Are you doing enough to protect your patients' privacy? Originally created in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed for this very purpose: to ensure the sensitive medical information of healthcare patients doesn't end up in the wrong hands. HIPAA's Privacy Rule dictates these requirements, including various administrative requirements that we're going to discuss in greater detail today.
Written Privacy Policies and Procedures
As part of HIPAA compliance, the Department of Health and Human Services (HHS) requires all doctors, hospitals, and other covered entities to develop written privacy policies and procedures that align with the Privacy Rule.
Designate a Privacy Officer
One of the most commonly overlooked administrative requirements of the HIPAA Privacy Rule is the designation of a Privacy Officer. This individual is responsible for both developing and implementing privacy policies and procedures. He or she also serves as a point of contact for privacy complaints and inquiries, should they arise.
Workforce Training and Management
The HHS requires all workers, volunteers and trainees to receive formal training on the covered entity's privacy policies and procedures. If a member of the workforce violates these privacy policies, the covered entity may apply “appropriate sanctions” against the offending member.
Mitigation
Covered entities are also required to mitigate the harmful effects of breaches involving the unauthorized disclosure of Protected Health Information (PHI). If you discover a security breach, for instance, you are required to take immediate action to stop the unauthorized access to PHI, as well as implement new safeguards to prevent future instances from occurring.
Safeguards for Data
What type of safeguards does your healthcare practice have in place to protect patient data? Part of the HIPAA Privacy Rule requires all covered entities to maintain reasonable and appropriate “administrative, technical and physical safeguards” to prevent the unauthorized access or use of PHI. While the HHS doesn't include specific safeguards in the Privacy Rule, it cites several examples of commonly used safeguards, such as shredding paper documents, securing medical records with a lock, encryption, etc.
Complaints
Hopefully it will never happen, but if you receive a complaint from a patient regarding his or her privacy, you must address it properly. Under the HIPAA Privacy Rule, covered entities must develop procedures that outline how patients can complain about the entity's privacy policies. This information must be explained in the notice of privacy practices, which all covered entities are also required to provide.