Privacy (Hipaa) Policy Notification: Fill & Download for Free

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that talks about the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations.Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.HIPPA RULESHIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards outlined by the HIPAA Privacy Rule include patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure forms and Notices of Privacy Practices, and more. The regulatory standards must be documented in the organization’s HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with documented attestation.HIPAA Security Rule: The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any health care organization. Specifics of the regulation must be documented in the organization’s HIPAA Policies and Procedures. Staff must be trained on these Policies and Procedures annually, with documented attestation.HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI. The Rule differentiates between two kinds of breaches depending on the scope and size, called Minor Breaches and Meaningful Breaches. Organizations are required to report all breaches, regardless of size to HHS OCR, but the specific protocols for reporting change depending on the type of breach.HIPAA Omnibus Rule: The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was enacted in order to apply HIPAA to business associates, in addition to covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant, and also outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and business associate–or between two business associates–before ANY PHI or ePHI can be transferred or shared.

While each investigation is different, there are some commonalities. the HIPAA Privacy and Security Rules complaint process follows a standard pathway that begins with a complaint that is reviewed by the OCR for validity before an investigation is initiated.If the OCR determines an investigation is warranted, the covered entity will be notified in writing of the data request. The notification will include the complainant’s name and the allegations brought forth in the complaint. The OCR notification will also include a list of references to the applicable HIPAA Administrative Simplification Regulation (45 CFR §160, §162, and §164) that the covered entity may have violated.It is the responsibility of the covered entity to respond to the data request within 30 days of receipt with all items requested. Typically, the length of the data request correlates with the number of alleged violations; it is not uncommon for a data request to include 20 or more items to be addressed, as many of the privacy and security requirements are overlapping.A covered entity will be required to produce its HIPAA policies and procedures corresponding to the rule that was allegedly violated. This includes producing those that were in effect at the time of the incident and those currently in effect, including all revisions.Additional forms of documentation are also requested as evidence that privacy and security rules are followed. This could include employee training documents and logs, security and risk assessments, security agreements with business associates and other third-party vendors, and even internal memos and emails. Without a doubt, covered entities that had a comprehensive HIPAA compliance program in place were able to produce the documentation requested by the OCR much more easily than those that did not.Pretty much sums up what happens during an investigation. To ensure you pass a HIPAA audit/investigation, you can utilize a HIPAA compliance software called HIPAA Ready. It will help you with documentation, risk assessments, and even training and certifications along with other compliance procedures. Just look up HIPAA Ready or you can also find the link in my bio.

HIPAA compliance isn't something you achieve. There is no starting and ending point with a simple road map or checklist.You are supposed to strive for a robust HIPAA compliance program that is addressing your obligation to comply in a reasonable and appropriate manner for your environment.Only an OCR audit can tell you how well you are doing in your program. That opinion on an audit also only applies to what they audited and not where you are the very next day. Your HIPAA program must be on-going and constantly changing.If you are a HIPAA Covered Entity (CEs) you have more extensive requirements than HIPAA Business Associates (BAs). However, many of the requirements are the same.Often CEs mistakenly believe they have HIPAA "covered" because they did the Privacy Rule requirements and they use a certified EHR application. That is not correct, Privacy, Security, and Breach Rule requirements fall way beyond that assumption.BAs mistakenly believe that they only have to worry about the Security Rule requirements. That is also not correct. They must worry about certain elements of the Privacy Rule relating to Uses and Disclosures, Breach Notification requirements plus other concerns based on what is in the Business Associate Agreements (BAAs) they signed.Both BAs and CEs do require:Regularly trained compliance officer(s) who's job is clearly defined to include compliance responsibilitiesDocumentation Management plan (you must prove you are doing the work required by HIPAA with extensive documentation)Business Associate Agreement Management plan (BAs must manage many more agreements than CEs because they have BAAs with all their CE clients, BA clients, BA vendors and BA subcontractors. That doesn't mean that CEs don't have plenty to do on their own list, though.)Documented Security Risk Analysis and Security Assessment Reports within a reasonable time frame (Not one done in 2005 and nothing since)Documented Risk Mitigation and Management planWritten Policies relating to the Security Rule, Privacy Rule, and Breach Notification requirements that address those requirements in a manner that is reasonable and appropriate in your environment.Written Procedures explaining how the policies will be implemented, enforced, regularly assessed and audited.Fully documented HIPAA workforce training programSecurity awareness workforce training programRegular evaluation plan and updates of Security Risk Analysis based on business needs and changesOf course, the elements of this list are broad as is the requirements of the HIPAA law. But, if you worked from this list to make sure your program had all these elements covered it could certainly be argued it is a robust HIPAA compliance program that is addressing your obligation to comply in a reasonable and appropriate manner for your environment.