HIPAA Policies and Procedures

HIPAA policies and procedures are vital features of any plan that addresses HIPAA compliance.  All covered entity organizations that handle protected health information (PHI) must follow the HIPAA Privacy Rule.  It is the responsibility of these organizations to safeguard all protected health information and demonstrate this through carefully crafted HIPAA privacy policy. HIPAA Associates will guide you through the steps needed to create the necessary hipaa policy to satisfy HIPAA.

HIPAA Policies and Procedures must be in place to ensure compliance with the HIPAA Rules. These protect PHI and give individuals rights over their PHI and responsibilities to covered entities. The HIPAA Policies implement appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI. In addition, one must consider that privacy laws vary from state by state and must be considered every time HIPAA Polices are created or modified. It is important you obtain expert help when creating your HIPAA Policies & Procedures to include the appropriate state regulations

All Covered Entities must follow the HIPAA Rules.  Business Associates must follow the HIPAA Rules that apply when it enters into a Business Associate contract or agreement with a covered entity.

•             Covered  entities include hospitals, medical practitioners, nursing homes, and pharmacies.
•             Covered entities are also Health Plans and Healthcare Clearinghouses.
•             Business Associates are people or organizations that have access to or use PHI in order to                                   provide services to covered entities.

1. Covered entities must create plans that include HIPAA Policies & Procedures that help safeguard Protected Health Information (PHI) which the organization handles. This includes all forms of PHI such as written, verbal and electronic.
2. To be fully prepared an entity must also perform a full Security Risk Analysis to assess the health and security of their HIPAA program.  In some cases it may be best to start with a HIPAA Gap Analysis.
3. An organization must also name a Privacy-Security Officer to oversee the function of the Compliance Plan.
4. A training program must be in place to address every member of the organization based on their function in the organization.

Our professionals are prepared to assist you with all of these important policies and procedures. HIPAA Associates offers HIPAA Policies that include HIPAA privacy and HIPAA security. This includes all security policies and procedures and breach reporting requirements in compliance with the HIPAA Rules.

Our HIPAA compliance program was created by a HIPAA professional with over 19 year’s experience including 12 years as a Privacy Officer for a large health care system.

HIPAA Associates is always available to assist you when questions arise regarding the HIPAA Rule. HIPAA Consulting is the main focus of our organization. We would be happy to discuss with you how we can help with your program.

Contact us for your HIPAA Policies and Procedures

Template Privacy Policies – Contact Us

Template Security Policies – Contact Us

Fully Customized HIPAA Policies – Contact Us

A covered entity must enter into a Business Associate Agreement with each organization or vendor that accesses, uses or discloses PHI to on behalf of the organization . This will ensure the Business Associate uses appropriate safeguards to protect the PHI in the same manner that the covered entity must. It is essential that every covered entity create Business Associate Agreements with any entity that handles PHI on their behalf.

Prime examples of Business Associates would include accounting, billing, legal, risk management and IT services. We will help you identify business associates and provide business associate agreements.

We provide HIPAA consulting and advise on individual issues related to HIPAA privacy, security and breach notification. HIPAA Associates has the knowledge and breadth of experience to assess your unique situation and needs to craft the plan that you need for ultimate protection for PHI and the organization. Consequently, we can help protect your organization from issues that may otherwise bring involvement by the Office for Civil Rights.

Privacy and Security Officers must be appointed through the HIPAA Policies to oversee the HIPAA program. They are responsible for oversight of the program and for tracking, investigating, resolving and documenting all privacy and security complaints and investigative steps taken. They ensure there is no retaliation against any workforce member or other individual for reporting a PHI breach or filing a HIPAA complaint.

HIPAA Associates can help you prepare a Privacy & Security officer

The program must implement a training plan that trains workforce members on the requirements and HIPAA Policies that apply to them in their individual roles. The training program must train all workforce members upon employment on HIPAA and Policies and Procedures and on a regular basis thereafter.

HIPAA Associates has available training programs

A well-functioning program will have an ongoing process that evaluates and assess the organization to detect inappropriate behavior.  This will also help to ensure effectiveness of education and corrective action. The compliance program should in addition monitor compliance with privacy and provide a risk assessment of potential privacy issues.  A formal risk assessment is  a critical part of monitoring and auditing a privacy compliance program. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.

Internal staff or an external contractor should conduct an audit of the overall programs at least annually.  The findings should be made available to the Chief Compliance Officer and/or the Chief Operating Officer.

HIPAA Associates can help you with a risk assessment

Frequently Asked Questions:

Do we need a HIPAA Compliance Plan?

Any covered entity that handles protected health information (PHI) must be prepared to protect that information. This is done by creating and implementing a HIPAA compliance plan with policies and procedures to safeguard PHI. The must outline the steps you will have to take in the event of a breach.

The plan will ensure that all workforce members are properly trained on how to handle PHI in all its forms.

HIPAA Associates is prepared to create the perfect compliance plan for your organization that has all the necessary policies, procedures and training you will need to keep your PHI safe.

How do I handle a breach?

It is important to follow all the steps to report a breach to the OCR. Every breach is different and must be handled on a case by case basis. A full breach analysis must be performed to determine if there was an impermissible use or disclosure that compromises the security of protected health information. Factors to be resolved are:
1. The nature and extent of the breach including identifiers
2. The unauthorized person to whom disclosure is made
3. Whether the PHI was acquired or viewed
4. The extent to which the risk to PHI has been mitigated.

HIPAA Associates can help your organization through this process to ensure you follow all the important steps.

The Office of Civil Rights expects all entities that manage protected health information to have a viable functioning compliance plan in place.  Are you prepared?  Have you recently reviewed your plan?  If you are unsure this is a good place to start.  Remember that failing to comply with the HIPAA Privacy Rule can put your organization at great risk.

Preparing your organization for HIPAA Compliance can be a very stressful and daunting process if you are not armed with all of the correct information. Our checklist will give you the important steps you need to complete this task.  We have extensive experience with HIPAA Privacy programs and have assisted multiple organizations in developing plans geared for their own institutions.

Walk through the steps on the checklist provided to begin a successful implementation of this important task. If at any time you feel overwhelmed, we are available to assist you and your organization with your HIPAA Compliance needs. Don’t hesitate to give us a call.

1. Implement written policies
2. Designate a compliance officer
3. Conduct effective training
4. Develop effective lines of communication
5. Conduct internal monitoring and auditing
6. Enforce standards of conduct
7. Respond to detected offenses

1. Implement Policies & Standards

Policies and procedures help establish the rules your organization will need to carry out the requirements of federal health care program guidelines.

Policies and procedures help establish rules that help employees carry out their roles that ensure compliance with federal health care program guidelines.  An organization must create the policies and procedures necessary to effect the requirements from the OCR.  In a well-crafted program it will be necessary to create Privacy Policies, Administrative Safeguards, Physical Safeguards and Technical Safeguards. It is important that your compliance team deal with all aspects of the plan.  We are available to help craft these policies.

What you need:

1. Privacy Policies
2. Administrative Safeguards
3. Physical Safeguards
4. Technical Safeguards

2. Designate a Compliance Officer

The compliance officer will be responsible for operating and monitoring the compliance program.

The compliance officer is responsible with operating and monitoring the compliance program. The compliance officer will often work with a committee that  includes key members that have functions within the organization that can assist the compliance officer, such as legal, information technology, and privacy.  The responsibilities of a compliance officer are to develop and implement an effective compliance program.  The officer will create internal controls and monitor adherence to them.  The officer will proactively audit practices and procedures to identify weaknesses.  In addition, the compliance officer will be responsible for the education and training of employees on the HIPAA Privacy Rule.  The officer will respond to all HIPAA privacy complaints from internal and external sources.

They key feature:

1. Designate a compliance officer
2. Create a compliance committee

3. Conduct an effective training program

All personnel should receive training on fraud & abuse laws as well as the compliance program.

It is expected that all employees, physicians, and board members should receive training on fraud and abuse laws, as well as the compliance program.  Periodic updates of the regulations are also expected.  A good training program will cover all of the general key features of HIPAA such that the employee will feel comfortable handling protected health information. Some of the main topics should be HIPAA Regulations and why they are important.  The training will discuss the patient’s right under HIPAA and your organization’s responsibilities and the permissible uses and disclosure of health information.  We have trained thousands of employees and now have a practical online training program for teams and individuals who want to learn HIPAA.

What you must do:

1. Create or obtain HIPAA Privacy training for your organization
2. Arrange for annual reviews of HIPAA and your plan

4. Develop effective lines of communication

Employees must have avenues available for reporting concerns internally. Anonymous reporting must be available.

Employees must have avenues available to them for reporting concerns internally.  An organization should have multiple reporting methods such as the compliance officer and an anonymous hotline. All organizations must take reports seriously, and conduct a thorough follow-up of each report. This is a very important function within all organizations.  We have seen multiple situations in which there was not an effective way of reporting internally and this resulted in whistle blower going directly to the government.  This creates a difficult situation for any organization.

Important Points:

1. Assure the compliance officer is available to all employees for complaints
2. Establish a hotline for anonymous complaints.

5. Conduct internal monitoring and auditing

A good program will have an ongoing process to evaluate and assess the organization for inappropriate behavior.

1. A well-functioning program will have an ongoing process that evaluates and assess the organization to detect inappropriate behavior.  This will also help to ensure effectiveness of education and corrective action. The compliance program should in addition monitor compliance with privacy and provide a risk assessment of potential privacy issues.  A formal risk assessment is  a critical part of monitoring and auditing a privacy compliance program.

Internal staff or an external contractor should conduct an audit of the overall programs at least annually.  The findings should be made available to the Chief Compliance Officer and/or the Chief Operating Officer.

Recently the OCR has enacted an audit program of covered entities and their business associates.  It is important that your organization perform a full audit to deal with any issues before you are faced with an OCR audit.

Key Elements:

1. Perform a yearly audit of your privacy plan
2. Report all audit findings to the compliance officer and the board of your organization

6. Enforce standards of conduct with guidelines

An organization must have well published standards of conduct. The plan should clearly state the implications and penalties of violating the standards.

It is important that an organization have well published standards of conduct.  These must  outline an organization’s rules, responsibilities, proper practices, and/or expectations of its employees. A compliance plan should clearly state the implications and penalties of violating the standards of conduct. The use of disciplinary guideline are important as they will encourage employees to observe the HIPAA Privacy Rule.  If you are audited or have to report a breach you will be asked by the OCR what disciplinary actions have been taken. The organization should review the disciplinary guidelines at least annually with all employees.  These guidelines should be available to all employees so that they may be aware of expectations.

Key Points:

1. Establish standards early and make sure your employees are made aware.

7. Respond promptly to violations and take corrective action

An organization must ensure timely and effective remedial action for offenses.

It is imperative for an organization to ensure timely and effective remedial action for offenses.  Lack of a response may create additional exposure for the organization.  As mentioned earlier it is important to have reasonable disciplinary guidelines that are followed.  The types of disciplinary actions might be staff education, termination of the employee or fines.  In addition, every time there is a breach or an incident it is mandatory the compliance officer investigate and offer a corrective plan to prevent future issues.

Key Points:

1. Maintain a record of all remedial action for offenses.
2. Review disciplinary guidelines annually.

HIPAA Associates is prepared to assist you in creating a thorough HIPAA Compliance Plan.  Contact us today to get started.

HIPAA Associates presents their HIPAA Compliance Checklist for 2021.  We believe this will give you a good start on creating your HIPAA Polices & Procedures.