December 22, 2022

The end of the year is right around the corner and while you’re enjoying the festivities with friends and family (we love a good holiday tradition!), you might already be thinking about New Year’s resolutions. And if you are, props to you for not being a procrastinator. We bet your goals for the year may include eating healthier and learning a new skill, but what about getting compliant? Ensuring your organization is HIPAA and OSHA compliant should be a top priority for every practice – and it’s an easy goal to check off your list! Here are some quick tips to help you start the new year off on the right foot:

Complete your annual Security Risk Analysis and Facility Risk Assessment

This should be your top priority as it is the first piece of documentation you will be asked for in the case of a HIPAA audit or OSHA investigation. The SRA sets a baseline for your organization by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Much like the SRA, the FRA is an assessment of your facility’s environment that will help to identify, minimize, and eliminate hazards in the workplace. Keep in mind that both the SRA and FRA must be documented and must be more than a generic checklist. They should provide you with actionable information and insights into all risks and hazards within your organization.

Complete annual HIPAA and OSHA training

All staff members including doctors and part-time employees must complete annual training. A best practice is to conduct training in a modular type format with a quiz at the end so you have documentation to prove that training has been completed. When it comes to OSHA training, each facility is different so you must incorporate site-specific training in order to address any site-specific hazards.

Update all Policies, Procedures, Programs, and Forms

This is a big one! Without proper documentation that accurately reflects all procedures within your organization, you are not considered to be compliant! If you have been using some templates you found online or have a dusty manual sitting on a shelf, this is your sign to trash it and update your policies to be practice-specific. Don’t forget to implement a plan to routinely review all policies with staff members so they are up-to-date with the latest information as well.

Get signed Business Associate Agreements

In order to be HIPAA compliant, run an inventory list of all vendors you work with that have access to Protected Health Information (PHI). Some examples would include your IT vendor, EHR/PM system, and encryption provider. Once you have gathered all vendor information, double-check that you have a signed Business Associate Agreement with them. If you do, great! If not, be sure to reach out to them right away. If you don’t have a BAA in place with every vendor then you run the risk of getting slapped with your own HIPAA fine if a breach occurs.

Update your Safety Data Sheets

When it comes to OSHA compliance, Safety Data Sheets are essential for tracking and managing any hazardous chemicals in the workplace. Make sure you have a Safety Data Sheet for any chemical which is known to be present in the workplace, in such a manner that employees may be exposed to it under normal conditions of use or in a foreseeable emergency. The big takeaway here – these MUST be readily accessible to all employees. If you do not have a safety data sheet for a particular chemical, you should contact the manufacturer to obtain one.

And that’s it! If you follow these steps, there’s no doubt you will be in great shape when it comes to compliance. Still have questions or need help implementing a compliance program for your practice? Contact the experts (hey, that’s us!) at 800.594.0883 for all of your compliance goal-setting needs!
While we might not be giving up Chick-fil-a, enrolling in a new gym, or even improving our culinary skills, our resolution always remains the same – make compliance the easiest part of running your practice.
All Hands In For the OSHA Safety and Health Committee
October 21, 2022

Book clubs are cool. Fantasy football leagues deserve their moment. But do you know what the elite of all groups and clubs is? For us, it’s an OSHA safety committee. The US Department of Labor says, “the safety and health committee is an integral part of the safety and health program, and helps ensure effective implementation of the program at the establishment level.” We know firsthand that a group is always better together.

So what does a safety and health committee even do? The committee helps improve the organization’s understanding of workplace safety and encourages co-workers to follow best practices in order to prevent workplace injury and illness. Additionally, they review current safety programs and recommend changes, as needed, to all safety and health procedures. Think of this committee as a soundboard for employees to voice their concerns and recommendations. Although practices cannot always prevent injuries or illnesses, implementing a safety committee is a significant step to help lower injury and illness rates. And we all know, lower rates equate to happier employees.

The safety and health committee should meet regularly (we recommend a monthly cadence – quarterly at a minimum) and bring its findings to the OSO (OSHA Safety Officer). And because we like to give advice away for free ninety-nine, here are a few ideas to get you started:

Maintaining safety and health is very important, to say the least. And if the US Department of Labor hasn’t given you any indication of that, this is not a solo job. Now let’s get all hands in because it is everyone’s responsibility to ensure a safe work environment. On three… LET’S GO OSHA!

Want more state-specific guidance? Give us a call to discuss industry guidelines.
Kickstart your OSHA Compliance Program with a Facility Risk Assessment
October 11, 2022

If you are familiar with OSHA compliance, you may know that you need to complete a Facility Risk Assessment, otherwise known as a Workplace Hazard Assessment. Tomato, toe-mat-oh, right? Despite the differing names, it’s important to know that this assessment helps your organization to identify, minimize and eliminate hazards in the workplace with the goal of providing a safe and healthful work environment for all employees.

Think of your Facility Risk Assessment (FRA) as the meat and potatoes of your entire OSHA compliance program. This is a baseline survey of all the hazards in your workplace. Without properly identifying, and more importantly, documenting all hazards within your organization, you cannot move forward with the rest of your OSHA compliance program and cannot show that there is a culture of compliance within your organization. Additionally, in the case of an investigation, the FRA is going to be the first thing the government asks for, which is why it is so important that it is completed first.

What kind of questions does your FRA need to include?

Just as there is not a single recipe for a savory steak and potato meal, there is no single checklist to follow when it comes to completing a Risk Assessment for your organization. However, OSHA does recommend incorporating 7 core elements as part of your Facility Risk Assessment:

Once you have completed your Facility Risk Assessment, you should not tuck it into a folder and forget about it. Your FRA must be reviewed periodically to ensure that it is up to date and accurately reflects all processes and controls within your organization. It’s also important to keep in mind that all employees should be involved in the process of mitigating hazards identified from your FRA.

What’s the best way to tackle a Facility Risk Assessment?

If your organization has not completed an FRA before, or if you have but are not sure it was thorough, using an outside organization will help to ensure all areas of the FRA are fully completed and documented accordingly. A third party can also help add new areas and questions into the FRA that reflect changing regulations. Are you looking for help kickstarting your OSHA compliance program? Reach out to Abyde today for a customized, easy to complete FRA that is tailored to you and your organization.
Internal Communication Dos and Don’ts
October 6, 2022

Have you ever accidentally sent a text to the wrong person? Most of us have and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people have been impacted by a protected health information (PHI) breach just last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September!

Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication.

First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!).

If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement.

You may also be wondering about SMS/text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is related to scheduling. Keep all work-related communication through your secure provider or application.

Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include:

It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice.

Lastly, it’s important to remember that HIPAA is not a barrier law and, in fact, is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.
The Road to Meeting HIPAA Breach Reporting Requirements
February 23, 2022

Accidents happen, no matter how careful you try to be. That’s why a safe driver can find themselves in a fender bender and a “cyber-secured” healthcare practice can fall victim to a data breach. Without complete control over everything and everyone, there’s a risk we take just by connecting to the internet or getting behind the wheel. But while the 89% of providers who’ve experienced a cyberattack (and the vast majority of Florida drivers) have proven that you can’t always put the brakes on unpredictability – having an incident response plan in place helps to reduce the impact should an incident occur. So just as you wouldn’t flee the scene to turn a minor rear-end into a major hit and run, meeting HIPAA’s reporting requirements is key in preventing a minor breach from having major implications on your organization. Now whether you’re amongst last year’s 71% increase in healthcare data breaches, or just looking to take your breach response plan for a test drive, steering your practice in the right direction starts with understanding your responsibilities under the HIPAA Breach Notification Rule.

Assessing the Breach

Anything from an accidental mass email to a targeted ransomware attack can trigger a potential data breach. But the same way backing into a curb doesn’t necessarily warrant a police report, not every disclosure of protected health information (PHI) qualifies as a reportable breach. According to the Department of Health and Human Services (HHS), an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can determine that there is a low risk of the patient information being compromised. Properly assessing the scope of the situation helps in figuring out what type of data was exposed, who exactly was impacted, and how you should best handle the next steps. Determining the risk level can be done with the help of our related article: What to Assess in a Possible HIPAA Breach

Notifying the Right People

Once you’ve assessed the breach, it’s time to get your apology letters en route to the impacted patients. HIPAA requires covered entities to provide individual notifications “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” The specifics of what should be included in individual breach notifications can be found in our related article: What is the Breach Notification Rule?

Reporting in a Timely Manner

Considering the fact that 60-80% of data breaches go unreported, notifying the HHS (and any additional state-specific parties if applicable) is an essential step that is too often missed. HIPAA law drives home some pretty specific reporting timeframes that require:

The HHS has made it clear just how important timely notification is in reducing penalties resulting from a breach and has levied several fines, including a $2 million settlement with a hospital, for failing to report on time. So regardless of the number of people impacted, once a breach has been assessed and individual notifications have been sent, we recommend setting the HHS Breach Reporting Web Portal as your next destination.

Documenting in Entirety

Another step that practices too often speed past is documenting their breach response in entirety. With documentation usually taking the driver’s seat when it comes to proving the action your practice has taken in handling an incident, it’s important to keep a record of the breach analysis and reporting process for up to six years following the incident.

Mitigating Further Risk

And finally, whether it’s enhancing staff training, implementing stronger safeguards or just ensuring that your patients’ security remains a top priority moving forward – handling a data breach means mitigating whatever fueled it in the first place and taking measures to prevent any future incidents from happening down the road.

Some final words of advice? If you have experienced a breach in 2021 and have yet to report it – you should probably put the pedal to the metal before the deadline passes. And if you haven’t experienced a breach and want to keep it that way, having a complete HIPAA and security program is a great place to start. So while accidents aren’t always predictable or preventable, having safety measures in place – whether it’s a seatbelt or technical controls – can reduce your risk of an incident and help minimize the damage if there is one. Because when it comes to protection, it pays to go the extra mile – especially when there’s a solution out there like Abyde that puts your practice’s compliance on cruise control.
HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders
December 20, 2021

To combat HIPAA’s common misconception of acting as a barrier law, the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR) has continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary. While we’ve recently seen information published in response to HIPAA’s role in a public health emergency and disclosure of vaccination status – just today the government issued guidance addressing another widely important concern.

The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPO) and to prevent an individual in crisis from accessing firearms. This guidance follows suit with the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths.

The issued guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. HIPAA allows entities to share an individual’s PHI without authorization if they feel that the individual poses a danger to themselves or others, if the disclosure is required by law, or when the disclosure is in response to an order of a court or other lawful process. It details specific examples for each permission along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. This standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request.

In response to the issued notice, recently appointed OCR Director Lisa J. Pino states that, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential in not only improving the public’s safety but clarifying any confusion that could get in the way of doing that.

“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”

HIPAA plays a key role in not only protecting the privacy and security of patients’ health information but permitting health care providers to intervene in a safe and appropriate manner if ever necessary. So when it comes to keeping your patients’ and your practice’s best interests at heart, understanding HIPAA law and following guidance such as the one released today is vital.
Is Fraud, Waste and Abuse Training Required For My Practice?
August 27, 2021

It’s understandable for healthcare organizations to sometimes feel drowned by responsibilities. In addition to the ongoing balance of patient care and running a business that you’re already tasked with, having to add compliance into the mix can make for some especially muddy waters to tread. However, the compliance struggle is more than just having yet another thing added to your list. It is all of the complexity and confusion that surrounds it. And since the word “compliance” consists of many different legal, ethical and professional standards – it’s not always easy to decipher which items are a must-have to keep your practice afloat.

So when it comes to the responsibilities of your practice, though providing quality healthcare and protecting your patients is always a must, not all organizations have to follow the same requirements. Because of this, one question in particular that seems to leave practices scratching their heads is, “Are we responsible for providing fraud, waste, and abuse training to employees?”

What is fraud, waste and abuse training?

If you are familiar with fraud, waste and abuse (FWA) you most likely understand the impact it has on the healthcare industry and why it’s so important to prevent. All employees within a healthcare organization should know what FWA is and how to avoid it, the same as they should know what HIPAA is and how to protect patient health information. However, while annual HIPAA training is a legal requirement with specific stipulations for compliance – the rules are a bit different when it comes to the education for FWA.

Previously, the Centers for Medicare and Medicaid Services (CMS) required both Medicare Part C (Medicare Advantage) and Part D (Prescription Drug Coverage) plans along with all participating healthcare organizations to meet the annual fraud, waste and abuse training requirement. Training was to be provided to all employees within the first 90 days of onboarding and on an annual basis thereafter. The goal was to clearly identify what fraud, waste and abuse is and ensure all health plan providers and their “downstream, related entities” (a.k.a. healthcare organizations like you) have the know-how to properly detect, correct, report and ultimately prevent instances of FWA.

Now if you’re already meeting HIPAA training requirements (fingers crossed that you are) the stipulations for FWA training probably seem straightforward enough. However, in typical government fashion, with legislation comes continual change, and as of January 1, 2019, the CMS officially updated the standard to only apply to Medicare service providers – not Medicaid – based on the feedback they received regarding the burden of the requirement.

But before all the non-Medicare providers who are currently reading go to click the “x” at the top of this page, there are other specific insurance plans that may require their covered entity providers to complete some type of healthcare fraud training. One thing to keep in mind is even if your organization doesn’t fall into these parameters, providing FWA education for all employees is certainly beneficial.

So in getting back to that commonly asked question – the requirements for offering fraud, waste and abuse training really just depend on the healthcare plan that your organization provides. Luckily, finding answers can be a simple process as most plans provide their specific standards for not only training but general FWA compliance online. Additionally, there is the CMS’s online resource that’s free to the public.

In summary, including fraud, waste and abuse education as a part of your staff compliance training doesn’t have to be complicated. And with the costly impact that FWA and noncompliance can have on your organization, providing this training (even if you aren’t required) can make all the difference in keeping your practice’s head above water and avoiding a violation or fine that could otherwise put you under.
The Security Risk Analysis and its Many Misconceptions
August 13, 2021

HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail.

Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA) which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance and why does the SRA seem like an unsolvable puzzle in itself?

A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why, in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs the facts.

Myth #1: Small practices and independent providers don’t need to worry about the SRA.

False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law.

Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA.

False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR like paper records and files.

Myth #3: My IT company handles a full SRA.

False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks – but do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.

Myth #4: I can use a templated checklist to complete my SRA.

False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations which may differ from the types of things assessed in a template or generic checklist.

Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go!

False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although your organization does need to be conducting an SRA on a continual basis – this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least as well as any time there are changes to your practice or systems to identify any changes in risks and maintain the necessary safeguards within your organization.

While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern for how a small, independent practice is supposed to tackle all of this alone. Completing a comprehensive analysis (on an ongoing basis) along with the proper documentation and risk mitigation that’s required involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization. But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!
Fraud, Waste, and Abuse in Healthcare
August 6, 2021

Fraud, waste, and abuse are three little words that have impacted the rising cost of healthcare in a way that’s anything but little. Now, most are probably aware that U.S. health expenditures are growing at a rapid rate, and have been for many years. And while there are many reasons that resulted in the healthcare industry closing out 2020 with a whopping $3.8 trillion tab – ‘fraud’ is a five-letter word that can account for about $60 billion of it. So with an issue this common and costly, how can patients and providers help to stop it?

What is it?

Now, you’ve probably heard of fraud, waste, and abuse before and can associate each of them with nothing but bad news but what exactly do they mean to healthcare specifically?

Who can commit fraud?

The answer to this question is pretty much anyone. This includes doctors, patients, billing services…you name it. That being said, as a healthcare provider – it’s your job to not only ensure that you aren’t partaking in any fraudulent activities but are also on the lookout for your staff, patients, and billing providers.

How do I prevent it?

As a provider, it’s important to develop appropriate prevention policies for your organization that outline best practices for avoiding and detecting healthcare fraud, waste, and abuse. According to the HHS Office of the Inspector General, this program should “establish a culture within an organization that promotes prevention, detection, and resolution of instances of conduct that do not conform to Federal and State law, and Federal, State and private payer healthcare program requirements, as well as the organizations’ ethical and business policies,” and include some of the following components:

In helping to reduce and ultimately prevent fraud and abuse, it’s important for your organization to not only have the proper compliance programs in place but also take additional measures such as:

With billions of dollars lost each year to health care fraud in the U.S., and the costly impact an investigation could have on your organization’s reputation and revenue – it’s important to have the processes in place to detect and prevent fraud and abuse. Ensuring that your practice is meeting all areas of healthcare compliance, including a complete HIPAA program, is essential to keeping up with government standards and best protecting your patients. So while the rising cost of healthcare might not be totally avoidable, having the right compliance programs in place means that the expense of a HIPAA or fraud violation can be. And with the penalties ranging from fines of hundreds of thousands of dollars and some even resulting in jail time – proactively preventing incidents before they happen and ensuring complete compliance is priceless.
Your Organization’s HIPAA Rulebook: Policies & Procedures
June 21, 2021

Imagine if each sport didn’t have its own set of rules – we’d have baseball players tackling each other in the outfield and hockey players kicking the puck down the ice in front of a stadium full of confused fans with not a clue as to what they’re supposed to be cheering for. These unique sets of guidelines tailored specifically to each sport enable athletes to excel and spectators to appreciate what they’re watching. Without them, the games wouldn’t make much sense. So while the excitement of HIPAA is nowhere near anything you might find in a sports arena, having a rulebook specific to your organization is essential to ensuring patients’ sensitive information is being handled properly and HIPAA requirements are being upheld.

HIPAA law came into play back in 1996 to set a national standard for how protected health information (PHI) should be handled and protected. Part of its requirements include the implementation of reasonable and appropriate policies to comply with these standards, but what exactly does reasonable and appropriate mean? Essentially, your organization is required to have policies and procedures in place to set expectations for how PHI should be handled as well as guide daily work operations and ensure consistency in patient care. But just as the specific rules differ for a game of football versus tennis, a small eye care facility has different expectations and work operations than a large hospital would – and therefore requires its own unique HIPAA rulebook.

What Do These Documents Include?

For any HIPAA fanatics out there, you might already be familiar with the Security Rule’s provisions around the administrative, technical and physical safeguards necessary for protecting PHI which cover a wide range of requirements like completing a Security Risk Analysis (SRA), implementing facility access controls and maintaining up to date asset logs. So in looking at the documentation requirements, your policies should outline these required safeguards as well as the standard procedures for your organization to implement these protections. While the full list of documents and their included content will vary based on your organization’s size and specialty – there are some must-have elements that each rulebook should contain, including:

How Should These Policies & Procedures be Implemented?

While the list provided above is definitely extensive and probably brings along an image of an overflowing HIPAA manual, it’s only a sample size of all the policies and procedures that your organization could potentially need to implement. And while yes, you can find templates for the majority of these policies online and even some directly on the HHS website, they lack an especially important element of the HIPAA requirement – customization.

The latest HIPAA Industry Audit Report uncovered widespread non-compliance for the policy and procedure requirement – a major red flag being the common usage of “template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation” (their words not ours). This lack of entity-specific evidence came as a result of organizations not including details like their practice name and HIPAA Compliance Officer (HCO) contact information within each policy document – which are important elements of actually fulfilling this requirement.

In addition to providing specific details about your organization itself, another piece of the “customization” requirement is taking into consideration certain state laws that might take precedence over HIPAA. It’s important to ensure that policies covering things like breach reporting and responding to record requests meet the most stringent timeframes and requirements that apply to where your facility is located.

So in order to meet this important HIPAA standard, the ball is truly in your court. As new opponents like legislative changes, technology advancements, and evolving patient needs require adjustments in your organization’s operations – your policies and procedures must reflect these updates accordingly. But having the proper documentation and specific content included isn’t all that’s needed to make the cut. Providing employee training on a continual basis is essential to getting staff members up to speed on how they should be running the plays and ensuring that PHI is being handled correctly within your practice. So when it comes to developing a winning HIPAA strategy, having a comprehensive set of properly documented policies and procedures that are understood and followed by everyone within the organization is the best way to stay in the HIPAA compliance game.