HIPAA Privacy & Security Compliance Module - KMC University

Transcription

HIPAA Privacy & Security Compliance Module

Implementation Instructions

This lesson will direct the doctor and team members in the steps necessary to begin the process of becoming compliant with HIPAA. The final outcomes upon completion of this lesson are:

Knowledge and application of guidance concerning the HIPAA Compliance Program for Individual and Small Group Physician Practices
HIPAA compliance concerning Business Associates
Development and implementation of a minimum necessary policy
Development and implementation of Privacy Plan & Procedures
Acquisition and development of necessary HIPAA-related forms
Developing Internal Privacy Audit policy and procedures
Process of training employees
Understanding the role of the HIPAA Privacy & Security Officer
Designating a Privacy & Security Officer in your practice
Clear understanding of HIPAA Privacy & Security terminology
Knowledge concerning the rules of HIPAA Privacy & Security
Completion of a Risk Analysis
Development of safeguards for workforce member access
Employee management regarding Security
Development of a customized contingency plan
Customization of emergency access procedures
Understanding of the necessary steps for Security breach incidents
Systems for ongoing monitoring of your HIPAA Security Program
Policy and SOP creation concerning HIPAA Security

DISCLOSURE: All forms, policies, and samples in this lesson are meant to be samples only, and any final drafts made by you or your office should be reviewed by your attorney for inclusiveness and accuracy.

HIPAA Privacy

Step 1: In order to have a better understanding of the project you're about to undertake, view the Topical Overview Training titled "Have You Been HIPAA-fied: HIPAA Overview and Updates." It's recommended that everyone in the office view this training, perhaps during a team meeting, so that everyone is aware of the scope of this project.

Step 2: Download the Support Tool (ST) titled "Privacy Officer Job Description" and customize it for your office. Include your business name and make any changes that you believe are needed. Read this form in its entirety to understand what will be expected of the Privacy Officer (PO) in your office. After selecting an individual to be the Privacy Officer of your practice, have this individual review the Privacy Officer Job Description in full. When the individual accepts the responsibilities of Privacy Officer, have them acknowledge their role by signing the Privacy Officer Job Description. Print and customize the Support Tool (ST) titled "Privacy Officer Certificate" to be presented to your Privacy Officer. It is appropriate to display this certificate in your PO's office or another prominent place in the office, distinguishing this individual as the person who handles all HIPAA Privacy concerns in your office.

Step 3: Watch the Rapid Tutorial (RT) titled "HIPAA Privacy Officer" with your chosen staff member to fully understand their duties and responsibilities as well as the process of implementing the HIPAA Privacy compliance program in your office. Download and review the Sample Policy titled "Privacy Officer." Based on what you've learned, customize this policy for your office and complete the implementation process to add it to your HIPAA manual.

Step 4: Read the Fact Sheet titled "Minimum Necessary" to fully understand the definition and expectations of this standard. Print the Quick Questionnaire titled "Minimum Necessary Standards Evaluation" and work through each step to help you determine what standards your office will use and document for developing your Minimum Necessary Policy as required by HIPAA.

Step 5: Using the information developed with the Quick Questionnaire in the step above, write out your Minimum Necessary Policy for your office.

Step 6: Download and review the Fact Sheet titled "Treatment, Payment, and Healthcare Operations (TPO)" to fully understand how HIPAA recognizes these functions in your office.

Step 7: Download and review the Fact Sheet titled "Incidental Uses and Disclosures" to understand what is considered incidental to your practice's function and what procedures and safeguards must be in place concerning these disclosures.

Step 8: Use the Quick Questionnaire titled "Incidental Uses and Disclosures Evaluation" to determine what circumstances in your office could or do create a disclosure of PHI. Work through the Quick Questionnaire to determine what policies and practices can be put in place to better protect PHI in these circumstances, if needed.

Step 9: Download and review the Fact Sheet titled "HIPAA Business Associates" to fully understand the requirements that HIPAA sets forth concerning those you do business with who have access to your patients' PHI.

Step 10: Print out the Support Tool titled "Business Associate Log" and fill in each column with the pertinent information requested. If you do not have, or are unsure whether you have, a BA Agreement with each one, leave that column blank. You'll have a chance to fill this in later.

Step 11: Print out the Support Tools titled "Business Associate Agreement Template" and "Sample Business Associate Letter" and review the general text for pertinence to your office. Customize these documents as needed. (It is strongly recommended that you have an attorney review all final documents, as HIPAA is a regulatory law in the business of healthcare.) Save a digital copy to access as you acquire new business associates.

Step 12: Using the list of associates in your Business Associate Log from the steps above, customize a Business Associate Agreement regarding PHI use for each individual Business Associate, as needed, and print a copy to be signed by each Business Associate. Mark your log as signed agreements are received. House this log in your HIPAA Compliance Manual to document your ongoing compliance with this procedure.

Step 13: Download and review the Fact Sheet titled "Worker's Compensation Disclosures-HIPAA" to fully understand HIPAA's role within this system.

Step 14: Download and review the Fact Sheet titled "Faxes, Emails and HIPAA Regulations" to learn what disclaimers must be on communications from your office. Immediately add the necessary disclaimers to all fax cover letters and email addresses sending business/healthcare communications from your office. Remember to include individual as well as general office fax cover letters and email addresses.

Step 15: You are required to have written HIPAA Policies and Procedures in place for a valid HIPAA Compliance Program in your office. KMC University has prepared a sample for you to work from if you do not have one in place. Download the Support Tool titled "Sample Privacy Policies and Procedures Template." Read through these policies and procedures in their entirety. Customize them to suit your office, adding procedures that are to be used in your office and removing those that are not applicable. Be sure that your customized HIPAA Privacy Plan Policies and Procedures are inclusive of all necessary rules and regulations that govern HIPAA.

Step 16: Download and review the Fact Sheet (FS) titled "Notice of Privacy Practices for PHI." There are very specific rules that govern the creation and distribution of your NPP.

Step 17: Download the Support Tool titled "Sample Notice of Privacy Practices Template" and read it in its entirety. Please note that all required elements of the Notice of Privacy Practices are in place and should not be removed (such as patients' rights and how to file a complaint), though they can be customized. Customize this notice to your office, including all information on how patient health information is used in your office. Remove any portion of this sample that does not apply to privacy practices in your office. Carefully review the optional paragraphs beginning on page four. If any apply to your office, include them. Delete the rest. Print and include a copy of the NPP in your HIPAA compliance notebook or save it digitally.

Step 18: HIPAA requires that you make a good faith effort to obtain a signed acknowledgement that your patient has received your NPP. Download the Support Tool titled "Sample NPP Acknowledgement." Personalize this for your office. Develop a plan to implement the NPP distribution to established patients, if never received, and to new patients as required. Include in your plan the procedure for acquiring signed acknowledgements from both established and new patients going forward.

Step 19: Download the additional HIPAA Support Tools titled "Request for Restrictions of Use," "PHI Use Authorization," "Request of PHI Disclosure," "PHI Disclosure Log," "Request to Amend Patient Record," "Request to Inspect/Copy Patient Information," and "Revocation of Authorization of Use." Customize each form with your office information. Have a master of each form available for copying in your HIPAA Compliance Notebook, or digitally, should the need arise for their use in accordance with your HIPAA Privacy Plan and Procedures or HIPAA requirements.

Step 20: Watch the Rapid Tutorial titled "How to Conduct an Internal Privacy Audit" to better understand why these internal audits are of such high importance as well as how to conduct them for optimal results. Be sure to have pen and paper or a digital note-taking tool available.

Step 21: Download and print the Support Tool titled "HIPAA Privacy Program Audit" and work through the process of conducting a self-audit of the completeness of your HIPAA Privacy Program.

Step 22: Download the Support Tools titled "Reasonable Safeguards Checklist Audit" and "Health Record Privacy Audit" and review the information on each form. Keep a master of each of these support tools in your HIPAA Privacy Manual for use when completing your periodic HIPAA Privacy Audits.

Step 23: Once you have completed creating and installing your HIPAA Privacy Program, you will need to create a policy on ongoing periodic audits of your HIPAA Privacy Program. Download the Sample Policy titled "Internal HIPAA Privacy Audits Sample Policy" and customize it for your office. House a copy of your Internal HIPAA Privacy Audit Policy in your HIPAA Privacy Manual, either digital or physical.

Step 24: Download the Support Tool titled "Employee Disciplinary Sanctions" and customize it with your office name. Determine, with the provider, what sanctions for disciplinary issues will be implemented in your office. You will notice there are sample sanctions already in place on this Support Tool. If your office sanctions differ, customize the sanctions portion of this form accordingly. Once a customized copy is completed, make a master copy for your HIPAA Manual.

Step 25: Download the Support Tool titled "Employee Disciplinary Action Form" and customize it for your office. Once customized, make a master copy for your HIPAA Manual. Use this form as needed when dealing with HIPAA-related disciplinary issues. Should an issue arise and this form be appropriately filled out and signed, it should be housed in the employee file.

Step 26: Download and review the Fact Sheet titled "Training Employees on HIPAA Privacy" to better understand your role in the training process. Next, download and customize the Support Tool titled "Employee Non-Disclosure Confidentiality Agreement" and have all employees sign and acknowledge it after HIPAA training has taken place. Download the Support Tool titled "HIPAA Training Attendance Log" to record the date of training and who was present.

Step 27: Using the Sample Policy titled "HIPAA Employee Training Policy," customize a written policy to include in your HIPAA manual (digital or physical) regarding Employee HIPAA Training in your office.

HIPAA Security

Step 1: Download the Support Tool titled "Security Officer Description" and customize it for your office. Include your business name and make any changes that you believe are needed. Read this support tool in its entirety to understand what will be expected of the Security Officer (SO) in your office. Using the responsibilities described in the Security Officer Description, determine who in your office will be assigned the role of Security Officer. After selecting an individual to be the Security Officer of your practice, have this individual review the Security Officer Description in full and sign it. Using the Sample Policy titled "Sample HIPAA Security Officer Policy," customize a written policy to include in your HIPAA manual (digital or physical) regarding the Security Officer in your office.

Step 2: Download and watch the Topical Overview Training titled "Implementing the Other HIPAA – Security Rules to Protect Your Office" for an overview of your HIPAA Security Compliance program implementation process. Download and print the Fact Sheet titled "HIPAA Security Introduction" to fully understand the purpose of your HIPAA Security Program and how it relates to your HIPAA Privacy program. It is important to understand the rules and how HIPAA Security is set up to be scaled to the size and needs of your specific chiropractic office.

Step 3: Watch the Rapid Tutorial titled "HIPAA Security – Risk Analysis" to fully understand the steps to conducting the required Risk Analysis to discover the threats to and vulnerabilities of the ePHI in your office.

Step 4: Download and print the Support Tool titled "HIPAA Risk Analysis and Risk Management" and read it in full to better understand the expectations for protection of ePHI.
The first step to conducting a risk analysis for the protection of your patients' ePHI is to determine what ePHI your office houses, and then perform a thorough risk analysis based on this information. Fill in this Support Tool to identify where ePHI is stored, received, maintained or transmitted and to complete the six steps of the risk analysis and management process for your HIPAA Security Program.

Step 5: Download and read the Fact Sheet titled "Workforce Security Standard" to understand the requirements for developing policies and procedures concerning workforce security.

Step 6: Download and print the Support Tool titled "Job Position Access Rights" and work through this document to determine each position your office has an employee or independent contractor hired to fill and the access levels for each of these positions. Download and print the Support Tool titled "Job Position Access Rights per Individual Position" and customize a form for EACH position that is applicable to your office.

Step 7: Download and complete the Support Tool titled "Workforce IT Access List" to begin assigning ePHI clearance to individuals working in or for your office.

Step 8: Download and print the Support Tool titled "Employment Termination Checklist" and customize it to the security accesses you make available in your office. Use this checklist upon the termination of any workforce member who has been granted any access to ePHI. Download and print the Sample Policy titled "Sample Termination Policy" and customize it for your office.

Step 9: Download and read the Fact Sheet titled "Contingency Plan Standard" to begin to understand the requirements of contingency planning for emergencies or natural disasters. For your contingency plan, you must have a list of all sources where ePHI may be maintained. Download and print the Support Tool titled "Equipment and Information Technology Inventory" and use this form to take a thorough inventory of all information systems in your office.

Step 10: Download and print the Sample Policy titled "Sample Contingency Plan." Use this sample to complete a Contingency Plan that works for your office environment.

Step 11: Download and print the Support Tool titled "Emergency Access Procedures" and customize this tool for your office. In the event of an emergency you may need to allow access to ePHI to an individual who doesn't normally have the authority to access this information. Should these situations occur, you need a written plan for the proper handling of emergency access. You further need to list anyone who may need to be contacted in the event of an emergency, including the business owner, IT specialist, etc.

Step 12: Download and print the Support Tools titled "Breach Notification Checklist" and "Breach Notification Sample Letter" to keep on hand in your office should a security breach occur. This checklist will walk you through the necessary steps concerning a breach of PHI in your office. Customize the Breach Notification Letter to your office, and house a copy of both forms in your HIPAA Security manual, either physical or digital.

Step 13: To ensure your security plans and procedures continue to adequately protect your ePHI, you must implement an ongoing monitoring and evaluation plan. Download the Support Tool titled "Monitoring Ongoing Security Process" and work through this tool to develop your evaluation plan.

Step 14: There may be several information systems that provide logs and reports concerning HIPAA security incidents, access, and audits in your office. Download and print the Quick Questionnaire titled "Information Systems Activity Review" and fill in the table with the appropriate information from your office.

Step 15: Download and print the Support Tool titled "Sample HIPAA Security Policies and Procedures Checklist." Pulling together all the information you've learned with all the customized standards you've created for your office while working through the steps above, customize your HIPAA Security Policies and Procedures, including both your policy and your procedures for each area of focus.

Step 16: Ensuring all new and existing employees are trained in HIPAA Security is critical to an active and viable HIPAA program. Make sure all employees are aware of the policies and procedures, access rights and sanctions concerning HIPAA Security, and have each sign a training log confirming that they have received this instruction.
