Office Guidelines for Complying with HIPAA

As covered entities under HIPAA, medical offices are subject to the HIPAA Privacy Rule and the HIPAA Security Rule.  Below are five office guidelines for complying with HIPAA.

What Are Five Office Guidelines for Complying with HIPAA?

1. Office Guidelines for Complying with HIPAA #1: Provide HIPAA training to employees
2. Office Guidelines for Complying with HIPAA #2: Conduct the annual HIPAA Security Rule Security Risk Assessment
3. Office Guidelines for Complying with HIPAA #3: Follow Privacy Rule and Security Rule best practices
4. Office Guidelines for Complying with HIPAA #4: Develop and Post your Notice of Privacy Practices
5. Office Guidelines for Complying with HIPAA #5: Develop and implement written policies and procedures

What Measures Does Each Guideline Consist of?

Guideline #1: Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. 

The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). Under this provision, a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information (PHI). Under the rule, training must be provided to each new workforce member within a reasonable period of time after the person joins the workforce. Workforce members must also be trained if their functions are affected by a material change in a medical office’s HIPAA Privacy Rule policies and procedures.

The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). The Security Rule requires covered entities to implement a security awareness and training program for all workforce members. 

Guideline #2: Covered entity medical offices must conduct an annual Security Rule Security Risk Assessment. 

The HIPAA Security Rule mandates that healthcare providers have adequate safeguards in place to protect PHI. Healthcare organizations are required to assess their physical, administrative, and technical safeguards annually to ensure that they are properly handling electronic protected health information (ePHI). This is done through a security risk assessment. 

Conducting a security risk assessment identifies gaps in security practices; medical offices must create remediation plans determining how they plan, or are already working, to close those identified gaps.

Guideline #3: Following Privacy Rule and Security Rule best practices consists of a medical office taking a variety of proactive steps to ensure patient privacy.

These steps include (among others) calling patients by first name only when directing them to treatment rooms; providing a private space for patient consultation to prevent the risk of strangers overhearing treatment-related conversations; and leaving documents or files containing information attended and secured. If your medical office’s workforce includes employees who access ePHI, you should take measures to ensure no unauthorized person can see data on employee screens and devices.

Guideline #4: Covered entities must develop and post Notices of Privacy Practices. Notices must be provided to patients in plain language. 

A provider must post the notice in a clear and easy-to-find location where patients are able to see it.

Any covered entity that maintains a website providing information about its customer services or benefits must prominently post and make the notice available on the website.  

Guideline #5: Medical offices should develop written policies and procedures for all workforce members. 

These policies and procedures may be created online, and should include relevant forms, notices, disclosures, and step-by-step procedures, to protect patient privacy. The existence, and following, of written policies and procedures, helps to ensure overall HIPAA compliance.