HIPAA 101: Ten Steps Toward HIPAA Compliance

Used by permission from Paula C. Sandoval, Aspen Behavioral Health

Editor’s Note: We’re all concerned about HIPAA compliance these days, and finding sources for clear, succinct information isn’t always easy. One such source, though, is the website at Aspen Behavioral Health. Paula Sandoval graciously gave us permission to share her ten steps toward compliance. We hope you find it helpful!

  1. Be committed to abiding by HIPAA regulations.
    Non-compliance may result in legal and financial consequences. The Department of Health and Human Services (HHS) has designated its Office for Civil Rights (OCR) to enforce the HIPAA regulations. See http://www.hhs.gov/ocr/hipaa/finalmaster.html.

  2. Become familiar with current information about HIPAA.
    For an excellent resource on understanding the HIPAA regulations and addressing common implementation issues, see the HIPAA Desk Reference at http://www.wedi.org/snip/public/articles/2002_0510_1.2.pdf.

  3. Get a complete list of policies and procedures.
    See Appendix VI: Policy Manual in the HIPAA Desk Reference at http://www.wedi.org/snip/public/articles/2002_0510_1.2.pdf.

  4. Start a notebook for your HIPAA policies, procedures and forms.
    The North Carolina Healthcare Information and Communication Alliance, Inc. (NCHICA) publishes a number of checklists covering the components of the Privacy Rule, the Security Rule and related documents. For this information go to http://www.nchica.org/HIPAA/sampledocuments.asp.

  5. File for compliance extensions as they become available.

  6. Put business associate agreements in place now.
    For every service you contract out that handles your records (e.g. billing, courier services, file storage, legal services, transcription and copy services, janitorial services), find out what the vendor is doing about HIPAA compliance. For information about business associate agreements between you and those entities, go to http://www.nchica.org/HIPAA/sampledocuments.asp. Click “Agree” on the HIPAA sample document disclaimer to reach the sample documents, then select ‘Business Associate Agreement (Contract)’ to download it as an MS Word document. Various other sample documents can be downloaded or copied from the same page.

  7. Review your consent forms for compliance with the HIPAA regulations.
    See the sample forms at http://hpc.state.nm.us/hipaaap/deskreference.pdf.

  8. Meet with the people in your organization who manage information, both technically and non-technically. Include as many people as you can, with different job functions and responsibilities, so that everyone sees it as a team effort. People are more likely to comply and to invest their time if they feel their ideas and active participation are needed to accomplish HIPAA compliance.

    Find local groups working on HIPAA compliance; they may already have developed tools to help you identify gaps and develop policies, procedures and practices. For an example of a local working group, see the New Mexico Coalition for Healthcare Information Leadership Initiatives (NM CHILI) at www.healthlinknm.org/nmchili.

  9. Do a privacy and security walk-through of your facility.
    For an example of a preliminary privacy and security audit, see WEDI – SNIP Appendix I: Model HIPAA Privacy and Security Audit for Small Practices, pp. 16-20 of the PDF at http://snip.wedi.org/public/articles/2002_0510_1.2.pdf. Try to identify every way an unauthorized individual might gain access to confidential health information, on paper or electronically (e.g. a client sign-in sheet visible to other clients, client access to staff-only areas). Review the list and describe how each non-compliant area will be addressed. For each gap, record the actions to be taken, the target completion date, the person responsible for completing the task(s), and the resources it will take to comply.

  10. Develop and implement a staff training plan.
    Plan how everyone in your organization will be trained on HIPAA and how you will document evidence of that training. Record the large and small things you have done to comply with the HIPAA regulations, and make HIPAA issues a regular item on your staff meeting agenda.

© 2002 CBay Systems