Chiropractic HIPAA Manual

As a HIPAA covered entity (CE), chiropractors are required to comply with the standards set forth by HIPAA. In the past, it was common to use a HIPAA manual to implement a HIPAA chiropractic compliance program. However, a chiropractic HIPAA manual is no longer considered an effective way to address your HIPAA compliance.

How to Become HIPAA Compliant Without a Chiropractic HIPAA Manual

Your HIPAA chiropractic compliance program should be customized to the way your chiropractic practice operates. As such, instead of using a chiropractic HIPAA manual, you should develop a HIPAA compliance program with the following guidelines:

  • Self-audits: the Department of Health and Human Services (HHS) requires organizations working with protected health information (PHI) to complete self-audits annually to assess their safeguards securing PHI. HIPAA covered entities (CEs) are required to complete six annual audits, while HIPAA business associates (BAs) and managed service providers (MSPs) are required to complete five.
  • Gap identification and remediation plans: an essential component of HIPAA compliance is identifying your gaps and addressing those gaps with remediation plans. Once you have completed your self-audits in our HIPAA platform, gaps are automatically identified. Then our Compliance Coaches create remediation plans for you to implement, allowing you to close your gaps.
  • Policies and procedures: policies and procedures dictate the proper uses and disclosures of PHI by staff members. They also describe what safeguards you have in place securing PHI.
    • Administrative safeguards: relate to your policies and procedures that dictate proper uses and disclosures of PHI. HIPAA requires covered entities to access only the minimum necessary PHI to perform their job functions. This prevents PHI from being accessed without cause, mitigating the risk of insider breaches. Administrative safeguards also include employee training. All employees that have access to PHI must be trained annually on HIPAA standards as well as your practice’s policies and procedures.
    • Physical safeguards: relate to the security surrounding your office. Areas containing PHI must not be accessible to unauthorized individuals. As such, paper files containing PHI should be stored in locked cabinets or rooms. In addition, it is recommended that you install an alarm system or security cameras to prevent unauthorized access to your office.
    • Technical safeguards: relate to the security measures that secure your technology (i.e., desktop computers, laptops, and mobile devices). Devices should be password protected, with automatic logoff set up so that a device left unattended locks, preventing unauthorized access. However, even with automatic logoff in place, employees should still lock their computers when leaving them unattended. In addition, it is important to have access controls in place. Access controls designate different levels of access to PHI based on an employee’s job role, ensuring that the minimum necessary standard is upheld. Devices should also be secured with encryption, firewalls, and data backup.

Policies and procedures also identify your Privacy Officer, Security Officer, and Compliance Officer. Within your policies and procedures should be a section discussing how to report a suspected breach, and who to report a breach to.

  • Employee training: also required to be completed annually, employees must be trained on HIPAA standards, as well as your organization’s policies and procedures. Employee training educates staff members on HIPAA requirements, the proper uses and disclosures of PHI, how to recognize a possible breach, who breaches should be reported to, and how social media is permitted to be used.
  • Business associate management: to be HIPAA compliant, organizations must vet their vendors to ensure that they are adequately protecting the PHI that they create, maintain, store, or transmit on the organization’s behalf. Once vendors have been vetted, the next step is to send them business associate agreements (BAAs). A BAA is a legal document that dictates the safeguards the business associate must have in place. It also limits the liability for both signing parties in the event of a breach as it states that each party is responsible for maintaining their own compliance. Lastly, a BAA determines which party is responsible for reporting a breach, should one occur.
  • Incident management: organizations that experience a healthcare breach, whether it is internal or external, are required to report the incident. Employees must have the ability to report suspected breaches anonymously.

Need Assistance with HIPAA Chiropractic Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our software will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.
