HIPAA checklist: how to get started and stay out of trouble

March 20, 2017

You probably know the basics about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy, Security and Breach Notification Rules protect the privacy and security of health information and provide patients with rights to their health information. But is your practice following all the rules, and do you have a checklist of things you need to do each year to stay compliant?

Whether you’re just getting started in practice or you’re a veteran allergist, we have the HIPAA resources you need to keep your practice and patients safe. Learn what you need to do when starting a HIPAA program, what should be on your annual checklist and what should be an ongoing focus.

Getting started

1. Assign a compliance officer to take the lead on HIPAA compliance.

2. Develop and maintain a HIPAA manual:

  • Use the Centers for Medicare and Medicaid Services’ HIPAA Fact Sheet, which summarizes the HIPAA Privacy, Security and Breach Notification Rules, as a guide.
  • The Office of the National Coordinator for Health Information Technology (ONC) has a more detailed Guide to Privacy and Security of Electronic Health Information, which offers practical suggestions for practices – regardless of whether you have an EHR.
  • Include a contingency plan for electronic protected health information.
  • Include a plan to handle HIPAA breaches.

3. Implement the policies and procedures outlined in your HIPAA manual.

4. Train all physicians and staff in HIPAA policies and procedures.

Annual checklist

1. Provide annual HIPAA training for all physicians and staff. Document training attendance and have everyone acknowledge, in writing, that they understand the policies.

According to J. Kelly Davis, BS, CMPE, Practice Manager of Covenant Allergy & Asthma Care in Chattanooga, Tennessee and College Practice Management Committee member, “HIPAA is one of those things that can keep me up at night. Electronic security is an important part of the puzzle, but the proper training of your staff is a very close second. In the medical industry, most data breaches are not due to server hacks but to unencrypted mobile devices lost by physicians and staff. The key is to have good policies and procedures in place and train your staff regularly.”

2. Review your current business associates, and make sure you have an up-to-date, signed business associate agreement (BAA) for each. It’s best to:

  • Perform an annual internal audit of companies requiring a BAA. If they aren’t adhering to HIPAA requirements, you may need to educate them.
  • Make it easy. For a sample BAA, check out HHS’ Sample Business Associate Agreement.

3. Perform an annual Security Risk Analysis:

  • Use the Security Risk Assessment Tool from the ONC.
  • Don’t just shelve the results of your Security Risk Analysis! It is a guide to what changes need to be made to protect your practice and patients, so take time to review the results and implement appropriate changes.

Ongoing tasks

1. Train all new employees in HIPAA policies and procedures.

2. Make your Notice of Privacy Practices (NPP) available to all patients. It needs to:

  • Be posted in a prominent place on your website.
  • Be offered to anyone who asks for it (post it in your office and keep multiple laminated copies at the front desk for review).
  • Be patient-friendly. For an updated, modifiable NPP, check out this one from HHS.

3. Get patient authorization to disclose personal health information when necessary.

4. Make patient privacy and security continuing priorities in your office culture.