Since the Privacy Rule became effective in 2003, the HIPAA laws have become increasingly complex, with very detailed compliance requirements that come with stiff fines and penalties for noncompliance. As a covered entity, you are also required to follow the Security Rule of 2005, the HITECH Act of 2009 and the 2013 Final Omnibus Rule.
It’s easy to view compliance as a one-time event. However, just as we instruct patients to brush and floss daily, your compliance program requires ongoing attention as well. In doing so, keep the following five core HIPAA requirements in mind:
1. Policies and Procedures
Even if you buy a fill-in-the-blank compliance kit, you must customize it. In the end, the policies and procedures must be specific to your practice. In selecting a manual, it’s important to know whether it includes an electronic copy and what type of support is provided after the sale. Both the Privacy and Security Rules require you to have up-to-date policies and procedures, and auditors will request copies of them.
2. Training
Attending CE courses is a good first step, but it’s not enough. Regulators will want proof that your staff have been trained on your own policies and procedures. Both the Privacy and Security Rules have specific training requirements. For example, the Security Rule mandates that covered entities set up a security awareness/training program with ongoing security reminders and that all workforce members (employees, interns, contractors, etc.) receive security training.
Ensure new employees are trained upon hire and that all staff receive annual training.
3. Risk Assessments
You are required to conduct the mandatory security risk assessment on an annual basis — or more frequently if there are changes that could impact the security of your data, such as remodeling, equipment upgrades, staffing changes, etc. A risk assessment is a thorough evaluation of your administrative, physical and technical safeguards; it is not simply a checklist. It consists of a Threats and Vulnerability Assessment along with your Risk Management Plan to mitigate any risks you identified. Use checklists from your HIPAA manual or your IT vendor as guidelines, but your policies, procedures and risk assessments must back up what’s on the checklist.
And don’t forget to identify a Security Officer and Privacy Officer as required.
4. Notice of Privacy Practices (NPP)
Your NPP must be distributed to every new patient, and a copy must also be posted in a clear and easy-to-find location in your office as well as on your website. The Patient Acknowledgement of NPP form does not need to be updated every year. You are only required to re-distribute it when there is a substantive change, which was the case with the Omnibus Rule. And remember, there are other key sections of the Privacy Rule you should be familiar with, such as the permitted and authorized uses and disclosures of Protected Health Information (PHI).
5. Business Associate Agreements
The HITECH Act redefined Business Associates (BAs) and made them directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules. BAs now include any person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
Business Associates include, but are not limited to, software and information technology vendors, cloud storage providers, clearinghouses, third-party billing services, collection agencies and accrediting agencies. The Rule specifically states you are not required to have a Business Associate Agreement with entities that do not normally have direct access to PHI, such as contracted maintenance workers, janitorial services, repairmen, or conduits like USPS or UPS.
In the end, it’s important that you separate myth from fact. If you’re unsure about anything you hear or read, fact-check it by reading the Rule. You need cold, hard facts to be compliant. Keep current on HIPAA developments and, most importantly, share information with your team. The cost of preventive measures is worth the investment when you consider that the fines can be as much as $50,000 per violation.