WHAT IS HIPAA?
HIPAASimple.com subscribers - review these shaded items ONLY
About This Tutorial
The HIPAA Regulations are long and complex. However, for healthcare providers in private practice they can be scaled and simplified for better understanding. This tutorial suggests what is required for a practice to be in compliance with the HIPAA Privacy Regulations.
For HIPAASimple.com subscribers, there are some daily operations that will change to accommodate HIPAA. You will be guided through these as you complete our simple steps to compliance. Then, as other issues or questions come up, you call us for guidance.
The documents, forms, and materials needed to be in compliance are available by subscription on our website, www.HIPAASimple.com
This is our opinion of how to summarize the HIPAA Regulations for most health care providers in private practice. It is not a legal document or advice of any kind. It is a condensed version that gives guidance on many of the issues that private practices will face. If you seek legal or professional advice for your specific situation, you should consult a qualified professional in your area.
NON-subscribers should review and understand this entire tutorial
With HIPAASimple.com, you don't have to become an expert in HIPAA. We think about it for you.
Doing HIPAA on Your Own
If you build a 'Do It Yourself' HIPAA solution, here are some of the things you will need (all documents and agreements will have to contain specific wording to be valid):
- Valid notice about your privacy practices given (or in some cases available) to all patients.
- Valid agreement for all vendors that receive or create patient information on your behalf.
- Specific policies and procedures in your office designed to meet the HIPAA requirements.
- One person on your staff ('privacy officer') who will design your policies and procedures, and answer questions on HIPAA.
- Training for everyone at your practice, so they will know and follow your specific privacy policies and procedures.
- Specific handling of certain computer operations.
- Handling of complaints, violations, mitigation, and sanctions.
- Special rules to handle specific requests the patients make concerning their health information, such as: accounting of disclosures, amendment, access, confidential communications and restrictions.
- Valid documentation of all privacy/security activities.
HIPAASimple.com accomplishes these for you with a simple online solution.
NONE of these are true...
Some of the Many Myths about HIPAA
- "I don't need to do anything in my practice. I signed an agreement at the hospital, and that covers me." (A physician in Illinois)
- "The regulations still are so restrictive, it will make it difficult for physicians to discuss cases with one another." (A pathologist quoted in the Birmingham Business Journal)
- "The regulations are impossible to comply with. There's no way these will be enforced." (An internist in New Mexico)
- "Specialists often have discussed cases with me as a favor, at no charge, and so I've been able to save the patient a visit and the cost of seeing that specialist. I can't do that now." (a family physician in Alabama)
- "You have to switch your charts from names to numbers." (A supplier of charting materials, in their catalog)
- "You can't call the patient from the reception room by name." (A clinic manager in Texas)
- "If a patient overhears a conversation about another patient, you have broken the law." (A Montana surgeon)
- "We've always been HIPAA compliant" (meaning we've always been careful with patient records - A Florida Family Physician, in an article in Medical Economics Magazine, June, 2003)
- "The regulations require you to give patient information to law enforcement." (An office manager in Colorado)
- "You can't send a friend or family member to the pharmacy to pick up a prescription." (A consultant in Tennessee)
- "Every physician in private practice must comply with the regulations" (An attorney in South Carolina)
- "You must train your entire staff on the HIPAA regulations." (An advertisement for a HIPAA training course)
Let HIPAASimple.com set you straight
HIPAA Overview
Health Insurance Portability and Accountability Act (HIPAA) - passed by Congress in 1996.
This act covers such items as:
- Group And Individual Insurance Reform (e.g. portability, pre-existing conditions)
- Fraud And Abuse
- Tax-Related Health Provisions (e.g. medical saving accounts)
- Administrative Simplification (protects the privacy and security of health information, standardizes the exchange of electronic data): National Identifiers, Transactions and Code Sets, Privacy, and Security are listed under this provision.
For healthcare providers, the Administrative Simplification regulations affect how healthcare is delivered and administered. The three parts that affect a practice day to day are: (1) Transactions and Code Sets, (2) Privacy, and (3) Security. HIPAASimple.com is for compliance with the PRIVACY and SECURITY Regulations.
This tutorial covers Privacy and Security in private practice
HIPAA Transactions and Code Sets
This part of HIPAA concerns the standardization of electronic transmission of health information. It identifies several 'standard' transactions (claims, referrals, eligibility verification, etc.), and defines the electronic format for each one. Everyone who does any of these electronic transactions must use these formats.
Compliance with this regulation in private practice usually depends on your software vendor and/or claims clearinghouse modifying their software to match these standards. Compliance was required by October 16, 2002, UNLESS you filed a compliance-plan extension with the Department of Health and Human Services before then, which moved your deadline to October 16, 2003.
This is normally done by your software vendors
This small portion of HIPAA is hundreds of pages long
HIPAA Privacy Regulations
HIPAA's intent is to ensure the right of individuals to keep information about them from being disclosed. Although health care providers have been protecting patient privacy for decades, the Privacy rule was created to safeguard the records that hold personal health information. Paper records, electronic records, and oral communications are all covered. Oral communication ranges from paging a patient over the intercom, to whispering in a hallway or elevator, to cell phone conversations.
HIPAA addresses the method and extent of using and divulging health information IN THE NORMAL COURSE OF DAILY TREATMENT AND OPERATIONS. It gives the patients an expansive right to know and control how their information is used. Its intent is not to interfere with healthcare delivery, however it will make the ADMINISTRATION of healthcare delivery more complex.
HIPAASimple.com combines Security and Privacy into one solution
HIPAA Security Regulations
The Security sections intend to keep patient health information safe in electronic systems and networks. They affect policies on access to workstations and servers, system logins, timeouts, backups, passwords, and encryption of transmissions over public networks (such as the Internet).
The final compliance date for the Security regulation is April 20, 2005 (small health plans have one additional year). There might be changes to the regulation before that date, as there were with the Privacy regulation.
Although the Privacy and Security regulations are interwoven, the deadline for the Privacy regulation is past, and must be addressed. HIPAASimple.com is combining compliance with the Security regulations into our existing Privacy Solution.
With HIPAASimple.com, compliance is easy
Who Must Comply?
Most healthcare providers must comply with HIPAA. Those who don't may want to comply anyway.
HIPAA Privacy applies to 'covered entities:' all health plans; all health care clearinghouses; and any health care providers who transmit health information in electronic form in connection with any of the standard transactions.
This means if you or your organization provides healthcare in private practice,
AND you transmit or receive standard health information (listed below) ELECTRONICALLY...
YOU MUST COMPLY. (April 14, 2003 was the 'due date' for Privacy compliance.)
Note that if someone else files any of your claims electronically, or does any other standard healthcare transaction (listed below) for you electronically, the regulations apply as if you performed them yourself. You must comply. Also remember that (as of October 2003) all practices with 10 or more employees that file to Medicare must file electronically, which would make them 'covered entities.'
Note also the two 'wire' transmissions that are specifically EXCEPTED from the definition of 'electronic': telephone conversations and paper-to-paper faxes (not computer-generated faxes). They are excepted because the information was not in electronic form before it was transmitted.
THE 'STANDARD TRANSACTIONS' ARE:
- Health care claims or equivalent encounter information
- Health claims attachments
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care payment and remittance advice
- Health plan premium payments
- First report of injury
- Health care claim status
- Referral certification and authorization
- Coordination of benefits
- Other transactions that HHS may prescribe by regulation
Patients may not understand that some providers don't have to comply
Risks of Non-compliance
Unlike the widely ignored False Claims Act, HIPAA Privacy involves your ongoing relationship with your patients, not problems with payors. Patients will know within five minutes of being in your office, whether or not you have a Privacy compliance program in place. Plus, ANYONE can file a complaint about you, not just a concerned patient.
Patients cannot sue a provider using HIPAA. But HIPAA compliance is already being used in other legal actions, such as invasion of privacy and violation of confidentiality. It may be used to demonstrate either a good faith effort to protect privacy, or, if there is no compliance, negligence.
Violations can bring hefty fines and lengthy prison terms
Complying as Related Entities
HIPAA allows two classes of legally separate entities to join together in Privacy/Security compliance:
Organized Health Care Arrangement (OHCA): separate entities that are 'clinically integrated' can join into an OHCA for compliance. This might apply when legally separate providers share office and/or staff, treat (at times) the same patients, and appear to the patients to be unified. If so, these providers can agree to comply with HIPAA as a single entity.
Affiliated Entities: when entities are legally separate, but share common ownership or control, they can agree to comply with HIPAA as a single entity. This might apply if the providers in a practice also share ownership with a treatment center.
You might share the work with those who share your office
WHAT INFORMATION IS PROTECTED
Anything about patients and their health or payment for health care, is PHI
Protected Health Information (PHI)
HIPAA Privacy and Security is About Protecting Health Information.
The regulations are specific concerning what is defined as health information, and the different classes of information within that definition. Protected Health Information (PHI):
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The exceptions in the HIPAA definition are certain education records covered under the Family Educational Rights and Privacy Act (FERPA), and employment records that a covered entity holds in its role as an employer.
A name by itself, with nothing connecting it to health care or to payment for health care, is not PHI. Health information that cannot be linked to an individual patient is not PHI.
Even 'non-permanent' information must be protected
Examples of PHI (Protected Health Information)
The things that go into a patient's 'chart' are PHI. But the following are examples of other items that are, as well:
- An insurance claim or EOB
- An accounts receivable report with patient last names
- A list of co-pays received with last names and check numbers
- A schedule of patients to be seen, and the reasons for the appointments
- A 'sticky' note with a patient's name and the words 'claim for March 23 denied'
- A recorded phone message giving the person's name and the reason they want an appointment
- A lab request to be sent with a specimen
- A referral request
- A computer screen showing a patient's name and text or graphic representation concerning their health
- An x-ray with a patient's last name
- A discussion about a recent procedure performed where the patient's last name was mentioned
- The 'office side' of a phone call where the patient's name and the reason they wanted to speak to a nurse are repeated
Your policies and procedures must address protecting ALL PHI
Patients have a right to access their records (the Designated Record Set)
Designated Record Set
The designated record sets are all of the records that are available for access by patients, according to the Privacy regulations.
The purpose of the designated record sets is to allow certain, limited miscellaneous information to be omitted from the records you must maintain and provide for patient access. Omitted information might include old appointment books and sign-in sheets, and records of phone calls to or from the patient. Remember, if you use the information as part of the permanent record, for billing, or for decisions made about the patient, you cannot omit it. Also, omitted items must still be protected from disclosure.
For covered health care providers, designated record sets include, at a minimum, the medical record and billing record about individuals maintained by or for the provider. In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. Note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity’s designated record sets.
Basically, you will give patients access to their 'chart' and billing history, whether held by you or a Business Associate
The rules for de-identification are long and complex.
De-identified Information
The Privacy regulations allow you to freely use and disclose de-identified health information. Health information is de-identified, or not individually identifiable, under the Privacy Rule if it does not identify an individual and if the covered entity has no reasonable basis to believe the information can be used to identify an individual. The Rule gives two methods to accomplish de-identification: the 'safe harbor' method, which removes a specified list of identifiers (names, dates other than the year, geographic detail smaller than a state, phone numbers, Social Security and medical record numbers, and so on) and requires that you have no actual knowledge that what remains could identify the patient; and the 'expert determination' method, in which a qualified statistician documents that the risk of re-identification is very small.
This might be used for research, summary reporting, or other purposes.
Limited Data Set
The Privacy Rule allows use of health information for research, public health, or health care operations if the "covered entity (1) uses or discloses only a 'limited data set'" (as defined), and (2) "obtains from the recipient of the limited data set a 'data use agreement'” (as defined).
The Limited Data Set contains more information than de-identified health information, and includes data (such as dates and city, state, and ZIP code) that is useful for the three purposes given. The provision intends for the data use agreement to protect the data, while allowing the three listed activities to continue effectively.
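The two sections above (De-identified Information and Limited Data Set) differ mainly in which fields survive. The following Python code is an added example, not from the original page or from HIPAASimple.com, that applies both transformations to a patient record so the difference is visible side by side. The transformation rules follow the Safe Harbor list in 45 CFR 164.514(b)(2) and the limited data set definition in 164.514(e)(2); the field names, the sample patients, and the small-population ZIP prefix list are constructed for illustration.

```python
"""Safe Harbor de-identification vs. limited data set (added example).

Safe Harbor: remove direct identifiers, reduce dates to the year, report
ages over 89 as "90+", keep only the state and the first three ZIP digits.
Limited data set: remove direct identifiers but keep dates and city/state/ZIP;
the result is still PHI and may only be released under a data use agreement.
"""
import re
from datetime import date

# Direct identifiers removed under both methods (illustrative field names).
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn", "account_number"}
# Dates directly related to the individual; Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# ZIP3 prefixes covering 20,000 people or fewer must be reported as "000".
# Illustrative placeholder; in practice derive this set from current Census data.
SMALL_ZIP3 = {"036", "059", "102"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def scrub_text(text: str, keep_dates: bool) -> str:
    """Redact patterned identifiers inside free text (notes, phone messages)."""
    text = SSN_RE.sub("[SSN]", text)
    if not keep_dates:
        text = DATE_RE.sub(r"\1", text)  # month/day removed, year kept
    return PHONE_RE.sub("[PHONE]", text)


def age_bucket(dob: date, as_of: date) -> str:
    """Age in years as of a date; ages 90 and over are aggregated."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def zip3(zip_code: str) -> str:
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of the record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue  # city is a geographic unit smaller than a state
        if field == "dob":
            out["age"] = age_bucket(value, as_of)  # year of birth is dropped
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = value.year
        elif field == "zip":
            out["zip3"] = zip3(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value, keep_dates=False)
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Return a limited data set: direct identifiers out, dates and geography in."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        out[field] = scrub_text(value, keep_dates=True) if isinstance(value, str) else value
    return out


# Constructed sample records: fictional patients, for illustration only.
AS_OF = date(2003, 6, 12)
SAMPLE = {
    "name": "Jane Q. Sample", "street_address": "12 Example Lane",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "dob": date(1931, 3, 9), "admit_date": date(2003, 6, 12),
    "phone": "555-0101", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt called 555-0101 on 06/12/2003; SSN 000-00-0000 on file.",
}
ELDERLY = {
    "name": "John Q. Sample", "street_address": "9 Test Road",
    "city": "Sampletown", "state": "NH", "zip": "03601",
    "dob": date(1910, 1, 1), "admit_date": date(2003, 2, 2),
    "mrn": "MRN-0002", "diagnosis": "Hip fracture",
    "notes": "Family contact 555-0199.",
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE, AS_OF))
    print("Safe Harbor (90+):", safe_harbor(ELDERLY, AS_OF))
    print("Limited data set:", limited_data_set(SAMPLE))
```

Two caveats a practitioner should keep in mind. The regular expressions only catch patterned identifiers (Social Security numbers, phone numbers, slash dates); a patient's name or a relative's name typed into a free-text note is also an identifier, so notes need review before they are treated as de-identified. And Safe Harbor output is de-identified only if you also have no actual knowledge that the remaining fields (a rare diagnosis in a small town, for example) could identify the patient; the limited data set never stops being PHI, which is why the data use agreement is mandatory.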
Many practices will not encounter a need for de-identified or limited data sets
The records that meet this specification are very limited
Psychotherapy Notes
The Privacy Rule OMITS from the Designated Record Set a special class of records referred to as Psychotherapy Notes. This means that these records, although they must remain confidential, do not have to be preserved and maintained for patient access.
GENERALLY SPEAKING, if certain notes are part of the permanent record, are used in billing, are used to make diagnosis or other treatment decisions, or would be provided to another professional in assisting with treatment, they do NOT meet the criteria. The notes a mental health professional would keep separate, not disclose to others, and only use to recall things said in a previous session could qualify.
This ONLY applies to Mental Health Professionals
HIPAA REGULATES USES AND DISCLOSURES OF PHI
'USE' means internal to your practice, 'DISCLOSURE' means outside of your practice
Use and Disclosure Overview
You are required by HIPAA to disclose protected health information (PHI) only to: (1) the patient; and (2) the Department of Health and Human Services, to verify HIPAA compliance.
You are permitted to use and disclose PHI without patient authorization for: (1) treatment, payment and health care operations; (2) in a select set of public policy situations; and (3) 'incident to' any allowed use or disclosure.
You are permitted to use and disclose, without patient authorization, a very limited amount of PHI for research, public health, fundraising, and some other health care operations, if specific limitations and agreements are in place.
You are permitted to use and disclose PHI with the patient's informal agreement (the patient is told and given a chance to object) to: (1) a personal representative, family member, or friend involved in the patient's care (with some limitations); and (2) to locate and/or notify such a person.
You are permitted to use and disclose PHI for any other purpose with formal patient authorization.
NO OTHER USE OR DISCLOSURE OF PHI IS ALLOWED.
Required Use and Disclosure
You are only required by the HIPAA Privacy regulations to disclose patient health information to (1) the patient, on request, and (2) to the Secretary of Health and Human Services (or authorized representative) to verify compliance with this regulation. Otherwise, uses and disclosures are permitted under various conditions, restrictions, and stipulations.
Except for these two, you cannot violate HIPAA by NOT using or disclosing PHI
Uses or Disclosures not specifically allowed are considered VIOLATIONS OF THE LAW
Permitted Uses and Disclosures
Under HIPAA you are PERMITTED to use or disclose health information:
- For treatment, payment, or health care operations (as defined);
- Incident to a use or disclosure otherwise allowed;
- According to an authorization given by the patient;
- To a personal representative, a family member or friend involved in the patient's care, or for notification of such a person; and
- In a select set of public policy situations.
The restrictions, requirements, and conditions of each of these is discussed further in the next topics.
You may USE or DISCLOSE PHI for these three functions
Patient authorization is NOT required for these three functions
You will need to cover these issues in your 'Notice of Privacy Practices'
Treatment, Payment and Health Care Operations
1. TREATMENT means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care with a third party; consultation between health care providers; or the referral of a patient to another provider.
2. PAYMENT means the activities undertaken by a health care provider to obtain or provide reimbursement for the provision of health care to an individual. These activities include, but are not limited to:
- Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
- Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
- Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
- Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: Name and address; Date of birth; Social security number; Payment history; Account number; and Name and address of the health care provider and/or health plan.
3. HEALTH CARE OPERATIONS means any of the following activities:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of the entity, including, but not limited to: Activities relating to compliance with this regulation; Customer service, provided that protected health information is not disclosed to such customer; Resolution of internal grievances; The sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity; and creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
We include detailed definitions here because these three functions encompass MOST (and in many cases ALL) of what private practices do with PHI
Disclosing PHI outside of your organization for these three functions is permitted, but may require a Business Associate Agreement (see below)
'Reasonable Safeguards' include being in compliance with the HIPAA Regulations
Incidental Disclosure
The Privacy regulations do not find incidental or unintentional disclosures of health information a violation of the regulations, provided:
- The entity took reasonable precautions and safeguards to prevent this disclosure from occurring; and
- The entity was engaged in a lawful use or disclosure when the incidental or unintentional disclosure occurred.
This means that if someone overhears a conversation while in a hallway or semi-private room, if someone sees a name on a chart at the front desk, etc., this disclosure is NOT a violation, provided reasonable safeguards to prevent these from occurring are in place.
The regulations do not intend to demand remodeling of facilities
Family and Friends
You can disclose personal health information to a family member, friend, or personal representative to enable them to assist in the patient's care, or in order to locate such a person for notification. You can only do so if you first notified the patient of your intentions, and gave them the opportunity to object. You also must limit the information to only that necessary for them to assist in the patient's care.
If the patient is unable, due to incapacity, to understand and/or object, you can use your professional judgment based on what is best for the patient, and infer consent based on the circumstances.
You might infer that the family member who brought in the patient should be given enough information to assist in their care
In these circumstances, patient authorization or an opportunity to consent or object is not required
Some of these have special requirements to follow to ensure the use or disclosure is valid
Public Policy Disclosures
HIPAA permits you to use/disclose patient health information in certain defined situations, without having to notify the patient, or obtain authorization from the patient. The list of situations includes:
- Uses and Disclosures Required By Law
- Uses and Disclosures for Public Health Activities (including FDA monitoring of drugs)
- Disclosures About Victims of Abuse, Neglect or Domestic Violence
- Uses and Disclosures for Health Oversight Activities
- Disclosures for Judicial and Administrative Proceedings
- Disclosures for Law Enforcement Purposes
- Uses and Disclosures about Decedents
- Uses and Disclosures for Cadaveric Organ, Eye, Tissue Donation
- Uses and Disclosures for Research Purposes (although the rules you must follow here are very arduous)
- Uses and Disclosures to Avert a Serious Threat to Health or Safety
- Uses and Disclosures For Specialized Government Functions (including national security, military and veterans activities, and correctional institutions)
- Disclosures for Workers' Compensation
These uses and disclosures are PERMITTED, NOT required
ACCOUNTING of disclosures is generally required for these (discussed below)
Parents and Minors
Concerning information disclosed or not disclosed about an older child to a parent, HIPAA says to follow your state laws and/or your good judgment. State laws vary greatly on this issue.
HIPAA avoids taking sides on this sensitive issue
This key provision is often referred to in the regulations
Minimum Necessary
You may only use or disclose the MINIMUM NECESSARY information, that is, you must make reasonable efforts to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose.
Some exceptions (where you are NOT required to follow the 'minimum necessary' rule) are: Disclosures to or requests by a health care provider for treatment; Uses or disclosures made to the individual patient; Uses or disclosures authorized by the patient; and Uses or disclosures that are required by law.
Most private practices can avoid many of these situations
Authorized Use and Disclosure
Except as otherwise required or permitted in the Privacy regulations, uses or disclosures of patient health information REQUIRE A SIGNED AUTHORIZATION FROM THE PATIENT. In other words, an authorization is required for any use or disclosure that is NOT: (1) to the patient; (2) as requested by Health and Human Services to verify compliance; (3) for treatment, payment, or health care operations; (4) an incidental disclosure; (5) a disclosure to family or friends; (6) one of certain fundraising activities; or (7) a public policy situation.
Using or disclosing health information (including basic demographics) for marketing of any type requires an authorization, unless you are face-to-face with the patient, or giving a gift of nominal value.
You must be aware of any situation where you deliver individually identifiable health information to drug companies, a hospital, data aggregation services, etc. These might require an authorization from the patient.
Fundraising
You may disclose only demographics and dates of health care provided to a business associate or institutionally related foundation for fundraising activities, without authorization from the patient. However, you must inform the patient in your Notice of Privacy Practices, and give them an opportunity to opt out. Fundraising materials must also give the individual the opportunity to opt out of receiving future materials.
Research
HIPAA recognizes the value of medical research, and gives various ways it can be conducted without violation.
- Personal health information may be used and disclosed for research with an individual’s written permission in the form of an Authorization.
- De-identified health information, as described above, is not protected, and thus can be used in research.
- Personal Health Information may be used and disclosed for research without an Authorization in limited circumstances:
- Under a waiver of the Authorization requirement (normally granted by the Institutional Review Board (IRB) that approved the research),
- as a limited data set with a data use agreement,
- preparatory to research, and
- for research on decedents’ information.
Health and Human Services publishes a guidance booklet on research under the Privacy Rule (PDF).
HIPAA GIVES PATIENTS RIGHTS CONCERNING THEIR HEALTH INFORMATION
Overview of Patient Rights
Under HIPAA, individuals have a right to:
- Access to their patient health record
- Request an amendment to their health information
- An accounting of certain disclosures made of their health information
- Request additional restrictions on use and disclosure of their health information
- Request confidential communications (by alternate means) of their health information
- Receive a copy of your Notice of Privacy Practices
The HIPAASimple.com solution gives all of the forms and guidance needed to deliver these rights to individuals
Right to Access Protected Health Information
An individual has a right to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the record set is maintained.
Concerning private practitioners, access can be denied on any portion of the information that meets the following exceptions:
- Psychotherapy Notes (remember the definition is very limited, as explained above);
- Information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
- Research records, provided the research is ongoing, and the patient agreed to be denied access during the research;
- Inmate health records created or received on behalf of a correctional institution, if access to the records might endanger any person;
- If the information came from a third party who is NOT a health care provider, with the understanding it would be kept confidential;
- If a health care provider has determined, in the exercise of professional judgment, that access to the information by the individual or a personal representative would endanger the individual or others (this is 'reviewable');
- The information is about a third party (not a health care provider), and a health care provider has determined, in the exercise of professional judgment, that access to the information could cause substantial harm to that third party (this is 'reviewable')
You must give access within 30 days (60 if the information is off-site), and there are documentation requirements
'Reviewable' items have a specific process whereby a patient can object to an exclusion
Right to Request Amendment to Health Information
An individual has the right to request that a provider amend protected health information in a designated record set for as long as that record set is maintained.
A private practitioner can deny the amendment if it determines any of the following:
- The record is accurate and complete;
- The provider being asked to amend the record did not create the record in question; or
- Under one of the access exceptions above, the patient could not access the record in question.
There are various documentation and notification requirements that accompany this regulation. HIPAASimple.com will guide you through these.
HIPAASimple.com gives you the guides and forms to keep this accounting.
Right to Accounting of Disclosures
An individual has a right to receive an accounting of the disclosures of protected health information (those outside the normal course of activities) that you made in the six years prior to the date of the request. Normal uses and disclosures do not need to be accounted for (i.e., treatment, payment, and operations; disclosures to the patient or authorized by the patient; incidental disclosures; disclosures to family and friends; disclosures of a limited data set). The two categories of disclosures that require accounting are:
- The group referred to as 'Public Policy Disclosures' (see above);
- Disclosures that VIOLATE THE PRIVACY RULE.
Right to Request Restrictions of Uses and Disclosures
A covered entity must permit an individual to REQUEST that the covered entity restrict uses and disclosures for either: treatment, payment, and health care operations; or those made to friends and family. You do NOT have to agree to the restrictions. However, if you do, you must abide by them.
Restrictions on disclosures for treatment, payment, and operations would likely be a hindrance to your practice, and therefore would not normally be agreed to. Disclosures to friends and family already require that the patient be given the opportunity to object, where possible.
This part of the regulation is mostly about making sure patients have the right and the opportunity to make the request.
Right to Request Confidential Communication
You must communicate protected health information to individuals by alternative means or at alternative locations when you receive a reasonable request to do so. You may require the request in writing, and require that payments for services are not disrupted.
The patient may request that all information go to a different address, or that contact be made through a different phone or pager number.
HIPAA REQUIRES SAFEGUARDS OF ELECTRONIC PATIENT RECORDS AND ELECTRONIC SYSTEMS
Security Overview
Under HIPAA, you are required to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated inappropriate uses or disclosures.
- Ensure compliance by your workforce.
Security measures implemented to comply with the standards and implementation specifications must be reviewed and modified as needed so that they continue to provide reasonable and appropriate protection of electronic protected health information.
HIPAASimple.com fits your compliance to your systems and capabilities
Flexible and Scalable
The Rule allows you to "use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this [regulation]." In doing so, you must consider the following factors:
- The size, complexity, and capabilities of the covered entity.
- The covered entity's technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.
Addressable Standards
Some of the Security safeguards are 'addressable' instead of required. For each addressable safeguard you must work through (and document) the following steps:
- Assess whether the implementation specification is a reasonable and appropriate safeguard in your environment, when analyzed with reference to its likely contribution to protecting the entity's electronic protected health information; and
- Implement the implementation specification if it is reasonable and appropriate; or
- If implementing the implementation specification is not reasonable and appropriate, then
- Document why it would not be reasonable and appropriate to implement the implementation specification; and
- Implement an equivalent alternative measure if reasonable and appropriate.
'Addressable' does NOT mean 'Optional'
All 42 of these implementation specifications are handled by HIPAASimple.com
Administrative Safeguards
You must meet the required standards and, for each addressable specification listed below, either implement it or document an alternative method:
- Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
  - Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  - Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the regulations.
  - Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  - Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Standard: Assigned security responsibility (Required). Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
- Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided in this regulation, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
  - Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  - Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
  - Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as otherwise required.
- Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of HIPAA.
  - Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
  - Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  - Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
- Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
  - Security reminders (Addressable). Periodic security updates.
  - Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
  - Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
  - Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
- Standard: Security incident procedures. Implement policies and procedures to address security incidents.
  - Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
- Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
  - Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  - Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
  - Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  - Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
  - Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
- Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
- Standard: Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
Physical Safeguards
You must meet the required standards and, for each addressable specification listed below, either implement it or document an alternative method:
- Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
  - Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  - Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  - Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  - Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
- Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
- Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
- Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  - Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  - Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  - Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  - Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Technical Safeguards
You must meet the required standards and, for each addressable specification listed below, either implement it or document an alternative method:
- Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
  - Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
  - Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  - Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  - Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
- Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  - Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  - Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  - Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
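To make the Technical Safeguards above concrete, here is an added illustration (not HIPAASimple.com's software, and not the only acceptable design) of how an application can satisfy unique user identification, audit controls, automatic logoff, and the integrity mechanism in one small ePHI store. The key, user ID, and patient record are constructed sample values.

```python
"""Added illustration of several Technical Safeguards in code.

Not HIPAASimple.com software: it models unique user identification plus
audit controls, automatic logoff, and an integrity mechanism (HMAC) that
corroborates a stored ePHI record was not altered outside the application.
All names, keys and data are constructed for the example.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo key. A real deployment loads this from a key store, never
# from source code, and rotates it under the practice's key-management policy.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def integrity_tag(record: dict) -> str:
    """Integrity safeguard: HMAC-SHA256 over a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str) -> bool:
    """Corroborate the record matches its tag; compare_digest avoids timing leaks."""
    return hmac.compare_digest(integrity_tag(record), tag)


@dataclass
class Session:
    user_id: str                # unique user identification (Required)
    last_activity: float        # epoch seconds of the last request on this session
    timeout_seconds: int = 600  # automatic logoff threshold (Addressable)


class EphiStore:
    """Minimal ePHI store: every access is checked, tagged and audit-logged."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so the logoff rule is testable
        self.records = {}     # record_id -> (record, integrity tag)
        self.audit_log = []   # audit controls: who, what, when, which record, outcome

    def _log(self, session, action, record_id, outcome):
        self.audit_log.append({"time": self.now(), "user_id": session.user_id,
                               "action": action, "record_id": record_id,
                               "outcome": outcome})

    def _session_active(self, session):
        # Automatic logoff: a session idle longer than the timeout is refused.
        if self.now() - session.last_activity > session.timeout_seconds:
            return False
        session.last_activity = self.now()
        return True

    def write(self, session, record_id, record):
        if not self._session_active(session):
            self._log(session, "write", record_id, "denied: session expired")
            return False
        copy = dict(record)
        self.records[record_id] = (copy, integrity_tag(copy))
        self._log(session, "write", record_id, "ok")
        return True

    def read(self, session, record_id):
        if not self._session_active(session):
            self._log(session, "read", record_id, "denied: session expired")
            return None
        if record_id not in self.records:
            self._log(session, "read", record_id, "denied: no such record")
            return None
        record, tag = self.records[record_id]
        if not verify_integrity(record, tag):
            # Stored data no longer matches its tag: altered outside write().
            self._log(session, "read", record_id, "denied: integrity failure")
            return None
        self._log(session, "read", record_id, "ok")
        return dict(record)
```

Every audit entry carries the same unique user ID the session was opened with, which is what the information system activity review under the Administrative Safeguards reads.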
HIPAA REQUIRES NEW CONTRACTS AND AGREEMENTS
This document is given to each patient (in a 'Direct' relationship) when they first arrive at your practice
Notice of Privacy Practices
An individual has a right to adequate notice of the uses and disclosures of protected health information that you may make, and of their rights and your legal duties with respect to protected health information. Patients in a 'Direct Treatment Relationship' are handled differently than patients in an 'Indirect Treatment Relationship' (HHS publishes a discussion of both terms).
You must make a 'good faith effort' to give each patient in a Direct relationship your Notice of Privacy Practices. You will need to keep an acknowledgement from the patient that they received it. For Indirect relationship patients, you must make the Notice available on request.
If you have a website for patients, your Notice must be posted there, as well.
The content required in this notice is very specific, and specific to your practice.
The requirements and definitions of this provision are extensive
Business Associate Agreements
You must contractually establish the permitted and required uses and disclosures of health information by business associates.
A Business Associate is any person or organization that receives, creates, stores, or processes PHI on your behalf. Billing services, answering services, transcriptionists, document management services, your attorney (if they ever review health records), and coding auditors (working on YOUR behalf) are all examples. Payors or other providers of health services are normally NOT business associates, since they are working on behalf of the patients.
Patient Authorizations
You may not use or disclose protected health information without a valid authorization except as otherwise permitted or required by HIPAA. An authorization is required for most uses and disclosures that are not in the categories of (1) treatment, payment, or health care operations; (2) incidental disclosures; (3) disclosures to family or friends; (4) fundraising; or (5) public policy situations.
The patient must sign the authorization. The content requirements of these authorizations are specific, with additional requirements in the area of marketing.
Data Use Agreements
If you disclose a 'Limited Data Set' of health information for research, data aggregation, or health care operations, you must have a valid Data Use Agreement before doing so.
HIPAA REQUIRES YOU TO HAVE NEW, SPECIFIC ADMINISTRATIVE SYSTEMS
Privacy Official
You must designate a privacy official who is responsible for the development and implementation of the policies and procedures and is the contact person for questions or complaints. Although the HIPAA regulations allow the privacy official and the contact person or office to be different, for private practice HIPAASimple.com recommends these be the same person.
HIPAASimple.com will give this person in your office the guidelines needed to perform these functions.
Users of HIPAASimple.com receive these policies and procedures specific to their organization
Policies and Procedures
You must implement policies and procedures with respect to protected health information that are designed to comply with HIPAA Privacy.
The policies and procedures must be reasonably designed, taking into account the size and type of activities that relate to protected health information undertaken by your organization, to ensure such compliance. You must modify the policies and procedures any time there is a change in the HIPAA Privacy regulations, or a material change in your practice affecting your privacy practices.
HIPAASimple.com delivers policies and procedures specific to your practice, and tells you anytime changes in the law require you to change them. If you change your operations, you simply enter your changes, and HIPAASimple.com tells you which materials and guides to reprint.
Training on the general rules of HIPAA does NOT meet this requirement
Workforce Training
You must train all members of your workforce on the policies and procedures with respect to protected health information.
This training must be appropriate to the functions performed by the workforce member in your practice. You must retrain any time a person's functions are affected by a material change in policies or procedures. HIPAASimple.com gives the training materials needed for each function in your practice, and will deliver new materials whenever you make a change to your practice information entered and stored on our system.
Ongoing training is key to HIPAA Privacy compliance
Safeguards
You must have appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
To 'reasonably safeguard' the information will require physical arrangements and other procedures that keep it from being overheard or seen by the wrong people.
The 'facility guides' at HIPAASimple.com will help you accomplish this for your specific situation.
A good compliance program will prevent most complaints
Complaints and Retaliation
You must provide a process for individuals to make complaints, and you MUST NOT RETALIATE.
The process must be simple, and listed in your Notice of Privacy Practices. You must document every complaint, and its disposition. Of course, any negative action taken against that person, whether patient, employee, or someone else, must be done with great caution and good cause from that point.
Mitigation will require a quick response to any situation or complaint where a violation is discovered
Mitigation and Sanctions
You must mitigate, to the extent practicable, any harmful effect that is known concerning a use or disclosure of protected health information in violation of HIPAA by your organization, workforce, or business associates.
You must have AND APPLY appropriate sanctions against members of your workforce who fail to comply with the privacy policies and procedures required by HIPAA. As an employer, your workforce must know in advance these sanctions are in place, and must know the policies and procedures they are expected to follow.
HIPAASimple.com provides the materials and documentation you need.
Complete Documentation
HIPAA requires you to document almost everything done concerning the Privacy regulations. You need to be able to demonstrate your effective training, monitoring, and handling of health information, and your processing of complaints or violations.
The forms and filing system of HIPAASimple.com make this SIMPLE
HIPAASimple.com allows addition of any needed wording concerning laws in your state
Preemption of State Law
HIPAA Privacy preempts state law, except when:
- The state law concerns the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention; or
- The state law is MORE STRINGENT than HIPAA.