Onboarding Practice Managers Toolkit

HIPAA

Training your workforce on HIPAA privacy policies

Health care providers are required to comply with the Privacy Rule. Providers may create their own privacy procedures, tailored to fit their size and needs. The privacy official at a small physician practice may be the office manager, who will additionally have many other duties in the scope of his/her position; whereas the privacy official at a large organization may be a full-time position, focused solely on privacy issues. The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas an organization may provide training through live instruction, video presentations, or interactive software programs. In addition, the policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Training must be delivered in a way that employees actually understand the privacy issues and are able to comply with the requirements. Provide training upon hire, whenever the HIPAA Rules or the practice's own policies change, and ideally on an annual basis. All staff who may have access to PHI, whether directly or indirectly, should be trained. Staff training and the development of written policies and procedures are intended to prevent the unintended release of PHI.

Final HIPAA Omnibus Rule (2013)

Under the HIPAA Privacy Rule, as amended by the 2013 Omnibus Final Rule, medical offices are required to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form.1 This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI. The same safeguards apply when PHI is disposed of. Patients should be afforded privacy in registration, examination, treatment, and discharge areas.

HIPAA does not require hospitals and doctors' offices to be retrofitted with private rooms and soundproof walls to avoid any possibility that a conversation is overheard. According to guidance from the HHS Office for Civil Rights (OCR), the office that enforces the HIPAA Rules:

“The Privacy Rule does not require that all risk of protected health information disclosure be eliminated. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the potential effects on patient care, and any administrative or financial burden to be incurred from implementing particular safeguards.”2

To view answers to frequently asked questions about the HIPAA laws, visit the U.S. Department of Health and Human Services' website at: http://www.hhs.gov/ocr/privacy/hipaa/faq.

OCR offers three educational programs for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Each program is available with free continuing medical education (CME) credit for physicians and continuing education (CE) credit for other health care professionals. They are available at www.medscape.org:

  • Patient Privacy: A Guide for Providers
  • HIPAA and You: Building a Culture of Compliance
  • Examining Compliance with the HIPAA Privacy Rule

Notice of Privacy Practices (NPP)

Every patient must be provided with a copy of the provider's Notice of Privacy Practices (NPP). The NPP must explain how protected health information is used and disclosed for treatment, payment, and health care operations, including examples of each.

The NPP should also explain how PHI may be disclosed without the patient's knowledge or authorization for purposes other than treatment, payment, or health care operations, such as meeting the public health reporting obligations imposed on providers or responding to a court order.

The NPP must be posted in a clear and prominent location, with copies available for individuals to take without having to ask. It is not acceptable to require an individual to request a full copy of the NPP from the receptionist.


Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.