Lynn Triffletti, CPC, is the vice president of coding/compliance at
There are more than 50 policies that medical practices may have to implement to comply with the Health Insurance Portability and Accountability Act (HIPAA), so it’s no wonder meeting these requirements may appear overwhelming, especially for smaller practices with limited time and resources. The good news is that compliance might not be as difficult as it first appears.
Complying with HIPAA is not a one-time event. By taking a deliberate and forward-thinking approach, medical practices can ensure they continually meet the various requirements, and more importantly, keep patient data private and secure.
A practice should first get a handle on what the requirements entail. The U.S. Department of Health and Human Services’ health information privacy website offers an overview, but organizations can quickly become swamped with too much information if they don’t know what to look for and what questions to ask. Therefore, it can be helpful to obtain guidance from professional associations or third-party vendors to learn which rules apply and when.
Perform a gap analysis to compare current performance with where future performance needs to be. This will involve an in-depth review of existing policies, visual observations of operations and conversations with staff members about how they maintain the security of patient health information. Again, practices may want to leverage a third-party resource, such as a software program or other side-by-side comparison tool, to streamline the process of correlating the actual state of data security with the requirements of HIPAA.
Although creating these documents may seem like a tall order, don’t start from scratch. Consult credible internet sources or software vendors. Customize any policies to make sure they address the practice’s specific characteristics, risks and needs. Auditors will not take kindly to a small practice that has a HIPAA policy designed for a large health system.
A practice should then turn its attention to training. Once a year, it should offer a comprehensive HIPAA refresher course that reacquaints staff members with the legislation’s pertinent elements and describes staff members’ roles in preserving patient data privacy and security.
In addition, practices should include a HIPAA education session in any new staff orientation. Consider offering quarterly educational activities that improve information retention and help staff members apply their knowledge.
Even with the best planning, incidents can, and do, still occur, so practices must have a defined response protocol. This should include how the practice will document a breach and address root causes to prevent future occurrences. It should also describe how the organization will communicate about the incident with patients, staff, the public and regulatory authorities. Locking down these details before an incident occurs can ensure an adequate and appropriate response.