HIPAA Policy
One of the most important elements in safeguarding against HIPAA violations is to have a HIPAA Policies and Procedures Manual in your office. However, having a binder labeled “HIPAA Policy” is not enough. The guidelines of an office need to be outlined and referred to in training new employees or when questions arise.
The HIPAA legislation calls for businesses and practices to have a policy to address everything from the everyday tasks performed at that office to some of the most unlikely—yet possible—situations. Some of the policies that should be created and included in such a manual might be overlooked at first because they are so routine and habitual for a particular business. For example, a doctor’s office should have a guideline that addresses proper sign-in procedures that comply with HIPAA and keep as much of the patient’s information private as possible. There should also be a policy outlining the proper storage of patient information and files as well as the proper destruction of old paperwork. The HIPAA Policies and Procedures manual should contain templates for letters that are sent out along with x-rays or other PHI to collaborating doctors. There should also be a guideline that states how patients are notified that such information is being sent in order to obtain their authorization. It may seem rather extreme to have such detailed procedures, but it is safe, and it is necessary in order to be truly HIPAA compliant.
Other HIPAA policies that should be spelled out might also be overlooked for an entirely different reason. These policies address the theoretical situations that an office may not even anticipate. These HIPAA policies usually deal with security breaches. Every HIPAA Policies and Procedures manual should delineate the protocol to be followed in the event of a break-in at the office. All patients and customers must be notified, according to appropriate HIPAA policy, of the situation and the possibility that their PHI has been compromised. Other policies should outline how to prevent such information from being accessed in the event of a break-in (such as keeping all files in locked cabinets). HIPAA policies should also be in place to address breaches of security with regard to electronic information and databases.
Many offices and businesses find that the difficult thing about the HIPAA legislation is that it contains many requirements but no specific direction on how to create policies and procedures in order to follow the law. It can be helpful to use a HIPAA software program to help create the HIPAA Policies and Procedures manual. There are a variety of training programs and software programs available. A good program will help create HIPAA policies specific to the entity. One such program, Interactive HIPAA, does just that. The software:
- Asks questions about the type of business conducted by the entity
- Asks specific questions about current policies and procedures
- Uses information specific to that entity to create appropriate HIPAA policies
- Uses that information to generate forms suitable for use by that entity
The convenience of using such a program is that a business can draw upon the knowledge of experts well-versed in the intricacies of the HIPAA legislation and what it requires by way of HIPAA policies and procedures without spending the time to really delve into and understand the minutiae of the legislation. And it is far less expensive than hiring an expert or attorney to create HIPAA policies for an office.