
Copyright © 2011 Physician Reimbursement Services, LLC. All Rights Reserved www.aapcps.com

HIPAA Privacy Compliance Checklist

A Compliance Self-Assessment Tool


HIPAA PRIVACY CHECKLIST

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets forth standards for the protection of certain health information. The Privacy Rule standards under HIPAA address the use and disclosure of individuals’ health information by organizations such as medical practices, and also define the patient’s privacy rights to understand and control how their information is used. Each standard is a requirement with which the covered entity must comply with respect to an individual’s protected health information. Within each standard are implementation specifications that outline how the standard is to be implemented by the covered entity.

How to Use the HIPAA Privacy Checklist

The checklist provides a detailed review of each of the compliance requirements under the HIPAA Privacy Rule. It has been designed to help practices easily understand what is required of them and evaluate whether they are compliant. Each section includes:

Review of required standards

Implementation specifications under each standard

Guidance and easy to understand explanations

Assessment guidelines to ensure appropriate compliance

Reference for applicable forms. The complete AAPC Physician Service Compliance Toolkit contains over 70 forms that are ready to use or can be customized for your specific medical practice. Forms referenced in the checklist correspond to the applicable forms provided in the Compliance Toolkit.

Legal Notice

The HIPAA Compliance Checklist does not constitute legal advice, and we are not acting as your attorney. The materials being provided are for informational purposes only and should not be used as a substitute for the advice of competent legal counsel.


Notification of Privacy Practice HIPAA Regulation: 164.520(a)(1)

An individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the medical practice and of the individual's rights and the practice's legal duties with respect to protected health information.

Implementation Specification Guidance Assessment Y / N Comments

Required elements 164.520 (b)(1) Every practice is required to provide its patients with a written Notice of Privacy Practice (NPP). The NPP must be written in plain language that is easy to understand and must contain certain required elements according to the HIPAA Privacy Rule. Applicable Forms: Notice of Privacy Practices; Notice of Privacy Practice Acknowledgement

The NPP is required to notify the patient how the clinic may use and disclose their information. This should include:

A description and one example of the types of uses and disclosures allowed by the practice.

A description of each of the purposes allowed by the practice to use or disclose PHI without the individual's written authorization.

A statement that other uses and disclosures will be made only with the individual's written authorization and that they may revoke such authorization.

The NPP contains the necessary information to meet the use and disclosure requirements of the Privacy Rule.

The NPP is required to include information regarding the patient’s rights. Patient rights that should be specified include:

Right to receive a copy of the NPP

Right to request a restriction on the use / disclosure of PHI

Right to know that the clinic is not required to agree with a request to restrict PHI

Right to inspect and copy their PHI

Right to request an amendment of their PHI

Right to request an accounting of PHI disclosures

Right to request confidential communication

The NPP contains the necessary information to meet the Privacy Rule requirements to notify patients of their rights.

The NPP must also include information regarding the practice’s legal duties with respect to protecting patient information. Elements must include:

Information regarding the practice’s legal duties to protect PHI

Statement indicating the practice is required to abide by the NPP

A statement that the practice may revise the NPP and how they will notify patients of any revisions

A statement that individuals may file a complaint regarding privacy, how to file, and that the practice will not retaliate for such actions.

Contact information of the practice

Effective date of the NPP

The NPP contains the necessary information to meet the covered entity’s duties under the Privacy Rule requirements.


The NPP must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

The NPP contains an appropriate header.

Provision of notice 164.520 (c)(2) Practices are required to make a good faith effort to obtain a written acknowledgement from each patient that they have received a copy of the NPP.

The notice may also be provided by email if requested by the patient.

The practice has a written Notice of Privacy Practice that is provided on or prior to the first delivery of service.

A copy of the NPP is prominently displayed in the clinic.

A copy of the NPP is posted on the practice’s website (if applicable).

Documentation 164.520 (e) The practice must document compliance with the notice requirements by retaining copies of the notices issued to patients or any written acknowledgments of good faith efforts to obtain such written acknowledgment.

If the patient refuses to sign the NPP, a clinic may NOT withhold treatment. In these cases, the clinic should note in the chart that the patient declined and the reason. If NPPs are emailed, an electronic return receipt can serve as the signature. If NPPs are mailed to patients, the practice should use a return receipt and have the patient mail back the signed NPP or bring it to the practice at the next appointment.

The practice maintains a copy of written acknowledgement of the NPP by the patients.

Use and Disclosure of PHI Requiring Patient Authorization HIPAA Regulation: 164.508

Practices are required to obtain a signed authorization to release protected health information for uses other than treatment, payment, healthcare operations, or as required by law.

Implementation Specification Guidance Assessment Y / N Comments

Elements required to be included in an authorization form 164.508 (c) Applicable Forms: PHI Use and Disclosure Authorization; Psychotherapy Use and Disclosure Authorization; Revocation of Authorization to Use PHI

Authorizations must be documented on a form that includes specific elements required by HIPAA. Elements required to be on an authorization form include:

A description of PHI authorized for release

Name of the clinic or individuals authorized to release the PHI

Name of the clinic or individual authorized to receive the PHI

Purpose of releasing the PHI

Indication the patient may revoke the authorization

Indication that treatment is not conditional on signing the authorization (except for research participation or if approval is needed prior to providing insurance coverage)

The practice uses an authorization form to obtain approval to use or disclose PHI for all non-TPO related purposes.

Authorization forms contain each of the required elements specified by the HIPAA Privacy Rule and are written in plain, easy to understand language.


Patient signature and date

Expiration dates of authorization

Providing copies to patients 164.508 (c)(3), (4) Copies of any authorization document are required to be provided to the patient.

Patients are provided copies of their signed authorizations forms.

Revoking an authorization 164.508(b)(5) Patients are allowed to revoke their authorization at any time. This must be done in writing.

The practice uses a revocation of authorization form to document any patient requests to revoke authorization to use or disclose PHI.

Psychotherapy notes 164.508 (a)(2)

A practice must obtain authorization to use or disclose Psychotherapy Notes unless they are used for treatment by the originator of the notes, for training purposes, or for defense in legal cases. Authorization for psychotherapy notes must be obtained in writing using a separate form from any other authorizations.

Authorizations for psychotherapy notes are obtained in writing using a unique form.

Marketing 164.508 (a)(3)

Marketing is defined as communication about a product or service that encourages the recipient to buy something. Authorization is required for any use or disclosure of PHI related to marketing efforts. Some marketing activities do not require authorization. These include:

Face-to-face communication with the patient

Reminders of prescription refills

General health promotion communications such as (but not limited to) annual mammogram reminders, cholesterol screening reminders, etc.

Appropriate authorization is obtained from the patient in writing prior to using PHI for marketing efforts.

Fundraising activities 164.514 (f)

Practices must obtain authorization before using PHI for any fundraising related activities. An exception to this is granted for practices conducting fundraising activities on their own behalf, as long as the information is limited to demographic information and the practice notifies the patient that they may opt out of any such solicitations.

Appropriate authorization is obtained from the patient in writing prior to using PHI for any fundraising efforts.


Use and Disclosure of PHI Requiring an Opportunity to Agree or Object HIPAA Regulation: 164.510

The HIPAA Privacy Rule allows a medical practice to make certain uses or disclosures of PHI without obtaining a written authorization, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree or object to it. Agreement can be communicated verbally.

Implementation Specification Guidance Assessment Y / N Comments

Facility directories 164.510 (a)

A practice may use patient information to maintain an inpatient directory. The only information that is allowed to be disclosed in the facility’s directory is the patient name, general condition, religious affiliation and physical location. This standard typically applies to inpatient settings.

The patient directory (if applicable) only lists appropriate information allowed under HIPAA Privacy.

Disclosing PHI to family members and friends 164.510 (b)

A practice is allowed to share PHI with family members, relatives, close friends or any other person identified by the patient, to the extent the information is necessary for the patient’s care or for payment related to services. Providers and clinical staff should not assume that PHI can be disclosed because the person(s) came with the patient to the appointment. It is best practice to ask the patient’s permission prior to the exam. Patient PHI may also be used to help identify, locate or notify family members or a caretaker in order to inform them of the patient’s location, general condition or death.

Providers only share patient PHI with family members, relatives or close friends after receiving appropriate consent from the patient.

Disaster relief efforts 164.510 (b)(4)

PHI may also be disclosed to public or private organizations that are authorized to assist in disaster relief efforts. The information is only to be used for the purpose of locating family members or persons responsible for the care of the individual. The only information that is allowed to be disclosed is the patient name, general condition, religious affiliation and physical location.

Patient PHI disclosed for purposes of disaster relief efforts is limited to only what is allowed under HIPAA Privacy.

Limitations on information that can be shared when the patient is not present. 164.510(b)(3)

In situations where a patient is not able to agree or object (e.g. the patient is not present, incapacitated or in an emergency) the provider is allowed to disclose PHI, but it must be based on their professional judgment to determine if disclosing PHI is appropriate and in the best interest of the patient.

Information shared under circumstances where the patient is not present is based on the physician’s judgment and strictly limited to information relevant to the other person’s involvement with the patient.


Uses and Disclosures of PHI That Do Not Require Authorization or an Opportunity to Agree or Object HIPAA Regulation: 164.506, 164.512

The HIPAA Privacy Regulations allow medical practices to use and disclose a patient’s protected health information under a number of circumstances that do not require authorization from the patient. The following section outlines these allowable uses and disclosures.

Implementation Specification Guidance Assessment Y / N Comments

Use and Disclosure to Carry Out Treatment, Payment or Healthcare Operations (TPO) 164.506 A practice may use and disclose PHI for treatment, payment or healthcare operations without the consent or authorization of their patient.

Treatment: Treatment includes employees of the practice or individuals who work for the practice that use PHI in order to treat the patient or assist in treatment of the patient such as ordering or interpreting lab tests, prescribing medications, communicating with a hospital or others who may assist in the care of the patient.

Disclosure of PHI for non-treatment related reasons is not allowed without appropriate authorization.

Payment: Payment includes disclosing PHI in order to bill and collect payment for medical services. Activities include, but are not limited to:

Establishing insurance eligibility and coverage

Billing and collections

Review of PHI for medical necessity

Disclosing PHI to third party agencies for billing services or collections.

Disclosure of PHI for non-payment related reasons is not allowed without appropriate authorization.

Operations: A practice can use and disclose PHI that is necessary to operate its business, for example scheduling appointments, healthcare training and evaluating quality of care.

Disclosure of PHI for non-operational related reasons is not allowed without appropriate authorization.

Other non-TPO allowances 164.512 HIPAA privacy regulations allow practices to use or disclose PHI for the following purposes without a signed authorization or an opportunity for the patient to object. HIPAA requires each of these uses to be identified in the practice’s Notice of Privacy Practice. Applicable Forms: Notice of Privacy Practices

Non-TPO Allowances:

The disclosure is required by law (a)

To public health organizations responsible for collecting data (e.g. disease, injuries, birth, death, public health surveillance, public health investigations) (2)

To report child abuse or neglect cases to appropriate authorities

To report or track FDA related events such as drug recalls (b)(1)

To monitor workplace medical surveillance or other OSHA activities (b)(2)

To report suspected abuse, neglect or domestic violence to appropriate authorities. In most cases the practice is required to inform the patient that it has reported or intends to report this information. (c)(2)

For health oversight activities required by law (e.g. licensure, government benefit programs, inspections) (d)

In response to judicial proceedings or other law enforcement purposes such as subpoenas, warrants or other lawful purposes (e), (f)

As required by HIPAA, the practice has included these uses in its Notice of Privacy Practices to patients.

For cadaveric organ or tissue donations (g)

For research subject to approval by an institutional review board (j)

To report serious threat to public health and safety

For workers compensation cases

For specialized government functions deemed appropriate by government authorities (k)

Other Requirements Relating to Uses and Disclosures of Protected Health Information HIPAA Regulation: 164.514

Additional restrictions related to how a practice can use patient protected health information include the following:

Implementation Specification Guidance Assessment Y / N Comments

De-identification of PHI 164.514(a) A practice may use PHI to create information that is not individually identifiable. This is referred to as de-identified information. Once information has been de-identified, it is no longer subject to HIPAA regulation.

For information to be considered de-identified, a practice must remove the following identifiers:

Names

Street address, county, city, and zip code details.

Any specific dates related to birth, death or medical care (the year is permitted to be retained).

Phone, fax numbers, and email addresses

Social Security Numbers

Any other identifying element such as (but not limited to) certificate or license numbers, IP addresses, biometric identifiers such as fingerprints, photographs etc.

The practice removes all specified data elements required by HIPAA before using or disclosing de-identified information (e.g., “45-year-old non-smoker”).

Minimum necessary disclosure 164.514(d) General compliance with the HIPAA Privacy standard requires that a practice restrict the use or disclosure of patient protected health information to the minimum amount of information necessary to accomplish the intended purpose of the request.

As part of fulfilling the implementation of the minimum necessary standard, practices are required to identify and document those staff within the practice that need access to PHI based on their job responsibilities and the categories or type of information those individuals or job positions require.

Job descriptions for each position in the clinic identify the type of PHI necessary to fulfill that job responsibility.

Each staff member is given access to PHI based on their assigned job responsibility according to their job description.

Non-routine requests for PHI need to be reviewed on an individual basis and should be limited accordingly. The practice may rely on the judgment of the individual making the request to determine the minimum necessary information.

The practice has a formal process in place to review and approve all non-routine requests for disclosure of PHI.


Use of limited data sets 164.514(e) Practices may disclose PHI for research or other public health purposes using a limited data set. The limited data set may be used in lieu of an authorization from the patient. Applicable Forms: Data Use Agreement

For data to qualify as a “limited data set” it must have all direct identifiers removed that fall under the de-identification standard, with the exception of the following elements that are allowed to be retained:

Town or City, state, and zip code

Birth date, admission date, discharge date, date of death.

If researchers need more information than what is provided in a limited data set, they may submit a waiver of authorization to the practice.

Prior to disclosing a limited data set, the practice has obtained a Data Use Agreement with the entity that will be receiving the limited data set.

Beyond the use of appropriate limited data sets, the practice does not disclose any PHI for research purposes without an authorized waiver from an IRB (institutional review board).
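The de-identification list (164.514(a)) and the limited data set exception (164.514(e)) differ only in which fields survive: a limited data set keeps town or city, zip code and the birth, admission, discharge and death dates that de-identification removes or reduces to a year. The following is an added example, not part of this checklist or the AAPC toolkit, that applies both lists to a constructed patient record and refuses to release a record whose retained free-text field still carries an identifier. The field names, the sample record and the regular expressions are assumptions made for the example.

```python
"""De-identified record vs. limited data set, following the identifier lists
in the checklist (164.514(a) and 164.514(e)).

The record layout (field names) is a constructed example, not a format the
checklist defines. Fields not explicitly retained are dropped (fail closed),
which covers the checklist's "any other identifying element" catch-all.
"""
import re
from datetime import date

# Fields a de-identified record may carry. Anything not listed here (name,
# street address, county, city, zip, phone, fax, email, SSN, licence numbers,
# IP addresses, biometrics, photographs, ...) is removed.
RETAINED_FIELDS = {"state", "sex", "diagnosis", "smoker", "notes"}

# Dates that de-identification keeps only as a year and a limited data set
# keeps in full: birth, admission, discharge and death dates.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Geographic detail a limited data set may retain although de-identification
# removes it (state is already in RETAINED_FIELDS).
LIMITED_SET_GEOGRAPHY = {"city", "zip"}

# Identifiers that tend to survive inside free-text fields such as notes.
FREE_TEXT_IDENTIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_free_text(text):
    """Return the sorted names of identifier patterns found in a text value."""
    return sorted(name for name, pat in FREE_TEXT_IDENTIFIERS.items() if pat.search(text))


def de_identify(record):
    """Apply the 164.514(a) list: drop direct identifiers, keep only the year of dates.

    Raises ValueError if a retained free-text field still contains an identifier,
    so a half-scrubbed record is never released as "de-identified".
    """
    out = {}
    for field, value in record.items():
        if field in DATE_FIELDS:
            out[field] = value.year if isinstance(value, date) else None
        elif field in RETAINED_FIELDS:
            if isinstance(value, str):
                found = scan_free_text(value)
                if found:
                    raise ValueError(f"{field} still contains identifiers: {found}")
            out[field] = value
        # every other field is a direct identifier and is dropped
    return out


def limited_data_set(record):
    """Apply the 164.514(e) exception: as de_identify, but city, zip and full dates stay."""
    out = de_identify({k: v for k, v in record.items() if k not in DATE_FIELDS})
    for field, value in record.items():
        if field in DATE_FIELDS or field in LIMITED_SET_GEOGRAPHY:
            out[field] = value
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "county": "Example County",
    "state": "IL",
    "zip": "62701",
    "ssn": "000-00-0000",
    "phone": "555-000-0000",
    "email": "jane@example.invalid",
    "birth_date": date(1966, 3, 14),
    "admission_date": date(2011, 5, 2),
    "sex": "F",
    "smoker": False,
    "diagnosis": "hypertension",
    "notes": "Reviewed labs; no change to plan.",
}

if __name__ == "__main__":
    print("de-identified:", de_identify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

Running the module prints the same record released both ways; the only added release paths a practice would need are the Data Use Agreement check before a limited data set leaves the practice and the year-only age derivation shown in the checklist's "45-year-old non-smoker" example.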

Patient Rights to Request Restrictions of Their Protected Health Information HIPAA Regulation: 164.522

Patients have the right to request restrictions on how their PHI can be used by the practice or how a practice should communicate with a patient. However, practices may not be required to agree to the restrictions. The following section outlines key elements associated with the practice’s responsibilities regarding restriction requests.

Implementation Specification Guidance Assessment Y / N Comments

Patient requests for restrictions of use and disclosures 164.522(a)(1) Patients may request restrictions on the use of their personal health information. These restrictions must be followed if agreed upon by the provider. However, practices are not required to agree to such restrictions under certain circumstances. Applicable Forms: Request for Restriction of PHI; Response to Request for Restrictions of PHI

Patients may not make requests to restrict uses and disclosures that are required by law or for workers’ compensation cases. If the provider, using professional judgment, feels a request is not in the best interest of the patient, the practice is not required to comply with the request. All requests for restrictions of use and disclosure should be documented and approved by the practice.

All requests by patients for restrictions related to their protected health information are done in writing and signed by the patient.

Denied requests by the practice are made in writing and provided to the patient. The practice retains a copy on file.

Beginning in February 2010, patients may request PHI be withheld from insurance companies if it is related to payment and healthcare operations. The practice must comply with the request as long as the patient has paid for the complete service out-of-pocket and no payment is being made by the insurance company. Note: A patient may no longer request PHI be withheld from an insurer if it is related to treatment purposes.

Handling of patient requests for restrictions is in accordance with the updated HIPAA standards as of Feb 2010.

Terminating a request for restrictions 164.522(a)(2)

A practice may terminate its agreement to restrict the use and disclosure of patient information under any of the following conditions:

The patient agrees to the termination in writing

The patient agrees to the termination verbally (the oral agreement must be documented).

The practice notifies the patient it is terminating the agreement. In this case, the termination is only effective with respect to PHI received after the patient has been informed.

Termination agreements are documented and kept on file.


Confidential communications 164.522(b)(1) A practice must permit and accommodate reasonable requests by individuals to receive communications of PHI from the provider by alternative means or at alternative locations. Applicable Forms: Request for Confidential Communication; Response to Requests for Confidential Communication

Patients have the right to request that a provider’s communication with them is conducted in a specified and confidential manner. For example, this may include communicating with patients by phone at work instead of at home or communicating through email. Requests that are unreasonable or may result in added costs to the practice can be denied. The practice is not allowed to inquire as to the reason for the request by the patient. All requests for confidential communication must be documented and approved by the practice.

All requests by patients for confidential communication are done in writing and signed by the patient.

Denied requests by the practice are made in writing and provided to the patient. The practice retains a copy on file.

Patients’ Rights to Access Protected Health Information HIPAA Regulation: 164.524

Implementation Specification Guidance Assessment Y / N Comments

Patient’s right of access 164.524(a) An individual has a right to access, inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set. Applicable Forms: Request to Copy or Inspect PHI

A designated record set consists of records maintained by the practice that include medical or billing information, information maintained by a health plan (e.g. enrollment, payment, claims, and case management files), and information used to make decisions about the patient. Note: Information that is maintained but not used to make decisions about the patient falls outside of the designated record set and is exempt from access. The practice is required to document individual requests for access to PHI, including the designated record sets involved and the title of the person responsible for receiving and processing the request.

The practice requires a patient to submit a written request to access patient information.

Timely access 164.524(2) When a patient requests in writing the opportunity to inspect or copy their PHI the practice must act upon the request in a timely manner.

The practice must act upon a request for access to a patient’s PHI within 30 days if the PHI is accessible on-site. If the PHI is not located on-site the practice has to respond within 60 days. If the practice cannot comply with the time frame, it may extend the time by 30 days by providing a written notice to the patient prior to the 30 or 60 day deadline.

All written requests for access to PHI are addressed within the prescribed time requirements under HIPAA Privacy Rules.

Patients have a right to inspect and/or obtain copies of the requested PHI. A summary of the PHI may be provided in lieu of the actual information as long as the patient has agreed in advance to receive a summary.

NA


Fees 164.524(4)

The practice may charge reasonable fees for the following:

Copying costs such as supplies and labor time

Postage (if the request is to be mailed)

Time required preparing an explanation or summary (only if a summary is being provided in lieu of the actual information).

Note: States may impose legal maximums on the fees medical practices may charge. You should check with your State to ensure compliance.

Fees charged are appropriate under HIPAA Privacy Regulations and do not exceed State legislated maximums.

Denying Access 164.524(a), (d) The practice may deny an individual’s request to access their PHI. Applicable Forms: Response to Request to Inspect PHI; Review of Denial To Inspect PHI

164.524(a)(2) In some cases a denial falls under the category of what is known as “unreviewable” grounds for denial. In other words, the practice does not have to provide access to the information, and the patient does not have the right to a review of the decision to withhold the information. Information that can be withheld on unreviewable grounds includes the following:

Psychotherapy notes

Any information related to civil, criminal or administrative proceedings

Information subject to Clinical Laboratory Improvement Amendments

Information acquired under a promise of confidentiality

Access to information related to research that includes treatment may be temporarily suspended for as long as the research is in progress.

A correctional institution has restricted the request believing it would jeopardize the health or safety of the individual or other inmates.

The practice appropriately denies access to PHI that may be withheld on “unreviewable” grounds.

164.524(a)(4) A denial of access may also fall under “reviewable” grounds. In these cases, the practice may withhold information, but the patient may request a review of the decision. If the decision is reversed on review, the practice is required to provide access to the requested information. A practice is required to have a process in place for an independent review of decisions to withhold information. This review must be conducted by a licensed healthcare professional who was not involved in the original decision to withhold the information.

The practice has a formal policy in place for independent reviews of denials for requests to access patient information.

The practice promptly provides written notice to the individual regarding the determination of the review.


164.524(a)(3) Information that can be withheld on reviewable grounds includes the following:

Any PHI for which a licensed healthcare professional has determined that access may endanger the life or safety of the individual or another person.

Information that makes reference to another person (that is not a healthcare provider) and it is deemed that access may cause harm to the other person.

The practice does not provide access to requests for PHI under circumstances allowed by the HIPAA Privacy Rule.

154.524(d)(2) Any denials must be provided to the patient in writing and include a description of how the patient or individual may complain to the practice or to the Secretary of Health and Human Services. The document must include the name, title and contact information of the designated contact for the clinic to handle complaints.

Patients are informed in writing if access to any part of their medical record information has been withheld. The form includes the necessary contact information and explanation of how to submit a complaint.

Accounting for Disclosures HIPAA Regulation: 164.528

Patients have the right to request and receive an accounting of how their health information has been disclosed by the practice or by the practice’s business associates.


Provisions of Accounting 164.528(c)

If requested by a patient, a practice is required to provide an accounting of certain disclosures of PHI. The accounting does not need to include disclosures related to Treatment, Payment or Healthcare Operations (TPO). Note: Under 2009 health reform, a practice is now required to include ALL non-oral disclosures for treatment and payment in its accounting of disclosures. This applies only to practices utilizing electronic medical records and electronic data.

The practice must provide one free accounting per 12-month period. Beyond this, the practice may charge a reasonable fee for administrative effort.

The accounting must be provided within 60 days after receipt of the initial request.

The request may go back as far as 6 years from the date of the request.

The practice has an established policy regarding the accounting of disclosures. Patients are given access according to the established policy.


Content of the accounting 164.528(b)

The accounting provided to the patient must include the following information:

Date of the disclosure

The name and address of the entity to which the information was disclosed

A description of information shared

The purpose of the disclosure

The frequency of the disclosure

Date of the last disclosure during the accounting period

The report of PHI disclosures provided to a patient contains the information required by HIPAA Privacy standards.

Right to an Accounting 164.528(a) Applicable Forms: Report of PHI Disclosures

A practice is required to keep a recorded accounting of its disclosures of PHI. Some disclosures are not required to be logged / recorded. These include:

To carry out treatment, payment and health care operations as providers

Disclosures pursuant to an authorization

For reporting neglect or abuse

For national security purposes

PHI that is part of a limited data set for research

Disclosures that occurred prior to April 14, 2003

In addition, a practice may temporarily exclude logging a disclosure of PHI made to a health oversight agency or law enforcement agency as long as the entity has provided a written request to exclude the disclosure for a set period of time. Once the requested exclusion date has passed, the practice must record the disclosure.

The practice maintains a record of disclosures that are required by HIPAA Privacy standards.

Exceptions to reporting disclosures are clearly noted in the practice’s policies and procedures and are in compliance with the Privacy Rule standards.

Accidental disclosures may occur, such as faxing PHI to the wrong number. In these cases, the practice is required to log the disclosure and may need to notify the patient if the disclosure is potentially harmful to the patient.

Accidental disclosures of PHI that the practice is made aware of are documented in the disclosure log, including what actions were taken by the practice to mitigate the incident.

Documentation 164.528(d) Applicable Forms: Request for Accounting of Disclosure of PHI

The practice must document and retain a written accounting of disclosures provided to an individual along with the name and title of the employee who was responsible for receiving and processing the request for disclosure.

All requests for an accounting of disclosure are submitted in writing. The practice maintains these requests as required by HIPAA.
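The accounting rules described above (the exempt purposes, the six-year window, the temporary exclusion for oversight and law enforcement requests, the 2009 change for practices using electronic records, and the frequency and last-date fields of each entry) are collected into a small Python model below. This is an added example, not part of the checklist or any product; the purpose labels, field names and the sample log are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example (not from the checklist or any product): a small model of
# the 164.528 accounting rules the checklist lists. Field names, purpose labels
# and the sample log are this example's own choices.
COMPLIANCE_DATE = date(2003, 4, 14)  # earlier disclosures need no accounting
LOOKBACK_YEARS = 6
# Purposes the checklist lists as exempt from the accounting.
ALWAYS_EXEMPT = {"operations", "authorization", "abuse_or_neglect_report",
                 "national_security", "limited_data_set_research"}
# 2009 change: non-oral treatment/payment disclosures are reportable for EHR practices.
TPO_IF_ELECTRONIC = {"treatment", "payment"}

@dataclass
class Disclosure:
    disclosed_on: date
    recipient: str            # name and address of the receiving entity
    description: str          # what PHI was shared
    purpose: str
    oral: bool = False        # oral treatment/payment disclosures stay exempt
    excluded_until: Optional[date] = None  # oversight/law-enforcement written request

@dataclass
class AccountingEntry:
    recipient: str
    description: str
    purpose: str
    first_date: date
    last_date: date
    frequency: int = 1

def years_before(d: date, years: int) -> date:
    try:  # Feb 29 has no counterpart in most years; fall back to Feb 28
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def is_accountable(d: Disclosure, request_date: date, uses_ehr: bool) -> bool:
    """Decide whether one logged disclosure belongs in the accounting."""
    if not COMPLIANCE_DATE <= d.disclosed_on <= request_date:
        return False
    if d.disclosed_on < years_before(request_date, LOOKBACK_YEARS):
        return False  # older than the 6-year window
    if d.excluded_until is not None and request_date < d.excluded_until:
        return False  # temporary exclusion requested by the agency still in force
    if d.purpose in TPO_IF_ELECTRONIC:
        return uses_ehr and not d.oral
    return d.purpose not in ALWAYS_EXEMPT

def build_accounting(log, request_date: date, uses_ehr: bool):
    """Collapse repeated disclosures to one entry carrying frequency and last date."""
    entries = {}
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not is_accountable(d, request_date, uses_ehr):
            continue
        key = (d.recipient, d.description, d.purpose)
        if key in entries:
            entries[key].frequency += 1
            entries[key].last_date = d.disclosed_on
        else:
            entries[key] = AccountingEntry(*key, d.disclosed_on, d.disclosed_on)
    return list(entries.values())

def fee_may_apply(prior_requests, request_date: date) -> bool:
    """One free accounting per 12 months; later requests may carry a fee."""
    return any(years_before(request_date, 1) < p <= request_date for p in prior_requests)

# Constructed sample log; request received 2011-06-01 by a practice using an EHR.
REQUEST = date(2011, 6, 1)
SAMPLE_LOG = [
    Disclosure(date(2011, 3, 2), "County Health Dept, 1 Main St", "immunizations", "public_health"),
    Disclosure(date(2011, 4, 9), "County Health Dept, 1 Main St", "immunizations", "public_health"),
    Disclosure(date(2010, 1, 15), "Acme Insurance, 9 Elm Rd", "claim detail", "payment"),
    Disclosure(date(2010, 1, 16), "Dr. Lee's office", "test result", "treatment", oral=True),
    Disclosure(date(2004, 5, 1), "Old Lab Inc", "lab order", "public_health"),  # outside 6 years
    Disclosure(date(2003, 1, 1), "Pre-rule recipient", "chart copy", "public_health"),
    Disclosure(date(2011, 5, 20), "State Inspector General", "billing records",
               "health_oversight", excluded_until=date(2011, 12, 31)),
    Disclosure(date(2011, 2, 1), "Research registry", "limited data set", "limited_data_set_research"),
]
```

Run against the sample log, the EHR practice reports two entries (the health department twice, collapsed into one entry with a frequency of 2, and the payment disclosure), while a paper-based practice reports only the health department entry.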


Amendment of Protected Health Information HIPAA Regulation: 164.526

An individual has the right to request and have a practice amend their protected health information.


Timely action 164.526(b) Applicable Forms: Request to Amend Patient Records

A practice is required to act upon a request within 60 days. If the practice cannot complete the amendment within the 60 days, it must include a copy of the request in the patient’s designated record.

The practice has a policy allowing an individual to request an amendment to PHI. Requests are required in writing and are kept in the patient’s medical record.

Denying a request 164.526(b) Applicable Forms: Response to Request to Amend Patient Records

A practice may review and deny an individual's request for amendment if the information:

Was not created by the practice

Is not part of the records maintained by the practice

Is determined to be accurate and complete

All denials must be provided in writing to the patient and include the reason for the denial along with an explanation of the patient’s right to submit a written statement of disagreement. The patient may request that their letter of disagreement be included as part of the designated medical record.

Any denial of requests is provided in writing to the patient and a copy retained in the patient medical record.

When applicable, the practice includes the statement of disagreement in any disclosure of the PHI to which the disagreement relates.

Accepting a request 164.526(c) Applicable Forms: Response to Request to Amend Patient Records

If a practice accepts the requested amendment, in whole or in part, they must comply with the following requirements:

Make the appropriate amendment

Inform the individual that the amendment is accepted

Make reasonable efforts to inform and provide the amendment within a reasonable time to other entities or practices who received the PHI.

Approval of requests is provided in writing to the patient and a copy retained in the patient medical record.

Notice of an amendment 164.526(e)

If your practice is informed by another entity of an amendment to an individual's PHI, you must amend the protected health information in your designated record sets.

Amendment requests received by the practice have been properly corrected in the patient records. All applicable documentation is retained by the practice.


Administrative Requirements HIPAA Regulation: 164.530


Designation of a Security Official 164.530(a)(1) Applicable Forms: Privacy Officer Job Description

A practice must designate a privacy official who is responsible for the development and implementation of HIPAA policies and procedures. The privacy officer is responsible for overseeing all activities related to developing and implementing policies and procedures associated with HIPAA compliance for the practice and ensuring the practice stays current with any changes.

The practice has an assigned Privacy Officer.

Managing Complaints 164.530(a), (d), (g) Applicable Forms: Patient Complaint Form; Handling of Patient HIPAA Complaints

164.530 (a),(d) A practice must provide a process for individuals or patients to make complaints concerning HIPAA privacy issues. The practice is also required to have a designated contact person responsible for receiving and managing the complaints.

All complaints received must be documented along with their disposition, if any.

The practice has designated an individual for receiving and responding to patient complaints.

The practice has a formal process in place to receive and respond to patient complaints.

The practice maintains appropriate documentation of all patient complaints and actions taken by the clinic.

164.530(g) A practice may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who files a complaint. Tip: The practice may consider implementing an anonymous reporting system that can be used by employees or others to notify the practice of any HIPAA privacy issues or concerns. Such a system may include a drop box or contracted service for a compliance hotline.

The practice’s policies and procedures state clear guidelines assuring individuals that no retaliatory action will be taken for good-faith reports of noncompliance.

Employee Training 164.530(b)(1) A practice must train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate for the members of the workforce to carry out their functions within the practice. Applicable Forms: Employee Compliance Training Log

All employees are required to be trained on the provisions of the HIPAA Privacy Rule. Note: There is no current training standard required by HIPAA. Training may be conducted in a formal classroom setting, reading and signing materials, computer-based, distance learning or other methods deemed appropriate by the clinic.

Standard training and review of associated clinic policy and procedures on HIPAA privacy rules has been provided to all employees of the clinic.

164.530(b)(2)(A-C) All new employees are required to be trained on HIPAA shortly after employment begins.

Annual refresher training is conducted by the clinic as appropriate.


Employees whose job functions are affected by any material change to HIPAA regulations or changes to the clinic’s policies or procedures (associated with HIPAA) are required to receive updated training.

New employees receive HIPAA training shortly after being hired.

164.530(b)(2)(C) (ii) All HIPAA training is required to be documented by the practice.

The practice maintains a log documenting all employee training.

Disciplinary Policy 164.530(e) Applicable Forms: Employee Disciplinary Action; Employee Confidentiality Agreement

164.530(g) A practice must have a sanctions policy in place that applies appropriate disciplinary action against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity. The practice must document any sanctions that are applied to an employee.

The clinic has an established sanctions policy outlining disciplinary actions based on the severity of the HIPAA violation.

Any sanctions or actions imposed by the practice on an employee have been documented, signed and dated. A copy is maintained in the employee’s file.

All employees should receive, read and sign a confidentiality agreement indicating the employee’s responsibilities and expectations for maintaining patient privacy of PHI.

All employees of the clinic have signed a Nondisclosure / Confidentiality Agreement.

Mitigation of Inappropriate Disclosure 164.530(f) A practice is required by HIPAA to mitigate, to the extent practicable, any harmful effect that is known to the practice resulting from an inappropriate disclosure of PHI. Applicable Forms: HIPAA Incident & Resolution

If a violation occurs, practices are required to implement a corrective action plan that outlines the specifics of the violation, what the practice did to mitigate any damage/harm, any disciplinary action taken, and what action was taken to prevent any future incidents.

The practice maintains a corrective action plan.

Policy and Procedures 164.530(i)(1) A practice must implement policies and procedures to protect PHI in accordance with the HIPAA Privacy Rule standards.

The policies and procedures should be reasonably designed, taking into account the size and the type of activities of the practice to ensure compliance. The policies and procedures may be maintained in paper or electronic form.

The practice maintains a set of policy and procedures related to HIPAA Privacy.


Changes to policies and procedures 164.530(i)(2)(ii), (i)(3) Practices are required to change their policies and procedures as necessary and appropriate to comply with changes to HIPAA laws. The appointed privacy officer for the practice should be responsible for being aware of all HIPAA laws and staying abreast of any changes. If these changes materially affect the content of the Notice of Privacy Practices (NPP), the practice is required to make appropriate revisions to the NPP.

The practice regularly reviews its HIPAA privacy policy and procedures and updates them as necessary.

Documentation and Retention Requirements 164.530(j)(1) Practices must maintain all HIPAA related records, documents and communication.

A practice is required to document its policies, procedures, forms, training and any problems and resolutions related to HIPAA Privacy. The retention period required by HIPAA for all related documentation is six (6) years from the date of its creation or the date when it was last in effect, whichever is later. This requirement does not apply to medical record retention. State laws determine retention standards for medical records.

All HIPAA related records required to be maintained are retained by the practice for a minimum of 6 years.

Business Associates A practice may permit a business associate to create, receive, maintain, or transmit protected health information on the practice’s behalf only if the practice obtains satisfactory assurances that the business associate will appropriately safeguard the information. Applicable Forms: Business Associate Agreement; Business Associate Checklist. Note: Additional information regarding Business Associates can be found in the HIPAA Security Rules (164.308).

A business associate is any business or individual that is not part of the practice’s workforce and that provides a service for, or on behalf of, the practice where PHI is shared or may be accessed. For example, this may include billing companies, consultants, EMR vendors, clearinghouses, accountants, etc.

The practice maintains a list of all Business Associates.

A practice is required to have each business associate sign a written contract that allows them access to PHI. The contract must outline the obligations of the business associate regarding assurances for HIPAA compliance and termination provisions for the agreement. Business associate agreements are not required for the following:

Treatment or payment purposes

Research conducted by the practice, with the patient’s authorization or under an IRB (institutional review board)

Courier or mail services

Janitorial services provided to your practice

All Business Associates of the medical practice have signed a business associate agreement.


Practice Safeguards

The HIPAA Privacy Rule requires practices to ensure the safeguard of Protected Health Information (PHI). Practices are expected to make “good faith, reasonable and appropriate” effort to establish the necessary safeguards to comply with the Privacy Rule requirements. The following section outlines safeguards that a practice should have in place to help maintain compliance and ensure protection of patient information.


Patient Sign-In Sheets Sign-in sheets are permitted under HIPAA as long as they contain limited information about the patient and no identifying information other than the patient name.

Patient Sign-in sheets are limited to patient name, appointment time, and time of arrival.

Verifying Patient Identities 164.514 (h)

The practice is required to verify the identity of any patient requesting his/her own protected health information. Examples of information that can be used to identify a patient include, but are not limited to:

Date of birth

Zip code

Address

Mother’s maiden name

Last 4 digits of social security number

Driver’s license

Patients who call over the phone are required to provide 2 identifying pieces of information.

Phone Message and Appointment Reminders

Appointment reminders can still be mailed to patients, but any information should be limited to the patient’s name and date / time of the appointment. No other information should be used.

Appointment reminder cards contain only the patient name and date and time of an appointment.

The practice may leave phone messages with patients regarding test results, appointment reminders or to schedule an appointment. Information left on a phone message should be limited to the patient’s name, their doctor’s name and phone number and date / time of the appointment.

Phone messages left by the clinic are limited to the patient’s name, physician contact information and date/time for an appointment.

Patient Privacy A practice should take reasonable precautions to prevent inadvertent disclosure of PHI. These safeguards are not specifically mandatory, but should be considered when evaluating whether they are reasonable to implement.

Exam rooms or clinic doors are closed before engaging in any discussion of PHI.

Fax machines and telephone answering machines are placed in a secure area where patients cannot readily access them.

If possible, use cubicles or dividers to help promote confidentiality when registering or checking out patients.

When sending EOBs (explanation of benefits) to secondary carriers, any PHI that is not applicable to the claim is blacked out.


Photographs The use of photographs of patients is permitted by HIPAA as long as these are kept away from public view or appropriate patient authorization has been obtained. OB providers may hang new baby photos in a specific area, but must have written consent from the parents. Baby names should be removed from all pictures prior to displaying them for public view.

The practice maintains any pictures of patients in a secure file, not accessible to the public.

Faxes Applicable Forms: Fax and Email Disclaimer Statement; Fax Transmission Log

Faxes and emails are allowed to contain PHI for treatment, payment and healthcare operation (TPO) purposes. Practices are required to be able to account for where PHI has been faxed. In addition, fax cover sheets are required to have a privacy disclaimer on them.

Tip: Best practice is to use a fax confirmation sheet that is maintained in the patient record and shows the front page with the faxed-to information.

All faxes containing PHI have a privacy disclaimer on the cover sheet.

The practice maintains a fax log which is used to track / document faxes containing PHI.

Emails Applicable Forms: Fax and Email Disclaimer Statement

A confidentiality disclaimer is included at the bottom of all emails sent by the practice.

Electronic Transaction Code Set Rules

Under HIPAA, practices are required to use standard transactions and standard code sets for electronic transmission of patient health information. The following section highlights the requirements and compliance steps for your practice.


Standards for Electronic Data Interchange HIPAA adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. Under HIPAA, if a practice conducts one of the adopted transactions electronically, they must use the adopted standard. This means that they must adhere to the content and format requirements of each standard. Applicable Forms: Transaction and Code Set (TCS) Checklist

The following standards apply to EDI transactions:

X12N 837 (health claims or equivalent encounter information)

X12N 837 (Coordination of Benefits)

X12N 835 (Payment and Remittance Advice)

X12N 834 (Health Plan Enrollment and Disenrollment)

X12N 820 (Health Plan Premiums)

X12N 270/271 (Eligibility for Health Plan Inquiry / Response)

X12N 278 (Referral Certification and Authorization)

X12N 276/277 (Healthcare Claim Status Inquiry / Response)

In general, most practices depend on their software vendors and clearinghouses when it comes to compliance with these standards.

Software used by the practice manages electronic transactions using the HIPAA compliant format.


Diagnosis and Procedure Codes HIPAA also adopted specific code sets for diagnosis and procedures to be used in all transactions.

The following are the adopted code sets for procedures, diagnoses, and drugs which are to be used by all providers.

HCPCS (Ancillary Services/Procedures)

CPT-4 (Physicians’ Procedures)

CDT (Dental Terminology)

ICD-9 (Diagnosis and hospital inpatient Procedures)

ICD-10 (As of October 1, 2013)

NDC (National Drug Codes)

The practice conducts regular coding and documentation audits to ensure appropriate use of HIPAA diagnosis and code sets.

Upcoming Changes Recent health reform has resulted in several modifications to HIPAA as it relates to Electronic Transaction Standards. These changes adopt new transaction standards to be used for Medicaid pharmacy subrogation and also 2 new standards for billing retail pharmacy supplies and professional services.

Upcoming changes include:

Update ASC X12 Version to 5010 (Jan 2012)

Update NCPDP to Version D.0 (Jan 2012)

New standards for Medicaid subrogation for pharmacy claims, NCPDP Version 3.0, for small health plans beginning Jan 2013.

ICD-10-CM (October 2013)

N/A

National Provider Identifier HIPAA adopted standards for unique identifiers for Employers and Providers. The purpose of the National Provider Identifier (NPI) is to standardize the way of identifying the provider of services being rendered to patients. In general, practices need only be concerned with ensuring proper use of the standard identifier on insurance forms when required.


National Provider Identifier The NPI is a 10 digit number used as an identifier for all payers and all HIPAA transactions. Centers for Medicare and Medicaid are responsible for implementing and enforcing the use of NPIs. Information can be obtained from CMS on how to apply for an NPI.

There are 2 types of NPIs: one for individuals such as doctors and nurse practitioners; the other for healthcare organizations such as hospitals, labs and group practices. Any individual provider who is a sole proprietor must have both types of NPIs. Non-solo practices may need to obtain separate NPIs depending on whether they have subparts (such as satellite offices or a pharmacy).

An NPI may not be changed; however, associated information such as names, addresses and ownership may change.

When a new NPI is established all partners (e.g. health plans, vendors, and business associates) must be notified of the new NPI.

Each provider requiring an NPI has obtained one.

Information / documentation of the NPI has been retained and is readily available.

National Employer Identifier

The purpose of the National Employer Identifier is to standardize the way of identifying the employer of each patient. The identifier is the tax ID number (EIN) provided and maintained by the IRS. All business entities are required to utilize the National Employer Identifier.

The practice has obtained an appropriate EIN from the IRS.

Information / documentation of the EIN has been retained and is readily available.