As your organization prepares to take on the challenges of HIPAA compliance you must have a game plan. At HIPAA Associates we are happy to provide you with a HIPAA Compliance Checklist that will assist you in successfully developing your HIPAA compliance plan. This checklist is a step by step guide that takes you through all the important steps the Office of Civil Rights expects from covered entities and business associates today.

Prepare for HIPAA Compliance

The Office of Civil Rights expects all entities that manage protected health information to have a viable functioning compliance plan in place.  Are you prepared?  Have you recently reviewed your plan?  If you are unsure this is a good place to start.  Remember that failing to comply with the HIPAA Privacy Rule can put your organization at great risk.

Preparing your organization for HIPAA Compliance can be a very stressful and daunting process if you are not armed with all of the correct information. Our HIPAA Compliance Checklist will give you the important steps you need to complete this task. We have extensive experience with HIPAA Privacy programs and have assisted multiple organizations in developing plans geared for their own institutions.

Walk through the steps on the checklist provided to begin a successful implementation of this important task. If at any time you feel overwhelmed, we are available to assist you and your organization with your HIPAA Compliance needs. Don’t hesitate to give us a call.

In addition we have also provided you with important information about the HIPAA Privacy Rule you will need to know as you create your compliance plan.  This is located at the end of the Compliance Checklist section.

Table of Contents

The Seven Steps of an Effective Compliance Plan

The Health Care Fraud Prevention and Enforcement Action Team (HEAT) within the Office for Civil Rights (OCR) issued a series of guidelines for Covered Entities (CEs) and Business Associates (BAs) called The Seven Fundamental Elements of an Effective Compliance Program. The Seven Elements describe  the steps that OCR has deemed absolutely essential to a HIPAA compliance program.   The intention is to effectively protect protected health information (PHI) and associated patient data and ensure that the  federal compliance regulation is being maintained. The seven elements of a compliance program are the minimum necessary requirements that HIPAA covered entities must have in place to address HIPAA privacy and security standards.

Implementing written policies, procedures and standards of conduct

Policies and procedures help establish rules that help employees carry out their roles that ensure compliance with federal health care program guidelines.  An organization must create the policies and procedures necessary to effect the requirements from the OCR.  In a well-crafted program it will be necessary to create Privacy Policies, Administrative Safeguards, Physical Safeguards and Technical Safeguards. It is important that your compliance team deal with all aspects of the plan.  We are available to help craft these policies.

What you need:

  1. Privacy Policies
  2. Administrative Safeguards
  3. Physical Safeguards
  4. Technical Safeguards

Designating a compliance officer and compliance committee

The compliance officer is responsible with operating and monitoring the compliance program. The compliance officer will often work with a committee that  includes key members that have functions within the organization that can assist the compliance officer, such as legal, information technology, and privacy.  The responsibilities of a compliance officer are to develop and implement an effective compliance program.  The officer will create internal controls and monitor adherence to them.  The officer will proactively audit practices and procedures to identify weaknesses.  In addition, the compliance officer will be responsible for the education and training of employees on the HIPAA Privacy Rule.  The officer will respond to all HIPAA privacy complaints from internal and external sources.

The key feature:

  1. Designate a compliance officer
  2. Create a compliance committee

Conducting effective training and education

It is expected that all employees, physicians, and board members should receive training on fraud and abuse laws, as well as the compliance program.  Periodic updates of the regulations are also expected.  A good training program will cover all of the general key features of HIPAA such that the employee will feel comfortable handling protected health information. Some of the main topics should be HIPAA Regulations and why they are important.  The training will discuss the patient’s right under HIPAA and your organization’s responsibilities and the permissible uses and disclosure of health information.  We have trained thousands of employees and now have a practical online training program for teams and individuals who want to learn HIPAA.

What you must do:

  1. Create or obtain HIPAA Privacy training for your organization
  2. Arrange for annual reviews of HIPAA and your plan

Developing effective lines of communication

Employees must have avenues available to them for reporting concerns internally.  An organization should have multiple reporting methods such as the compliance officer and an anonymous hotline. All organizations must take reports seriously, and conduct a thorough follow-up of each report. This is a very important function within all organizations.  We have seen multiple situations in which there was not an effective way of reporting internally and this resulted in whistle blower going directly to the government.  This creates a difficult situation for any organization.

Important Points:

  1. Assure the compliance officer is available to all employees for complaints.
  2. Establish a hotline for anonymous complaints.

Conducting internal monitoring and auditing

A well-functioning program will have an ongoing process that evaluates and assess the organization to detect inappropriate behavior.  This will also help to ensure effectiveness of education and corrective action. The compliance program should in addition monitor compliance with privacy and provide a risk assessment of potential privacy issues.  A formal risk assessment is  a critical part of monitoring and auditing a privacy compliance program.

Internal staff or an external contractor should conduct an audit of the overall programs at least annually.  The findings should be made available to the Chief Compliance Officer and/or the Chief Operating Officer.

Recently the OCR has enacted an audit program of covered entities and their business associates.  It is important that your organization perform a full audit to deal with any issues before you are faced with an OCR audit.

Key Elements:

  1. Perform a yearly audit of your privacy plan.
  2. Report all audit findings to the compliance officer and the board of your organization.

Enforcing standards of conduct through well-publicized disciplinary guidelines

It is important that an organization have well published standards of conduct.  These must  outline an organization’s rules, responsibilities, proper practices, and/or expectations of its employees. A compliance plan should clearly state the implications and penalties of violating the standards of conduct. The use of disciplinary guideline are important as they will encourage employees to observe the HIPAA Privacy Rule.  If you are audited or have to report a breach you will be asked by the OCR what disciplinary actions have been taken. The organization should review the disciplinary guidelines at least annually with all employees.  These guidelines should be available to all employees so that they may be aware of expectations.

Key Points:

  1. Establish standards early and make sure your employees are made aware.

Responding promptly to detected offenses and undertaking corrective action

It is imperative for an organization to ensure timely and effective remedial action for offenses.  Lack of a response may create additional exposure for the organization.  As mentioned earlier it is important to have reasonable disciplinary guidelines that are followed.  The types of disciplinary actions might be staff education, termination of the employee or fines.  In addition, every time there is a breach or an incident it is mandatory the compliance officer investigate and offer a corrective plan to prevent future issues.

Key Points:

  1. Maintain a record of all remedial action for offenses.
  2. Review disciplinary guidelines annually.

Understanding HIPAA Compliance

Everyone today wants to be “HIPAA Compliant” yet often it is a term poorly understood. Many organizations believe that it is accomplished by taking a HIPAA certification course and acquiring a HIPAA Compliant logo for their webpage. That is not what the term implies. To be “HIPAA Compliant” an organization must fulfill the requirements of the Health Insurance Portability and Accountability Act and the HITECH act. This is not a one-time process but an ongoing resolve to abide by its regulations. An organization must continuously monitor its activities and confirm the rules are constantly obeyed. These rules must be observed by Covered Entities and Business Associates as long as they are involved with the handling of Protected Health Information. Using a HIPAA Compliance Checklist will help you get on the right course from the beginning.

Congress passed the the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to improve the efficiency and effectiveness of the health care system.  When this took place, Congress recognized that advances in electronic technology could affect the privacy of health information. With this in mind, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

The first provision HHS published was a final Privacy Rule in December 2000, and was later modified in August 2002. The purpose of the Rule was to set national standards for the protection of individually identifiable health information among three types of covered entities: health plans, health care clearinghouses, and health care providers.  All three of these routinely conduct standard health care transactions electronically.

The Rule affects business associates and entities that perform certain functions on behalf of covered entities that involve protected health information. These organizations are expected to develop their HIPAA Privacy compliance plans and train their staff.

In February of 2003 HHS published a final Security Rule. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.

Take Your Next Step

What Is Your Next Step?  Are you prepared?

In today’s health care climate, the occurrences of HIPAA violations appear to be on the rise. It is no longer a question of if, but when your organization will have a violation that results in significant penalties. We understand this can be a stressful occurrence in any organization.

Our HIPAA Compliance Checklist will help you get a good start on being “HIPAA Compliant”.

We are health professionals who understand HIPAA inside and out. We have decades of experience as compliance officers and with HIPAA Privacy/Security issues.

We have assisted many organizations large and small with creation of their HIPAA Compliance Plans. We have the experience to create the best plan for you and assist in making sure it works to protect your organization in the future. We provide personal assistance to ensure your needs are met.

We encourage you to contact us to assist with this important process. We can help your organization stay out of harm’s way.

Download a HIPAA Compliance Checklist

Get your HIPAA Compliance Checklist