How to Become a HIPAA Compliant Medical Office
In brief: evaluate existing policies, minimize security risks associated with new technology, test compliance policies to ensure effectiveness, follow phone protocols, protect workstations, protect papers, use HIPAA-compliant shredders, and educate your staff.
Step-by-Step Guide
Step 1: Evaluate existing policies.
If your office enacted policies regarding the handling of confidential information long ago, when HIPAA was first passed, some of those policies may now be out of date, as the laws may have changed.
Check the current laws and examine your office's existing policies to be sure they comply with the up-to-date requirements. The US Department of Health and Human Services (HHS) provides a fact sheet for providers that explains how to comply with HIPAA.

Step 2: Minimize security risks associated with new technology.
Social media and email, for example, can pose security risks when used by your staff.
It is important that your office has policies in effect to keep security breaches from happening as a result of the use of new technology. Consider hiring an information technology specialist who can help ensure security across all types of technology used in your office.

Step 3: Test compliance policies to ensure effectiveness.
Even when your office policies are up to date, it is a good idea to assess whether they are actually working. This is sometimes called a "self-audit." If your office performs this assessment itself, it helps prevent patient complaints or failed audits, which can result in fines from HHS. The University of Wisconsin-Milwaukee has created a test your office can use to self-audit.
The questions cover privacy and security.
Answer the questions honestly to identify areas where you could improve.

Step 4: Follow phone protocols.
Your medical office must have specific guidelines for what information is given over the phone.
Certain individuals, such as health insurance representatives or family members, might have clearance to be told patient information (with your permission), but other callers should be given only basic information that does not violate HIPAA.
Institute a phone policy that requires callers to be identified by confirming personal information (birth date, address, etc.) before any information is given out.
If you cannot confirm a person's identity, do not give them any information over the phone, and be sure your office staff does the same.
Be sure you have documentation of those who have permission to receive personal information about someone other than themselves.

Step 5: Protect workstations.
Workstation use is listed under the Physical Safeguards of the HIPAA Security Standards.
There are no specifications for how workstations must be protected, but they do need to be protected in some way. A computer should always be password-locked when the person who uses it is away from the desk.
This is to prevent unauthorized use.

Step 6: Protect papers.
Documents like medical claims and bills should not be left unattended.
Moreover, papers with patient information that need to be stored must be kept in locked cabinets, file drawers, or safes.
Disposing of paper copies of patient information requires shredding.

Step 7: Use HIPAA-compliant shredders.
The shredder your office uses to destroy patient information should destroy papers completely so that documents cannot be pieced back together.
The best way to ensure this is to use a cross-cut shredder, which reduces paper to fine pieces that resemble confetti, rather than the variety that turns papers into ribbons that, with a little patience, can be reassembled into full documents. Some services will collect documents discarded into a secure bin for shredding offsite.
These services may be expensive and not completely secure, so a HIPAA-compliant shredder may be a better choice.

Step 8: Educate.
A well-informed staff will be more adept at following HIPAA regulations, and they will know why they are doing it.
There are many training videos available online, in addition to correspondence courses, continuing education courses, and more, that can help get your office's staff educated on HIPAA.
Educating your office's staff is not only a good way to help with compliance, but also helps avoid violations should the office be audited.
About the Author
Timothy Rodriguez
Professional writer focused on creating easy-to-follow crafts tutorials.