Some say trouble comes in threes. The day the fire alarm went off was the same day a new receptionist started and the internet went down. It was also Michelle’s first day on the job as the HIPAA compliance manager. What else could go wrong?
Compliance is a process and it takes time. Review the basics, set priorities, and if your workday becomes chaotic your Risk Management plan will get you through.
Here are some real world HIPAA questions from healthcare professionals and compliance managers like you, with practical answers from us. If you have a question not answered here, let us know.
HIPAA Compliance Program Basics
Question: When I began working as a HIPAA compliance manager at our medical practice in January, I inherited policies and procedures of the person who handled it for years before. What should be my top priority to make sure we are current and doing what’s required?
Answer: There are two top priorities, and they are equally important for covered entities and business associates alike: policies and a Risk Analysis. Whether you are a health care provider, a health plan, or a vendor under a business associate agreement with a covered entity, make sure you have up-to-date policies that meet the requirements of the HIPAA Privacy, Security and Breach Notification Rules. Then find out when the last Risk Analysis was completed and what it covered; it should account for all of the electronic PHI your organization creates, receives, maintains or transmits, including data held by your business associates. Refresh the existing analysis or start a new one. HIPAA does not set a fixed interval, but the analysis must be kept current, so plan on reviewing it at least once a year and whenever something significant changes, such as a new EHR system, a new vendor, or a security incident.
Question: Where can I find a Risk Management plan that fits our practice?
Answer: You cannot buy or borrow a cookie-cutter Risk Management plan. Your Risk Management plan is unique to your organization and is built on your own Risk Analysis. The Risk Analysis uncovers your gaps and risks; the Risk Management plan addresses those specific issues. For each risk, record the control you chose, who owns it, and a target date, and update the plan as items are completed or new risks appear. Work on Risk Management year-round.
Question: I have heard that HIPAA requires us to name both a Privacy Official and a Security Official to manage compliance. Does that need to be two separate people, or could one person serve in both roles?
Answer: One person may serve in both roles. The responsibilities differ, so whoever holds the role should understand what is required and be prepared to meet it. The Privacy Official is required by the HIPAA Privacy Rule, has the broader remit, and in most organizations also handles the Breach Notification Rule. The Security Official is required by the HIPAA Security Rule and is responsible for developing and implementing the policies and procedures that protect electronic protected health information (ePHI); the role is often taken on by an IT staff member, but it needs enough authority to get security measures adopted, not just technical skill. If resources and staffing allow, have at least two people responsible for HIPAA. A team approach strengthens compliance.
Question: What kind of HIPAA training should we provide to staff? Does everyone need training, or only those staff who see patients or handle medical records?
Answer: Every member of the workforce must receive HIPAA training. The Privacy Rule scopes the content to what each person needs to carry out their job, so the material for a front-desk receptionist, a billing clerk, and a clinician will differ, but no one is exempt. The Security Rule separately requires a security awareness and training program for all workforce members, including management. Cybersecurity threats are ever present at work and at home, so everyone should receive cybersecurity awareness training that teaches them to recognize and report phishing attempts.
The requirement to provide training applies to all workforce members, whether they are employees (who have a W-2 form), independent contractors (who receive a 1099 form), volunteers, or interns. Train new workforce members within a reasonable time after they start, retrain when your policies and procedures change, and document who was trained, on what, and when.
Social Media and HIPAA
Question: Many of our new patients come through referrals from existing patients who post on social media. Since they are publicizing their own treatment, haven’t they given up their HIPAA privacy rights? May we use their testimonial on our website?
Answer: No and no. A person who discloses their own health information has not waived their HIPAA rights. Patients are not required to follow HIPAA, but their providers are. Providers may not disclose any protected health information (PHI), including names, on their websites or social media without a valid written HIPAA authorization from the patient obtained in advance; a testimonial is marketing, so the authorization must cover that use. Be careful even in replying to a patient's public post: confirming that someone is your patient, or referring to their treatment in a thank-you or a response to a review, is itself a disclosure of PHI.
Breach Notification Requirements
Question: We sent a mailing containing personal medical information to all of our patients in our database. Unfortunately, 86 (out of 720) letters were sent to the wrong (out of date) address. Is this a reportable HIPAA breach? What do we do next?
Answer: Treat it as a presumed breach until a documented risk assessment says otherwise. Under the Breach Notification Rule, an impermissible disclosure of unsecured PHI is presumed to be a reportable breach unless a risk assessment shows a low probability that the PHI was compromised. Assess four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and how sensitive the medical content is; (2) who received it; (3) whether the PHI was actually acquired or viewed (letters returned unopened by the post office are in a different position from letters delivered to a stranger who opened them); and (4) how far you have mitigated the risk, for example by retrieving the letters. Document the assessment and its conclusion. If you conclude it is a reportable breach, notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery. Because fewer than 500 individuals are affected, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered; a breach affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified. Fix the root cause as well, by reconciling the address data before the next mailing. For more see The ABCs of Breach Notification. Some states have their own breach reporting laws, which may set different thresholds and deadlines, so follow your state's requirements too.
Improvement Not Perfection
Every organization, large and small, has room for improvement. Review and refresh your Risk Analysis and make sure you’re following a Risk Management plan to track your improvements. The best compliance program is one you work on every day, year-round to stay aware of your responsibilities and do more as time and resources permit. If you have questions, write us at The HIPAA E-Tool®.