Weiss Zarett Brofman | Sonnenklar & Levy, P.C. | Attorneys At Law



Aug 1, 2013 | Healthcare Law

Physician practices are frequently advised to know the requirements for obtaining reimbursement from a payor for services rendered and to have the necessary documentation in place to withstand an audit. But do you know that the same holds true for withstanding a HIPAA audit of your practice conducted by the U.S. Office for Civil Rights (OCR)? In other words, every physician practice should know the minimum requirements of the HIPAA Privacy, Security and Data Breach Notification rules and be prepared to prove compliance should OCR come calling. OCR's audit protocol is extremely comprehensive, but as a starting point you should make sure you have forms, policies and procedures in place to implement the following:

Privacy Rule requirements:

- Notice of Privacy Practices
  - Revised Notice required as of September 23, 2013
- Patient rights to request restrictions on disclosure of PHI
  - Certain restriction requests must be granted
- Patient rights to access their PHI
  - Special rules apply for EHR
- Uses and disclosures of PHI
  - Special authorizations apply for certain disclosures
- Accounting of disclosures
  - Accountings differ when an EHR is involved
- Amendment of PHI
  - Protocol required for responding to patient requests to amend
- Business Associate Agreements
  - Revised agreements to reflect new definitions and subcontractors
- Training of personnel, including physicians
  - Documented training must occur upon hire and at least annually

Security Rule requirements:

- Administrative safeguards
  - Mandatory security risk assessment
  - Workforce security and training
  - Contingency plan
  - Security awareness and training
- Physical safeguards
  - Facility access control
  - Workstation use and security
  - Device and media controls
- Technical safeguards
  - Access control
  - Transmission security
  - Encryption analysis
  - Secure patient portals

Breach Notification Rule requirements:

- Protocol for responding to a security incident
  - Data Breach Notification Policy and Procedures required
  - State laws must be addressed
- Risk assessment to determine whether a breach has occurred
  - New factors must be applied
- Steps to take when a breach has occurred
  - Documentation of the investigation must be maintained
- Notification of affected individuals, HHS and the media
  - Timeframes must be met

If you are missing any of the above in your HIPAA Compliance Program, your practice will be at risk come September 23, 2013, and the HITECH Act has increased the penalties for non-compliance.