Step-by-step approach to HIPAA compliance

June 10, 2016

There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portability and Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources. The good news is that compliance might not be as difficult as it first appears.

Complying with HIPAA is not a one-time event. By taking a deliberate and forward-thinking approach, medical practices can ensure they continually meet the various requirements, and more importantly, keep patient data private and secure.

Understand the scope

A practice should first get a handle on what the requirements entail. The U.S. Department of Health and Human Services’ health information privacy website offers an overview, but organizations can quickly become swamped with too much information if they don’t know what to look for and what questions to ask. Therefore, it can be helpful to obtain guidance from professional associations or third-party vendors to learn which rules apply and when.

Quantify the gap

Perform a gap analysis to compare the practice's current state against what HIPAA requires. This will involve an in-depth review of existing policies, direct observation of day-to-day operations and conversations with staff members about how they maintain the security of patient health information. Again, practices may want to leverage a third-party resource, such as a software program or other side-by-side comparison tool, to streamline the process of correlating the actual state of data security with the requirements of HIPAA.

Craft the policies

Although creating these documents may seem like a tall order, don’t start from scratch. Consult credible internet sources or software vendors. Customize any policies to make sure they address the practice’s specific characteristics, risks and needs. Auditors will not take kindly to a small practice that has a HIPAA policy designed for a large health system. 

Provide training

A practice should then turn its attention to training. Once a year, it should offer a comprehensive HIPAA refresher course that reacquaints staff members with the legislation's pertinent elements and describes their roles in preserving patient data privacy and security.

In addition, practices should include a HIPAA education session in any new staff orientation. Consider offering quarterly educational activities that improve information retention and help staff members apply their knowledge.

Plan for the unexpected

Even with the best planning, incidents can—and do—still occur, so practices must have a defined response protocol. This should include how the practice will document a breach and address root causes to prevent future occurrences. It should also describe how the organization will communicate about the incident with patients, staff, the public and regulatory authorities. Locking down these details before an incident occurs can ensure an adequate and appropriate response.