Satisfy basic requirements.
Create a HIPAA Reference Manual.
Assign a Privacy Officer.
Implement staff/employee training and
document all sessions.
Incorporate HIPAA training in new-hire
orientation material and training.
Develop a Privacy Policy; stress
patient confidentiality to current and new employees
and emphasize compliance in subsequent training
sessions.
Incorporate the Privacy Policy in the Employee
Manual or Policy & Procedures Guidelines, and
outline expectations and the consequences of non-compliance.
Obtain a signed Confidentiality Agreement
from every workplace employee.
Review routine practices pertaining to
the physical handling and location of patient
charts.
Determine when, to whom, and for how long
charts are taken out of the record filing area.
Utilize sign-out procedures in order to
track individual patient charts.
Determine if charts are left in non-secure
areas where unauthorized viewing is possible.
Secure access from unauthorized individuals
and initiate multi-peril physical safeguards.
Develop and adhere to specific policy and
procedures pertaining to disclosure/release of
PHI. Document that all employees understand the policy
and procedures.
Ensure that all procedures comply with
federal and state laws pertaining to PHI retention,
access and release.
Ensure security measures are in place to
control both internal and external access to
computerized PHI. Utilize passwords.
Confirm that no unencrypted, unsecured
patient information is available over the Internet.
Utilize employee/staff safeguards such
as log-ins and passwords.
Back up PHI computer files regularly. Document
a disaster recovery plan outlining security measures.
Determine the level of PHI access and extent
of information each employee needs to have.
Audit measures should be built into electronic
systems to record each user access (user, date, time and
path) in order to verify compliance with privacy measures
and to support the patient's right to be furnished
an accounting of disclosures.
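The two items above (limit each employee's PHI access to what the job needs, and record who touched which record, when and by what path) describe what an electronic system has to do but not how. The following is an added example, written for this checklist and not FPIC's code nor any EHR product's, of a minimal tamper-evident PHI access log in Python: a role matrix enforces least privilege, every attempt (allowed or denied) is logged with user, timestamp, path and purpose, each entry hashes the one before it so a silently edited or deleted entry is caught on verification, and a query produces the entries a patient would be handed as an accounting of disclosures. The users, roles, patient identifiers and events are constructed for illustration.

```python
"""Tamper-evident PHI access audit log with least-privilege checks and an
accounting-of-disclosures query.

Added example for this checklist, not FPIC's code.  All roles, users,
patient identifiers and events below are hypothetical and constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical least-privilege matrix: chart sections each role may read.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical", "billing"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}


@dataclass
class AuditEntry:
    seq: int
    timestamp: str        # ISO-8601, UTC
    user: str
    role: str
    patient_id: str
    path: str             # e.g. "chart/P-1001/clinical"
    action: str           # "view", "disclose" or "denied"
    purpose: str          # why the record was accessed
    recipient: str        # outside party for a disclosure, else ""
    prev_hash: str        # hash of the preceding entry (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash slot itself, in a stable order.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PhiAuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def _append(self, **fields) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(seq=len(self.entries), prev_hash=prev, **fields)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def access(self, user, role, patient_id, section, purpose, when, recipient=""):
        """Enforce the role matrix and log the outcome whether or not access is granted."""
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        action = ("disclose" if recipient else "view") if allowed else "denied"
        self._append(timestamp=when.isoformat(), user=user, role=role,
                     patient_id=patient_id, path=f"chart/{patient_id}/{section}",
                     action=action, purpose=purpose, recipient=recipient)
        return allowed

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered since it was written."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def accounting_of_disclosures(self, patient_id, start_date, end_date):
        """Disclosures of one patient's PHI to outside parties between two
        YYYY-MM-DD dates (inclusive): date, recipient, what and why."""
        return [e for e in self.entries
                if e.patient_id == patient_id and e.action == "disclose"
                and start_date <= e.timestamp[:10] <= end_date]


def build_sample_log() -> PhiAuditLog:
    """Constructed sample events; not real patients or staff."""
    utc = timezone.utc
    log = PhiAuditLog()
    log.access("dr_lee", "physician", "P-1001", "clinical", "treatment",
               datetime(2024, 3, 4, 9, 15, tzinfo=utc))
    log.access("j.ortiz", "front_desk", "P-1001", "clinical", "no stated purpose",
               datetime(2024, 3, 4, 9, 20, tzinfo=utc))                 # denied
    log.access("m.chan", "billing", "P-1001", "billing", "legal_request",
               datetime(2024, 3, 5, 14, 0, tzinfo=utc), recipient="County Court (subpoena)")
    log.access("r.patel", "nurse", "P-2002", "clinical", "treatment",
               datetime(2024, 3, 6, 10, 30, tzinfo=utc))
    log.access("dr_lee", "physician", "P-1001", "clinical", "referral",
               datetime(2024, 3, 7, 11, 0, tzinfo=utc), recipient="Dr. Gomez, Orthopedics")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.accounting_of_disclosures("P-1001", "2024-03-01", "2024-03-31"):
        print(e.timestamp, e.path, "->", e.recipient, f"({e.purpose})")
```

Denied attempts are logged on purpose: a front-desk user repeatedly trying to open clinical sections is exactly the pattern a privacy officer reviewing the log should see. The hash chain only detects tampering; it does not prevent it, so the log itself still needs to be written somewhere the people being audited cannot alter.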
Position PC screens away from public view.
Keep charts out of view and limit access to
those with a need to know.
Ensure that all telephone, fax, e-mail,
and paper communication is HIPAA compliant.
Maintain a Business Associate Agreement
and Contract file.
Consider adding indemnification or hold
harmless language in business agreements or contracts
to protect against privacy breach.
Do not have arriving patients write the
nature of the illness or complaint on the sign-in
sheet if viewable by other patients or visitors.
Ensure that all conversations, including
telephone calls, entailing protected health information
are not audible to other patients or visitors.
Do not allow telephone calls of a clinical
nature about another patient to be taken when
in the examining room or in the presence of others.
Verify the validity of subpoenas and legal
documents requesting protected health information.
Shred or destroy medical records and protected
health information to ensure confidentiality.
Verify posting of the required Privacy
Notice.
Determine if multilingual notices, forms
and documents are indicated.
Confirm that accommodations required under
the Americans with Disabilities Act (ADA) are in
HIPAA compliance.
Maintain a current HIPAA reference and
resource file or manual.
Confirm that all authorizations and forms
utilized in the practice are updated or modified
to comply with HIPAA requirements.
Comply with state statutes that are more
stringent than HIPAA privacy regulations.
Disclaimer
NOTE: FPIC provides HIPAA guidance as a benefit
to its policyholders for educational and informational
purposes only. Any representations or written
reports rendered in conjunction with this benefit
should not be considered a certification of HIPAA
compliance, nor should they be interpreted as offering
legal, financial, or other professional services.
Policyholders that are developing policies and
procedures to comply with HIPAA's Privacy
Rule should seek legal and/or professional assistance
to be sure that an appropriate compliance plan
is implemented for their particular practice.