Are You HIPAA Healthy?

Have you updated your Business Associate agreements?

The deadline for updating Business Associate Agreements (BAA) was October 23, 2013.  BAAs must now contain specific language regarding the duties of subcontractors, as well as other specific requirements.  If your BAA does not contain this specific language, we can review your BAA and assist you with ensuring that your BAA is compliant with all requirements.

Have you revised your Notice of Privacy Practices?

Notice of Privacy Practices must now reflect the patient’s ability to limit a covered entity’s communications regarding fundraising.  Notices must also inform patients of their rights to inspect and copy records or to obtain electronic copies of medical records.  If your Notice does not contain all of these requirements, we can review and update your Notice for compliance.  

Have you changed your billing protocols for patients paying in full?

New regulations require that patients be afforded the right to ensure that their health insurance carrier is not provided any information about care and treatment that is paid in full by patients.  As such, covered entities must ensure that their billing protocols allow for separate bills for this type of care.  We can review your billing protocols to assist you with compliance with this part of the regulations.  

Are you familiar with the “minimum necessary” requirement?

The HIPAA Privacy Rule requires covered entities to take reasonable steps to limit the use and disclosure of protected health information to the minimum necessary to accomplish the intended purpose.  Covered entities are required to develop and implement policies and procedures regarding this standard.  If you do not have policies or procedures regarding the minimum necessary standard, we can prepare those so that they reflect your business practices and workforce.  

Have you changed the way you investigate potential breaches?

The impermissible acquisition, access, use, or disclosure of protected health information is now presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised.  How does a covered entity make that determination?  We can help you set up policies and procedures to perform this necessary probability analysis.

Have you conducted staff training within the last 12 months?

HIPAA now requires staff training, for your entire workforce, at least annually.  A system of sanctions for employees who violate a covered entity’s policies or the requirements of the Privacy Rule is also required.  We can help train your staff and implement policies and procedures regarding protected health information that is designed to comply with all of the changes to the Privacy Rule.  We can also help you implement appropriate administrative, technical, and physical safeguards to protect your patients’ protected health information.  

By offering document review, system and procedure analysis, policy drafting and updating, as well as staff training on evolving HIPAA regulations, WLJ’s dedicated team help covered entities and business associates comply with the Health Insurance Portability and Accountability Act of 1996 and its amendments.

As a Certified HIPAA Professional and Certified HIPAA Security Compliance Specialist, Hayden W. Shurgar offers on-site training as well as policy and procedure review to help manage risk.