HIPAA Compliance must be planned and executed by at least one leader.
There is much to oversee, including:
- Development and updating of policies and procedures for protecting information
- Protocol for receiving complaints and responding to breaches
- Periodic risk assessments, followed by security measures, to protect against breaches, both electronically and in physical locations
- Designation of staff members who can access Protected Health Information (PHI), based on work-related need
- Execution of Business Associate Agreements (BAAs) with outside providers with access to PHI via your organization
HIPAA rules distinguish between privacy and security, although the two are related. You need both a Privacy Official and a Security Official, although the same person may fill both roles, depending on the size of your organization.
A Privacy Official (or office) is in charge of developing and implementing privacy policies and procedures. This is also the contact person (or contact office) for receiving complaints, as well as for disseminating information on your organization’s privacy practices.
The Security Official (or office) is responsible for developing and implementing security policies and procedures for your organization. It is up to this person (or office) to analyze potential risks and figure out how to secure information to the greatest reasonable extent.
Tools and Resources for Step 2
The two overviews below, in downloadable form, can help Privacy and Security Officers understand their responsibilities.
This 7-page overview, issued in May 2015 and titled HIPAA Basics for Providers, includes:
- Examples of records to retain
- Breach notification timelines and resources
- An overview of who must comply with HIPAA rules
The 62-page Guide to Privacy and Security of Electronic Information, issued by HHS in April 2015, includes sections on:
- Understanding patients’ health information rights
- Breach notification, HIPAA enforcement, and civil and criminal penalties
- A chart with examples of potential information security risks with different types of EHR hosts
- A list titled “Low-Cost, Highly Effective Safeguards”
- A table of example risks and how they might be mitigated
- Links to games and videos for training the workforce
- Tools for achieving Meaningful Use