The HIPAA Privacy Rule and the HIPAA Security Rule make up the foundation of the HIPAA regulations. While a Security Rule checklist can be found on the web, many healthcare professionals wonder if there is a HIPAA Privacy Rule checklist too. This article includes a HIPAA Privacy Rule checklist which will help healthcare professionals to adhere to HIPAA’s regulations.
The HIPAA Privacy Rule in a flash
The HIPAA Privacy Rule sets the national standard for protecting an individual’s medical record and other personal health-related information. This Rule applies to HIPAA-covered entities, which includes health plans, healthcare clearinghouses, and those healthcare providers that conduct standard electronic healthcare transactions.
The Privacy Rule requires organizations to implement appropriate safeguards for protecting the privacy of Protected Health Information (PHI) and limit the use and disclosure of information that may be used without a patient’s consent. In short, it explains how healthcare professionals, lawyers, or anyone who has access to PHI, can or cannot use the data. Furthermore, the Rule allows patients to access their medical records, make copies, and corrections upon request.
For example, if a patient wants to share their information with someone else, the law requires a HIPAA PHI release form to be signed in order for the physician’s office to share the information. These are the kinds of scenarios that the HIPAA Privacy Rule covers.
The HIPAA Privacy Rule Checklist
This HIPAA Privacy Rule checklist will ensure that the PHI is properly protected while also allowing authorized parties to share and transmit information while delivering proper care:
- Privacy policies and procedures
- Develop and implement written privacy policies and procedures for your practice in accordance with the HIPAA Privacy Rule. Develop guidelines stating who, when, how and under what circumstances the PHI be accessed, disclosed, or used.
- Privacy officer
- Appoint a privacy officer to develop and implement the privacy policies. Assign a contact person who will be responsible for dealing with complaints and provide information to individuals about privacy practices.
- Business Associate Agreement (BAA)
- Create and execute a BAA with all of the business associates who have access to the PHI.
- Training and management of the workforce
- Training on privacy policies is required to be provided to everyone in the workforce, including physicians, volunteers, staff members, and others. Place appropriate disciplinary actions in place for anyone who violates the standards.
- Apply reasonable and appropriate technical, physical, and administrative safeguards to regulate proper use and disclosure of PHI. Appropriate safeguards can also ensure data is protected from security breaches. Methods may include proper shredding of documents, limiting access to authorized individuals, applying passwords, and implementing a biometric patient identification platform.
- Anti-Retaliation and waiver policy
- There should be a solid guideline stating that your practice will not retaliate or intimidate any person who files a complaint or provides information regarding a HIPAA violation, or anyone who exercises his/her Privacy Rule rights. You do not have the right to ask individuals to waive their Privacy Rule rights as a condition for receiving treatments, payments, or enrollment aptness.
- De-identification of PHI
- Have a de-identification policy in place. Under the HIPAA Privacy Rule, de-identification is the removal of specific identifiers that can be used alone or in combination with other information to identify a patient. Covered entities often wish to de-identify PHI for conducting research and participate in comparative studies. Once the PHI is de-identified, HIPAA Privacy Rule restrictions no longer apply.
- Policies for handling complaints
- Set up procedures for individuals so that they can file complaints about its HIPAA practices, and inform everyone that complaints may also be reported to the Health Department (HHS).
- Documentation trail
- Store and maintain documents that address all aspects of HIPAA, including policies, training, disposition of complaints, and other actions for at least a minimum of 6 years from their creation. A document trail also helps organizations when officials perform HIPAA audits.
Why worry when there is HIPAA Ready?
Invest in HIPAA Ready to ensure you meet your compliance requirements from one single platform. HIPAA Ready is HIPAA compliance software designed to ease your compliance management efforts, where you store and customize your policies, manage training efficiently, and keep track of all other compliance areas.
HIPAA Ready makes maintaining your HIPAA Privacy checklist easier. Start a free trial now and see how HIPAA Ready can work for your organization.
Published by Riyan N. Alam