan for the unexpected

 

 

Plan for the unexpected

Even with the best planning, incidents can—and do—still occur, so practices must have a defined response protocol. This should include how the practice will document a breach and address root causes to prevent future occurrences. It should also describe how the organization will communicate about the incident with patients, staff, the public and regulatory authorities. Locking down these details before an incident occurs can ensure an adequate and appropriate response.

Related Videos
Related Content
U.S. capitol congress © Sagittarius Pro - stock.adobe.com

UnitedHealth CEO to testify in House committee about Change Healthcare cyberattack

April 19th 2024
Article
How AI threatens the privacy of patient health data

How AI threatens the privacy of patient health data

February 8th 2024
Podcast
physician fees money concept © Nuttapong punna - stock.adobe.com

The case for having insurance companies pay physicians for prior authorizations

April 19th 2024
Article
Is too much regulation stifling health care innovation?

Is too much regulation stifling health care innovation?

October 10th 2023
Podcast
congress capitol house: © Gary Blakeley - stock.adobe.com

After Change Healthcare massive cyberattack, lawmakers consider what comes next in cybersecurity

April 16th 2024
Article
Headshot of Conrad L. Flick, MD (credit: Family Physician Network)

It’s time to address the needs of primary care

April 16th 2024
Article