Physician practices are frequently advised to know the requirements for obtaining reimbursement from a payor for services rendered and to have necessary documentation in place to withstand an audit. But do you know the same holds true to withstand a HIPAA audit of your practice conducted by the U.S. Office for Civil Rights? In other words, every physician practice should know the minimum requirements of the HIPAA Privacy, Security and Data Breach Notification rules and be prepared to prove compliance should OCR come calling. OCR’s audit protocol is extremely comprehensive but, as a starting point, you should make sure you have forms, policies and procedures in place to implement the following:
Privacy Rule requirements:
- Notice of Privacy Practices
  - Revised Notice required as of September 23, 2013
- Patient rights to request restrictions on disclosure of PHI
  - Certain restriction requests must be granted
- Patient rights to access their PHI
  - Special rules apply for EHR
- Uses and disclosures of PHI
  - Special authorizations apply for certain disclosures
- Accounting of disclosures
  - Accountings differ when an EHR is involved
- Amendment of PHI
  - Protocol required for responding to patient requests to amend
- Business Associate Agreements
  - Revised agreements to reflect new definitions and subcontractors
- Training of personnel, including physicians
  - Documented training must occur upon hire and at least annually

Security Rule requirements:
- Administrative safeguards
  - Mandatory security risk assessment
  - Workforce security and training
  - Contingency plan
  - Security awareness and training
- Physical safeguards
  - Facility access control
  - Workstation use and security
  - Device and media controls
- Technical safeguards
  - Access control
  - Transmission security
  - Encryption analysis
  - Secure patient portals

Breach Notification Rule requirements:
- Protocol for responding to a security incident
  - Data Breach Notification Policy and Procedures required
  - State laws must be addressed
- Risk assessment to determine whether a breach has occurred
  - New factors must be applied
- Steps to take when a breach has occurred
  - Documentation of the investigation must be maintained
- Notification of affected individuals, HHS and the media
  - Timeframes must be met
If you are missing any of the above in your HIPAA Compliance Program, your practice will be at risk come September 23, 2013. And the HITECH Act increased the penalties for non-compliance.