HIPAA Policy Examples and Guidance for Covered Entities


As a covered entity, it's essential to have a clear and comprehensive HIPAA policy in place. This policy should be tailored to your organization's specific needs and requirements.

A HIPAA policy should include a clear statement of compliance, which acknowledges that the organization is subject to the HIPAA regulations and will comply with them. This statement should be signed by the organization's highest authority.

The policy should also outline the procedures for handling protected health information (PHI). For example, the policy may specify that PHI can only be accessed by authorized personnel, and that all access must be documented.

Organizations must also have a policy for breach notification, which outlines the procedures for reporting and responding to a breach of PHI.

Protected Health Information

Protected health information (PHI) is individually identifiable health information that a HIPAA covered entity or business associate creates, receives, maintains, or transmits, in any form or medium. It covers health condition, treatment, and payment information together with the identifiers attached to it, such as names, addresses, phone numbers, Social Security numbers, medical record numbers, financial account information, and full-face photographs.

PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI.

The HIPAA Security Rule regulates ePHI and was enacted to account for changes in medical technology.


HIPAA Compliance


HIPAA compliance is a must for organizations that handle Protected Health Information (PHI). To be compliant, you need to understand who needs to be HIPAA compliant.

Two types of organizations must be HIPAA compliant: Covered Entities and Business Associates. Covered Entities are healthcare providers, health plans (including health insurers), and healthcare clearinghouses. Business Associates are organizations that create, receive, maintain, or transmit PHI in the course of work they perform for a Covered Entity.

Some examples of Business Associates include billing companies, practice management firms, and IT providers.

To ensure compliance, you need to implement an effective compliance program built on the Seven Elements of an Effective Compliance Program published by the HHS Office of Inspector General (OIG); the elements are listed in their own section below.

Who Needs Compliance?

If you're wondering who needs to be HIPAA compliant, start with the basics. A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like).

If your organization falls into one of these categories, it is required to be HIPAA compliant.


Business associates, on the other hand, are organizations that work with covered entities to handle, transmit, or process PHI. This can include a wide range of service providers, such as billing companies, practice management firms, and IT providers.

Examples of business associates include:

  • Billing companies
  • Practice management firms
  • Third-party consultants
  • EHR platforms
  • IT providers
  • Faxing companies
  • Shredding companies
  • Physical storage providers
  • Cloud storage providers
  • Email hosting services
  • Attorneys
  • Accountants

These are just a few examples of the many types of business associates that may be affected by HIPAA rules.

The Seven Elements of an Effective Program

The Seven Elements of an Effective Compliance Program are the minimum components an organization must address for its compliance program to be considered effective.

These elements were created by the HHS Office of Inspector General (OIG) to give guidance for organizations to vet compliance solutions or create their own compliance programs.

Here are the Seven Elements:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

Federal HIPAA auditors will compare your organization's compliance program against these Seven Elements to judge its effectiveness.

HIPAA Requirements

HIPAA Requirements are in place to ensure the confidentiality, integrity, and availability of ePHI. HIPAA requires covered entities to retain HIPAA-related documents for six years from the date they were created, and for policies, six years from when they were last in effect.



HIPAA regulations are made up of several rules, including the HIPAA Privacy Rule, which sets national standards for patients' rights to PHI, and the HIPAA Security Rule, which sets national standards for the secure maintenance, transmission, and handling of ePHI.

Covered entities and business associates must assess Administrative, Technical, and Physical gaps against the HIPAA Privacy and Security standards through periodic self-audits (the Security Rule requires periodic evaluation; an annual cycle is the common practice). These audits must be fully documented and include calendar dates by which each gap will be remedied.

HIPAA-beholden organizations must document all efforts they take to become HIPAA compliant, including policies and procedures, employee training, and remediation plans. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.

Covered entities and business associates must also have a process to document a breach and to notify affected individuals that their data has been compromised, in accordance with the HIPAA Breach Notification Rule.

HIPAA Violations


HIPAA violations can be costly and damaging to a healthcare organization's reputation. A HIPAA violation is the failure to comply with any applicable provision of the HIPAA Rules, and can lead to civil penalties of up to $68,928 per violation and up to $2,067,813 per calendar year for violations of an identical provision (2023 inflation-adjusted amounts).

The most common HIPAA violations include breaches in an organization's compliance program that compromise the integrity of Protected Health Information (PHI) or Electronic Protected Health Information (ePHI). These violations can be the result of an ineffective, incomplete, or outdated HIPAA compliance program or a direct violation of an organization's HIPAA policies.

A data breach is not by itself a HIPAA violation, but a breach that results from non-compliance is. For example, if an unencrypted laptop holding medical records is stolen and the organization never performed a risk analysis or documented why encryption was not implemented on portable devices, the violation lies in the missing risk analysis and safeguard decision, not in the theft itself.

What Is a Violation?


A HIPAA violation is a failure to comply with any applicable provision of the HIPAA Rules.

A HIPAA violation is distinct from a data breach, and not all data breaches are HIPAA violations. A breach becomes evidence of a violation when it results from an ineffective, incomplete, or outdated compliance program or from a direct breach of the organization's own HIPAA policies.

An organization that has no policy barring laptops from leaving the premises or requiring them to be encrypted, and then loses one of those laptops to theft, is a textbook example.

The HIPAA Breach Notification Rule outlines how covered entities and business associates must respond in the event of a breach, including gathering data on smaller breaches and reporting them to HHS OCR within 60 days of the end of the calendar year.

Breaches affecting 500 or more individuals must be reported to HHS OCR without unreasonable delay and no later than 60 days after discovery, at the same time the affected individuals are notified. Individual notices are likewise due without unreasonable delay and in no case later than 60 days after discovery; the Rule does not use the word "immediately".

Penalties follow a four-tier sliding scale based on the level of culpability, from unknowing violations up to willful neglect that is not corrected. The statutory base amounts range from $100 to $50,000 per violation and are adjusted annually for inflation.

With over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before.


Common Violations


A HIPAA violation is the failure to comply with any applicable provisions of the HIPAA Rules.

Data breaches can occur when employees take unencrypted company laptops with access to medical records offsite, which is a common HIPAA violation.

Ten of the most common HIPAA violations have been discovered by OCR during investigations of data breaches and complaints filed through the OCR complaints portal.

These violations include, but are not limited to, unauthorized disclosure of PHI, failure to implement adequate security measures, and failure to provide timely breach notifications.

Implementing policies developed from HIPAA policy templates can significantly reduce the likelihood of HIPAA violations, but many organizations still fail to do so.

According to OCR, fines for non-compliance range from $100 to $50,000 per violation in statutory base amounts (higher once adjusted for inflation), depending on the level of culpability.

In some cases, fines can become astronomical if auditors detect that the organization under investigation has neglected to perform a "good faith effort" toward HIPAA compliance.



The HIPAA Breach Notification Rule requires notifications to be issued after a breach of unsecured protected health information, and these notifications must be issued within 60 days of the discovery of the breach.

Notifications must include a brief description of the security breach, the types of information exposed, and what is being done to mitigate harm and prevent future breaches.

A media notice must also be issued when the breach involves more than 500 residents of a single state or jurisdiction. The 500-individual mark is a notification threshold that changes who must be told and when; it is not a threshold for whether a violation has occurred.

By clearly defining security rules and implementing policies, organizations can minimize errors and oversights that would lead to breaches of patient confidentiality and costly penalties.

HIPAA Security

HIPAA security is a top priority for healthcare organizations, and it's essential to understand the requirements and guidelines set forth by the HIPAA Security Rule.

The HIPAA Security Rule lists conditions, or safeguards, that must be in place for HIPAA-compliant storage and communication of ePHI. These safeguards are referred to as either "required" or "addressable", but practically every safeguard is required unless there's a justifiable rationale not to implement it.


A risk assessment is necessary to determine whether encryption is necessary for email containing ePHI, and if not, the decision must be documented in writing. This includes considering the organization's risk mitigation strategy and other security measures put in place to secure the integrity of PHI.

HIPAA-covered entities must implement a security awareness training program for all members of the workforce, including management, and provide regular training based on a risk analysis.


Security Measures Explained

The Security Rule's implementation specifications are each labelled "required" or "addressable". An addressable specification is not optional: the entity must implement it, or document why doing so is not reasonable and appropriate and put in place an alternative safeguard that achieves the same objective with an equivalent level of protection.

Encryption is an addressable specification, so the Rule does not mandate that every ePHI store or transmission be encrypted. In practice, however, lost or stolen ePHI that was encrypted according to HHS guidance is not "unsecured PHI" and does not trigger breach notification, which makes encryption the safeguard most organizations choose to implement.


HIPAA-covered entities must consider using encryption, especially on portable devices that are frequently taken off site, as it renders ePHI unusable, unreadable, and indecipherable to unauthorized persons.

To determine whether encryption is necessary, HIPAA-covered entities should conduct a risk analysis and determine which safeguards are the most appropriate given the level of risk and their workflow.

If the decision is taken not to use encryption, an alternative safeguard must be used in its place, provided it's reasonable and appropriate and provides an equivalent level of protection.

If encryption is not used, the decision not to encrypt must be documented along with the reasons why encryption was not used and the alternative safeguards that were used in its place.

For data at rest, HHS guidance points to NIST SP 800-111, which relies on the Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys; for data in transit, it points to TLS as specified in NIST SP 800-52. OpenPGP and S/MIME are the usual standards for end-to-end email encryption.

Whether email carrying ePHI must be encrypted is a risk analysis decision. Messages that never leave an internal, firewalled mail server are a common rationale for not encrypting, but that conclusion has to come from the risk analysis, and the decision not to encrypt must be documented in writing along with the reasoning and the alternative safeguards relied on.

Password Requirements


Password Requirements are a bit of a gray area in HIPAA, but NIST has some great advice on how to keep your passwords secure.

HIPAA doesn't specify any specific password requirements, but it does say that covered entities should have procedures for creating, changing, and safeguarding passwords.

Following NIST SP 800-63B, a user-chosen password should be at least 8 characters long, and systems should accept passwords of at least 64 characters so that long passphrases are possible.

One thing to avoid is storing password hints, as they can be accessed by unauthorized individuals and used to guess your password.

A good password policy should prevent commonly used weak passwords, such as 'password', '12345678', or 'letmein'.

It's also recommended not to force users to change their passwords frequently, unless there's a good reason to do so, like after a security breach.

Multi-factor authentication is also a must-have to add an extra layer of security.


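As an added example (it is not code from the original article), the following Python function applies the NIST SP 800-63B rules discussed above to a candidate password: the 8-to-64 character length window, screening against a blocklist of common or breached passwords, rejection of context-specific words such as the username, no composition rules, and no scheduled expiry. The blocklist here is a small constructed sample; a real deployment would load a large breach corpus.

```python
"""NIST SP 800-63B-style password acceptance check.

Added example, not code from the original article. COMMON_PASSWORDS is a
small constructed sample; a production system loads a large breach corpus.
"""
import unicodedata

MIN_LEN = 8   # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 64  # verifiers must accept at least 64 characters, so passphrases fit

# Constructed sample of a common/breached-password blocklist (lowercase).
COMMON_PASSWORDS = {
    "password", "12345678", "letmein", "qwerty123", "welcome1",
    "password1", "iloveyou", "admin123",
}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode strings compare equal;
    length is then measured in code points, not bytes."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """True when the whole secret is one repeated character ('aaaaaaaa') or a
    straight ascending/descending run ('abcdefgh', '87654321')."""
    if not s:
        return False
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate: str, *, username: str = "", service: str = "") -> list:
    """Return the list of policy failures; an empty list means the password is accepted.

    Implements SP 800-63B section 5.1.1.2: length 8..64, blocklist screening,
    no context-specific words, no repetitive or sequential strings. Composition
    rules (mandatory digits/symbols) and periodic expiry are deliberately absent;
    NIST recommends forcing a change only on evidence of compromise.
    """
    pw = normalize(candidate)
    failures = []
    if len(pw) < MIN_LEN:
        failures.append(f"too short ({len(pw)} < {MIN_LEN})")
    if len(pw) > MAX_LEN:
        failures.append(f"too long ({len(pw)} > {MAX_LEN})")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        failures.append("on the common/breached password blocklist")
    for word in (username, service):
        if len(word) >= 4 and word.lower() in low:
            failures.append(f"contains context-specific word {word!r}")
    if is_repetitive_or_sequential(low):
        failures.append("repetitive or sequential characters")
    return failures


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "abcdefgh", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

Note that the check never looks at a stored hint (there is none to store) and never compares against a previous password: the only reason to force a change is a suspected compromise, which is an operational decision outside this function.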

HIPAA Breach Notification

HIPAA Breach Notification is a crucial aspect of maintaining patient trust and upholding the law.

You need to have a clear Breach Notification Policy in place, which outlines the procedures for responding to potential breaches of protected health information.

In the event of a data breach, notifications must be issued to affected individuals without unreasonable delay.

Breach notifications must be issued no later than 60 days from the date of discovery of the breach, giving you a tight deadline to act.
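As an added example covering the timing rules stated here and under HIPAA Violations (it is not code from the original article), the following Python code turns the facts of a breach into the notification obligations and deadlines that the Breach Notification Rule (45 CFR 164.400-414) imposes: individual notice and, for 500 or more individuals, HHS notice within 60 days of discovery; an annual log submission for smaller breaches; media notice when more than 500 residents of one state or jurisdiction are involved; and no notification at all when the ePHI was encrypted per HHS guidance. The Breach dataclass, its field names, and the sample incidents are assumptions constructed for this illustration.

```python
"""Breach Notification Rule (45 CFR 164.400-414) obligation calculator.

Added example, not code from the original article. The Breach dataclass,
its field names and the sample incidents are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Every notice is due "without unreasonable delay" and never later than this.
OUTER_LIMIT = timedelta(days=60)


@dataclass
class Breach:
    discovered: date                             # first day the breach was, or should have been, known
    individuals_affected: int
    residents_by_jurisdiction: Dict[str, int]    # e.g. {"FL": 620, "GA": 40}
    encrypted_per_hhs_guidance: bool = False     # key not compromised -> PHI was "secured"
    discovered_by_business_associate: bool = False


@dataclass
class Obligations:
    individual_notice_by: Optional[date] = None
    hhs_notice_by: Optional[date] = None
    media_notice_by: Optional[date] = None
    media_jurisdictions: List[str] = field(default_factory=list)
    covered_entity_notice_by: Optional[date] = None   # only when a BA discovered it
    notes: List[str] = field(default_factory=list)


def annual_log_deadline(discovered: date) -> date:
    """Breaches of fewer than 500 individuals are logged and submitted to HHS no later
    than 60 days after the end of the calendar year in which they were discovered."""
    return date(discovered.year, 12, 31) + OUTER_LIMIT


def obligations(b: Breach) -> Obligations:
    o = Obligations()
    if b.encrypted_per_hhs_guidance:
        o.notes.append("PHI was secured by encryption: not a breach of unsecured PHI, "
                       "no notification required (document the analysis anyway)")
        return o

    deadline = b.discovered + OUTER_LIMIT

    # A business associate notifies the covered entity; the covered entity owns the rest.
    if b.discovered_by_business_associate:
        o.covered_entity_notice_by = deadline

    # Individuals: written notice without unreasonable delay, at most 60 days after discovery.
    o.individual_notice_by = deadline

    # HHS: 500 or more -> contemporaneously with individual notice; fewer -> annual log.
    if b.individuals_affected >= 500:
        o.hhs_notice_by = deadline
    else:
        o.hhs_notice_by = annual_log_deadline(b.discovered)
        o.notes.append("fewer than 500 individuals: log internally and report with the annual submission")

    # Media: MORE than 500 residents of any single state or jurisdiction.
    o.media_jurisdictions = [j for j, n in b.residents_by_jurisdiction.items() if n > 500]
    if o.media_jurisdictions:
        o.media_notice_by = deadline
    return o


# Constructed sample incidents.
LARGE = Breach(date(2024, 3, 10), 620, {"FL": 620})
SMALL = Breach(date(2024, 3, 10), 120, {"GA": 120}, discovered_by_business_associate=True)
EXACTLY_500 = Breach(date(2024, 3, 10), 500, {"TX": 500})
SECURED = Breach(date(2024, 3, 10), 5000, {"NY": 5000}, encrypted_per_hhs_guidance=True)

if __name__ == "__main__":
    for name, b in (("large", LARGE), ("small", SMALL), ("exactly 500", EXACTLY_500), ("secured", SECURED)):
        print(name, obligations(b))
```

The EXACTLY_500 case shows the two thresholds diverging: 500 individuals is enough to require HHS notice within 60 days, but media notice needs more than 500 residents of one jurisdiction, so none is due.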

HIPAA Business Associates

HIPAA Business Associates are responsible for safeguarding Protected Health Information (PHI).

A business associate is an organization or individual that handles PHI on behalf of a covered entity, such as a healthcare provider.

To establish a relationship with a business associate, a covered entity must enter into a written agreement, known as a Business Associate Agreement (BAA).

The BAA outlines the business associate's responsibilities to protect PHI, including permissible uses and disclosures.


Covered entities must identify all parties handling PHI, including business associates, and clearly outline their responsibilities under HIPAA security policies.

A covered entity must have a BAA in place before disclosing PHI to a business associate, ensuring the business associate understands its responsibilities to safeguard PHI.

The scope of HIPAA policies includes any information in medical records and other documents that can be used to identify an individual.


Access

Access is a crucial aspect of HIPAA policy, and it's essential to understand the procedures for approving or denying patient access requests. This can be seen in the example of the Access Policy, which defines patients' right to access their Protected Health Information (PHI).

Patients have the right to access their medical records, and healthcare organizations must provide them with a copy whenever they request it. This is stated in the example of Explaining HIPAA to Patients, which mentions that patients can request their medical records at any time.

To ensure that patients' rights are respected, healthcare organizations must establish clear procedures for responding to access requests. This includes informing patients about their right to access their records and providing a copy within the Privacy Rule's time limit: 30 days from the request, extendable once by a further 30 days with written notice of the reason.


The HIPAA policy templates emphasize access control, which means that healthcare organizations must define which workforce members, roles, and systems may access PHI, under what circumstances, and through what means, so that each person sees only the minimum necessary for their job. This is done to minimize the risk of unauthorized access to sensitive patient information.

Here are some key points to keep in mind when it comes to access:

  • Respond to a patient's access request within 30 days (one 30-day extension is allowed, with written notice of the reason).
  • Provide the copy in the form and format the patient requests when it is readily producible, including an electronic copy of electronically held records.
  • Charge no more than a reasonable, cost-based fee for copies.
  • Record who accessed which PHI, when, and for what purpose, so that access can be audited.

By following these procedures and guidelines, healthcare organizations can ensure that patients' rights are respected and that their PHI is protected.

HIPAA Record Management

HIPAA Record Management is crucial for healthcare providers, as it ensures the secure retention of Protected Health Information.

HIPAA requires covered entities to retain HIPAA-related documents for six years from the date they were created, as stated in 45 CFR §164.316(b)(2)(i). This includes policies, which must be retained for six years from when they were last in effect.


Record Retention Requirements



A hospital in South Carolina must retain medical records for 11 years after the discharge date. In contrast, hospitals in Florida must retain medical records for seven years after the discharge date.

Physicians in Florida must retain medical records for five years after the last patient contact. Insurance companies may be subject to FINRA laws, which cover the retention of certain records.

The Centers for Medicare & Medicaid Services (CMS) requires healthcare providers to retain cost reports for five years after the closure of the cost report. Medicare managed care program providers must retain records for ten years.

HIPAA requires covered entities to implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI. This includes securing medical records at all times.


De-Identification


De-identification is a crucial step in protecting patient privacy under HIPAA. This process involves converting individually identifiable Protected Health Information (PHI) into information that no longer reveals the identity of any patient.

A de-identification policy sets out the process for converting PHI into information that no longer identifies any patient. HIPAA recognizes two methods: Expert Determination, in which a qualified expert documents that the risk of re-identification is very small, and Safe Harbor, which removes a fixed list of eighteen identifier types (names, geographic units smaller than a state, dates other than year, contact details, account and record numbers, device and network identifiers, biometrics and full-face photos, and any other unique code) and additionally requires that the entity has no actual knowledge the remaining data could identify the individual.

To de-identify PHI, the process must be systematic and thorough, so that every identifying element is removed or generalized rather than left to ad hoc judgement. The policy should state which method is used, who approves each release of de-identified data, and how the work is documented.
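As an added example (it is not a policy or code from the original article), the following Python code applies the Safe Harbor method of 45 CFR 164.514(b)(2) to a structured patient record: direct identifiers are dropped, a ZIP code is reduced to its first three digits (or "000" for sparsely populated areas), event dates are reduced to the year, ages over 89 are collapsed into "90+" with the birth year withheld, and free-text notes are scrubbed of SSN, phone and e-mail patterns. The field names, the sample record, and the SPARSE_ZIP3 set are constructed for illustration; the real list of 3-digit ZIP areas with 20,000 or fewer residents must be derived from Census data.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a patient record.

Added example, not code from the original article. Field names, the sample
record and SPARSE_ZIP3 are constructed for illustration; the real set of
3-digit ZIP areas with 20,000 or fewer people must come from Census data.
"""
import re
from datetime import date
from typing import Any, Dict, Optional

# Safe Harbor identifier categories that are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may remain.
EVENT_DATES = {"admission_date", "discharge_date", "death_date"}
# Constructed sample of 3-digit ZIP prefixes that must be reported as "000".
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "878", "893"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def zip3(zipcode: str) -> str:
    """Keep the first three ZIP digits unless that area has 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zipcode)[:3]
    return "000" if len(digits) < 3 or digits in SPARSE_ZIP3 else digits


def age_on(dob: date, ref: date) -> int:
    """Whole years between dob and the reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def year_only(iso_date: str) -> Optional[int]:
    """Reduce an ISO-8601 date string (YYYY-MM-DD) to its year."""
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", iso_date)
    return int(m.group(1)) if m else None


def scrub_free_text(text: str) -> str:
    """Pattern-based removal of SSNs, phone numbers and e-mail addresses from notes.
    Regexes catch only well-formed identifiers; free text still needs human or
    expert review before release."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def de_identify(record: Dict[str, Any], reference_iso: str) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of record.

    reference_iso is the date (YYYY-MM-DD) against which age is computed, e.g.
    the date of the event the dataset describes. Ages over 89 are collapsed
    into "90+" and, because a birth year would reveal such an age, the birth
    year is dropped for those individuals.
    """
    reference = date.fromisoformat(reference_iso)
    out: Dict[str, Any] = {}
    dob = date.fromisoformat(record["dob"]) if record.get("dob") else None
    if dob is not None:
        age = age_on(dob, reference)
        if age > 89:
            out["age"] = "90+"
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "dob":
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in EVENT_DATES:
            out[key.replace("_date", "_year")] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (fictional patient).
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "email": "jane@example.test", "street_address": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704-1234", "dob": "1931-02-14",
    "admission_date": "2024-03-10", "discharge_date": "2024-03-14",
    "diagnosis": "Type 2 diabetes",
    "notes": "Daughter (555-867-5309, d.example@mail.test) requested a callback.",
}

if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD, "2024-03-10"))
```

The 90+ handling is the edge case most scripts get wrong: Safe Harbor requires removing all elements of dates, including the year, that would indicate an age over 89, so the birth year cannot simply be kept for everyone. The free-text scrub is a helper, not a guarantee; the "no actual knowledge" condition still has to be met by review of whatever remains.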

HIPAA Communication

HIPAA Communication is a critical aspect of healthcare policy, ensuring that patients' sensitive information is protected and communicated in a secure manner.

To establish a clear procedure for alternative communication, a healthcare organization should have an Alternative Communication Policy in place. This policy should outline the process for patients to request alternative means of communication, such as phone or email, and for delivering PHI at alternate locations.


Individuals can request confidential communication with their physician through specified means or at specified locations, as outlined in the Confidential Communication Policy. This policy should describe the process for making such requests and ensuring confidentiality.

Having a clear Alternative Communication Policy and Confidential Communication Policy in place helps healthcare organizations meet HIPAA requirements and maintain patient trust.

HIPAA Enforcement and Training

Implementing effective HIPAA training is crucial for organizations to ensure compliance. Training programs should emphasize privacy practices and protecting Protected Health Information (PHI).

HIPAA requires covered entities and business associates to implement a security awareness training program for all members of the workforce. This includes management. Regular training is essential, and the frequency should be determined by a risk analysis.

The Seven Elements of an Effective Compliance Program are a great framework for organizations to follow. These elements include implementing written policies, procedures, and standards of conduct, as well as conducting effective training and education.



Conducting internal monitoring and auditing is also a key element of an effective compliance program. This involves regularly reviewing and assessing an organization's compliance with HIPAA policies and procedures.

Organizations must develop privacy and security policies for all members of the workforce and enforce a sanctions policy for staff who do not comply with the organization's policies and procedures.

A good approach to explaining HIPAA to employees is through special compliance training tutorials. These sessions should be short and frequent, rather than trying to cram everything into a single four-hour training session.

The full list of the Seven Elements of an Effective Compliance Program appears in its own section above.

HIPAA Risk Management

Conducting thorough risk analyses is fundamental to HIPAA compliance.

Regular risk analyses allow healthcare entities to adapt to new threats and ensure the ongoing protection of patient information.

Failure to perform a comprehensive, organization-wide risk analysis is one of the most common HIPAA violations discovered by OCR.

HIPAA requires covered entities and their business associates to conduct regular risk analyses to identify vulnerabilities to the confidentiality, integrity, and availability of PHI.


All risks identified during the risk analysis must be subjected to a HIPAA-compliant risk management process.

Reducing risks to a reasonable and appropriate level is critical to the security of ePHI and PHI, and is a fundamental requirement of the HIPAA Security Rule.

By implementing a robust risk management process, healthcare entities can minimize the risk of HIPAA violations and protect sensitive patient information.

HIPAA Patient Rights

Patients have the right to request their medical records at any time. This is a fundamental right under HIPAA, and healthcare organizations are required to provide patients with access to their records in a timely manner.

To exercise this right, patients can simply request a copy of their medical records. This can be done in person, by phone, or in writing, and healthcare organizations are required to provide patients with the information they need to access their records.

Patients also have the right to request that errors in their medical records be corrected. This is another important right under HIPAA, and healthcare organizations are required to respond to patient requests in a timely manner.


Here are some key patient rights under HIPAA:

  • Request their medical records at any time.
  • Request their medical records be amended to correct errors.
  • Limit who has access to their personal health information.
  • Choose how healthcare organizations communicate with them.
  • Complain about unauthorized disclosure of their PHI and suspected HIPAA violations.

By understanding these patient rights, patients can take an active role in managing their healthcare and ensuring that their rights are protected under HIPAA.

Personal Representative

As a patient, you have the right to designate a personal representative to act on your behalf when it comes to your protected health information (PHI).

Under the Privacy Rule, your personal representative is someone with legal authority to make healthcare decisions on your behalf, such as the parent of a minor, a court-appointed guardian, or a person holding a healthcare power of attorney. A friend or family member without that authority is not automatically a personal representative, although you can still authorize disclosures to them in writing.

This person has the authority to receive and review your medical records, including your PHI.

A personal representative policy defines when and what PHI may be disclosed to your designated representative.

This policy typically outlines the procedures for verifying the identity of your representative and ensuring they have the necessary authorization to access your PHI.

Your personal representative may be able to receive updates on your condition, participate in decision-making, or even make decisions on your behalf if you're unable to do so.

Patient Rights


As a patient, you have the right to access your medical records at any time, and you can request a copy of them whenever you like. You can also ask to amend your medical records to correct any errors.

You have the right to limit who has access to your personal health information, and you can choose how your healthcare providers communicate with you. This means you can decide whether you want to receive emails, phone calls, or letters.

If you're concerned about unauthorized disclosure of your PHI, you have the right to complain to the HHS' Office for Civil Rights. Your healthcare provider must respond to your request in a timely manner, or they may face a compliance investigation.


Remember, your healthcare provider is required by law to give you a notice of its privacy practices and to make a good-faith effort to obtain your written acknowledgment that you received it. The notice must also be posted in a prominent place in the office and, if the provider maintains a website, on that site.

Frequently Asked Questions

What are the three 3 rules of HIPAA?

The three HIPAA rules usually meant by this question are the Privacy Rule (standards for the use and disclosure of PHI and for patients' rights over it), the Security Rule (administrative, physical, and technical safeguards for ePHI), and the Breach Notification Rule (what must be reported, to whom, and by when). The Security Rule in turn requires covered entities and business associates to ensure the confidentiality, integrity, and availability of ePHI and to protect it against reasonably anticipated threats and impermissible uses or disclosures.

Adrian Fritsch-Johns

Senior Assigning Editor
