10 Steps that Businesses Should Take to Comply with HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal regulation that governs how healthcare providers, insurers, law firms, assisting agencies, and other entities handle Protected Health Information (PHI). This article goes over the steps that businesses should take to comply with HIPAA.

HIPAA Compliance Steps

The steps you need to take vary depending on your business. Both the HIPAA Privacy Rule and the HIPAA Security Rule require specific actions and documents. From publishing a notice of privacy practices to ensuring that a security breach is reported and investigated, here is what you need to do:

1. Publication of a Notice of Privacy Practices

The notice must explain the uses and disclosures of PHI for treatment, payment and healthcare operations. It must also inform patients how their PHI can be amended and deleted. The notice should also specify how a patient may complain to the entity, state, or federal government if they feel the covered entity violated their privacy.

2. Implementation of a Security Plan

The security plan specifies which physical, technical, and administrative measures will protect PHI from unauthorized disclosure or destruction. The plan also specifies how PHI security incidents will be reported to the business, the recipient, and the affected parties.

3. Employee Training

The training must be provided regularly, in a language that the employees can understand. It should cover the HIPAA Privacy Rule, the Security Rule, and the organization's incident reporting procedures.

4. Privacy Notice for Health Plans

The notice must explain to patients what procedures are in place to protect information from unauthorized use or disclosure when it is transferred between covered entities or business associates.

5. Privacy Notice for Covered Entities

This document states that individuals have the right to inspect their medical records and to request amendments if they believe the information is inaccurate. The notice should state under what conditions a patient may be denied access to their records. It should also state how a patient may authorize the sharing of their medical records with third parties.

6. Privacy Officer

The privacy officer should be appointed or hired by the entity and should have the authority to enforce the Privacy Rules.

7. Security Breach

A breach must be reported within sixty days of its discovery. The covered entity must notify the individuals whose information was compromised, state whether there is a risk to their health, and state whether they need to change their medical care as a result of the breach.

8. Right to Request Restriction of Use and Disclosure

This step allows individuals to request that specific uses or disclosures of their PHI be restricted in certain circumstances, for example when an individual is involved in litigation or is being subjected to stalking or harassment.

9. Accounting of Disclosures

This rule requires covered entities to supply patients with an accounting of disclosures made to carry out treatment, payment, or healthcare operations.

10. Breach Notification

Individuals must be notified if their PHI has been breached, and the likelihood of harm must be assessed. Individuals must also be notified if certain safeguards fail and there is a risk that they may suffer harm as a result of the breach.


Reference Links:

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

https://clearwatercompliance.com/blog/10-actions-for-business-associates-to-build-a-strong-hipaa-compliance-and-cybersecurity-program/