Five Steps to HIPAA Compliance for a Doctor's Office

Why do you, as a doctor, dentist or any other medical provider, need to comply with HIPAA? HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the U.S. government to not only protect patient confidentiality and privacy but also to ensure that doctors and other medical practices protect their data to prevent unauthorized persons and criminals from getting access to patients' confidential, private and financial information.

Patient health records called PHI (Protected Health Information) are a valuable commodity for criminals and sell for high prices in the black market.   Medical professionals must therefore strictly abide by HIPAA rules in order to avoid monetary fines, damage to their reputation, loss of their license(s), and even imprisonment.

Over the last few years, we have been hearing of multiple instances of doctors, nurses and healthcare workers being jailed or fined hefty sums for HIPAA violations. The Office for Civil Rights (OCR) has concentrated on education and outreach and has also focused on enforcement of HIPAA law especially when a healthcare organization suffers a breach or is in violation of HIPAA law.

Professionals in the medical field have the ethical responsibility to abide by laws that govern them and to provide the utmost care, which includes protecting the health information of each and every patient. This requires the ability to make logical decisions minute by minute, plus a great deal of patience, professionalism, and high standards related to HIPAA compliance to ensure protection of ALL health information… which includes the following steps:

1. Exercise Privacy in Your Office Everywhere

• Give patients the privacy they deserve in your office whether it’s in the lobby or their patient room.
• Minimize references to patients; it is best to call patients by first or last name only when directing them to their patient room.
• Allow for a quiet, private space when talking with patients individually so only those intended for the information are the ones who hear it.
• Never leave patient documents/files unattended or unsecured.
• Always knock before entering patient rooms.
• While accessing electronic PHI (ePHI), make sure that no unauthorized person can see the data on your screen or device.
• Continuously enforce this culture of privacy with your staff.

2. Post Notice of Privacy Practices

• Print notice of privacy practices and place it in a common and clearly visible area in your office, so that patients are openly provided with the privacy laws and information that strives to keep their care confidential.
• If you have a website for your practice, then be sure to post a copy of the Notice of Privacy Practices prominently on your website.
• Keep copies of the Notice of Privacy Practices available in case any of your patients asks for a copy.

3. Maintain and Follow Written Policies and Procedures

• Develop a written policies and procedures manual for everyone in your practice to follow, to ensure patient privacy and security. The manual should also contain forms, notices, disclosures and step-by-step procedures for patient privacy notification and overall HIPAA compliance.
• Your policies and procedures should be accessible to all staff.  Get attestations from your staff that they have read and will abide by your written policies and procedures.
• Review your policies and procedures annually to ensure that they are still current, and review them with your staff every year after this review.
• Review, and if needed update, your policies and procedures whenever there is a major change in your practice, for instance, a change in your EHR or key software used like anti-virus, data backup service or anything similar.

4. Train Your Team on HIPAA Do’s and Don’ts

• Ensure that your employees go through HIPAA training every year.
• Your employees should sign and acknowledge their awareness of these HIPAA policies and procedures.
• Document training dates and employee names as proof that all your employees have been trained.
• All healthcare providers - doctors, nurses, and all staff - should undergo annual HIPAA training.
• Ensure that your Business Associates also undergo annual HIPAA training.

5. Conduct the Mandatory Annual HIPAA Security Risk Assessment

• This mandatory HIPAA security risk assessment should be completed in order to analyze risks within the practice. Typically, a security risk assessment will check your office for compliance with the HIPAA Security Rule and the HIPAA Privacy Rule.  Your security risk assessment would involve reviewing in detail your technical safeguards, physical safeguards and administrative safeguards which are all key elements of the HIPAA Security Rule.
• You can either do this annual assessment internally or hire a HIPAA expert to perform the assessment.
• If any evaluated areas require remediation or follow-up, plans of action will have to be developed with timelines to address them.
• Be sure to address your follow-up action items within a reasonable period of time.  About three to four months is often considered a reasonable amount of time for most doctors' offices.  For instance, if you are using a straight-cut shredder, your report might ask you to procure a cross-cut shredder or shredding service to make your document disposal process more secure.
• Know where your patients' Protected Health Information is - where it is stored on your EHR, where your data backups are kept, of which employees you or your employees store any PHI, and where printed versions of PHI may be kept.
• If you don't already have Business Associate Agreements with your vendors, you should arrange to get them immediately.  These are important legal documents where you can specify the roles and responsibilities of your vendors or business associates when it comes to handle your patients' protected health information that you are ultimately responsible for.
• While disposing of anything that has PHI on it - in any format - use secure disposal techniques. Your security consultant can guide you on how to securely dispose of PHI on different media. 
• Some of the action items may be very technical, for instance, it may recommend that you implement secure email or encrypt your storage devices, or that you may need to get a vulnerability assessment done. Your IT vendor or security vendor should be able to guide you in these situations.

Ultimately, medical facilities that do not stray from complying with current rules and laws that govern their care and practice will continue to have the best reputation and the best rapport with their patients. Enforcing the highest level of HIPAA compliance within your facility means that you understand the importance of protecting health information and providing continuity of care across the medical spectrum to provide the best care outcomes for each and every patient in every way possible.

Watch our brief video below on Five Steps to HIPAA Compliance!

This blog post was first published in April 2016, and has been revised and updated as of September 2018.