HIPAA Rules: Back to the Basics

The Health Insurance Portability and Accountability Act (HIPAA) is a complex piece of legislation that has undergone many additions and revisions since it was signed into law in 1996. The task of ensuring HIPAA compliance may seem overwhelming as a result.

For that reason, it is often beneficial to do a brief review of the basics. Let’s take a look at the things your medical office should be doing to protect your patients’ health information.

Staff training – All staff who will be handling protected health information (PHI) should be trained on HIPAA Privacy and Security at the time of hire and yearly thereafter. This training should be documented. Your office should have a designated Privacy Officer to oversee this process and to act as a point of contact.

Notice of Privacy Practices – A Notice of Privacy Practices (NPP) should be posted prominently in the office. New patients should be given an NPP at their first visit, and it should be readily supplied upon request. NPPs should be periodically reviewed and updated.

Authorization to release PHI – Patients must sign a form granting permission for any release of PHI that is not related to treatment, payment, or operations.

PHI disclosure log – Your office should maintain a record of the parties to whom a patient’s PHI was disclosed. This record should be provided to the patient upon request.

Sign-in sheet – If patients are required to sign in when they come in for appointments, their PHI should not be visible to others in the office. For example, peel-off systems are often used, so the patient’s information can be removed.

Workstation and chart location – Consider where computers are placed so that visitors cannot view patient information. Charts should be stored away from general office traffic, and care should be taken not to leave paper charts open on desks or in exam rooms.

Disposal of PHI – Any paperwork containing PHI should be properly shredded. Electronic PHI on laptops or flash drives must be removed before issuing those items to others.

Fax usage – Fax machines should not be located in areas accessible to the public. Notify the recipient prior to sending a fax. Include a cover sheet that identifies the information as being confidential in nature and states that improper handling of the information can result in legal consequences.

Telephone policies – Telephone calls discussing a patient’s medical information should be out of the hearing distance of others. If you have to leave a message, do not include test results, diagnoses, or other personal information unless authorized in writing by the patient.

Laptop and Wireless Device Policies – Make certain that your office has policies in place regarding the use of laptops and cell phones. If staff members use these devices to transmit PHI, the PHI should be encrypted. Consider the use of an EHR with a patient portal to safely send medical information to patients, or have patients sign a release acknowledging that they accept any risks of transmitting PHI electronically to them.

Breach Notification Policies – Should a breach of PHI occur, be sure that policies exist explaining who needs to be notified and the steps that need to be taken to mitigate the risk.

Spending some time to ensure that your office is maintaining your patients’ privacy is critically important. If you need further guidance, there are many resources available to help walk you through the basics of HIPAA and beyond.