Private Practice HIPAA Compliance

What Your Practice Needs to Know

Figuring out what your private practice needs for HIPAA compliance can be a difficult task, because HIPAA applies to healthcare organizations of every size, small and large. So how do you know what is right for your practice? Read on to find out what private practice HIPAA compliance involves and what your organization can implement now.

What is Required for Private Practice HIPAA Compliance?


HIPAA requires the same basic things from healthcare organizations, regardless of their size. 

  1. Annual self-audits
  2. Remediation plans
  3. HIPAA policies and procedures
  4. Employee HIPAA training
  5. Business associate agreements
  6. Incident management

The differences come down to the details. For instance, you must ensure that you are adequately securing patient information, but the measures you take to do so may differ from those of another organization. A security protection that is appropriate for a large hospital is not necessarily appropriate for a private practice. This is why it is important to partner with an experienced HIPAA solution provider. Compliancy Group provides clients with the guidance they need to implement an effective HIPAA compliance program that is appropriate for their specific needs.


What is Protected Health Information?

A key component of understanding HIPAA is understanding what protected health information (PHI) is. This is because much of the regulation revolves around how you handle PHI, how PHI is protected, and what to do if PHI is compromised in a breach.

The Department of Health and Human Services (HHS), which is responsible for HIPAA rulemaking, defines PHI as any individually identifiable health information that relates to the past, present, or future provision of healthcare.

Health information becomes individually identifiable, and therefore PHI, when it contains any of these 18 identifiers:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

Are You Properly Using and Disclosing PHI?

HIPAA has strict requirements for the use and disclosure of PHI. The HIPAA minimum necessary standard states that PHI can only be used and disclosed for a specific purpose. As such, PHI access must be limited to only those employees who need it. For instance, a receptionist should not have the same level of access to PHI as a doctor. Receptionists need minimal information such as patient names, contact information, and insurance information, but they do not need access to the patient’s treatment history.

To comply with this standard, it is important to have access controls that limit access to PHI based on an employee’s job role, and audit logs that track access to PHI.
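The receptionist-versus-doctor rule above can be enforced at the field level, with every lookup (including refused ones) written to an audit log. This is an added illustration, not Compliancy Group's or any EHR vendor's code; the role names, field names, and the sample patient record are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-field policy: which PHI fields each job role may see.
ROLE_FIELDS = {
    "receptionist": {"name", "phone", "email", "insurance_id"},
    "biller": {"name", "insurance_id", "account_number"},
    "doctor": {"name", "phone", "email", "insurance_id",
               "diagnoses", "treatment_history", "medications"},
}

@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    patient_id: str
    fields_returned: tuple   # what the caller actually received
    fields_denied: tuple     # what existed in the record but was withheld

@dataclass
class PhiStore:
    records: dict                     # patient_id -> full record
    audit_log: list = field(default_factory=list)

    def read(self, user, role, patient_id):
        """Return only the fields allowed for `role`; every attempt is logged,
        including denied ones, so the log can be reviewed later."""
        record = self.records[patient_id]
        allowed = ROLE_FIELDS.get(role, set())
        visible = {k: v for k, v in record.items() if k in allowed}
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            fields_returned=tuple(sorted(visible)),
            fields_denied=tuple(sorted(set(record) - allowed))))
        if role not in ROLE_FIELDS:
            raise PermissionError(f"role {role!r} has no PHI access")
        return visible

# Constructed sample patient record (no real data).
SAMPLE = {"p-1001": {
    "name": "Jane Example", "phone": "555-0100", "email": "jane@example.com",
    "insurance_id": "INS-42", "account_number": "ACC-7",
    "diagnoses": ["(sample)"], "treatment_history": ["(sample)"],
    "medications": ["(sample)"]}}

def denied_attempts(store):
    """Audit-review helper: entries where nothing at all was released."""
    return [e for e in store.audit_log if not e.fields_returned]
```

Reviewing `audit_log` periodically (who read which fields for which patient, and which requests were refused) is what turns the access control into evidence for an annual self-audit.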

Are You Adequately Securing PHI?

The HIPAA Security Rule requires that the confidentiality, integrity, and availability of PHI is maintained. To do so, your organization must implement safeguards. There are different ways of doing so depending on how and where PHI is stored.

  • Physical Safeguards. These are the safeguards that are in place to secure your physical office space, as well as any paper patient records. This may include installing locks, alarm systems, and video surveillance.
  • Administrative Safeguards. These are your HIPAA policies and procedures. This should include how you use and disclose PHI, how PHI is secured, and how to report a PHI breach.
  • Technical Safeguards. These are the safeguards that are in place to secure your electronic PHI. This may include installing antivirus software and firewalls, and encrypting your devices.

Are Your Business Associates Securing the PHI You Share with Them?

Even as a private practice, you will have business associates. What are business associates? These are the organizations you contract to perform a service for you, which gives them the potential to access PHI. They may include your EHR vendor, billing software, appointment scheduling providers, answering services, email providers, and many more.


An essential part of HIPAA compliance is ensuring that your business associates are keeping the PHI you share with them secure. This can be accomplished by sending them a vendor questionnaire, which is essentially a list of yes/no questions assessing their safeguards. You must also have signed business associate agreements (BAAs) with all of your business associates. A BAA is a legal document that limits your liability: it requires each signing party to be HIPAA compliant and to be responsible for maintaining their own compliance.

Are You Providing Patients with Timely Access to Their PHI?

This last one is very important. The HHS’ Office for Civil Rights (OCR) has come down hard on practices that fail to comply with the Right of Access standard, issuing fines to several organizations of late. The HIPAA Right of Access requires healthcare organizations to provide patients access to their records upon request. This request must be met within 30 days, and the files must be supplied in the format requested by the patient (e.g., printed records, CD, USB).
