HIPAA Privacy – 6 Steps an Employer Must Take to Ensure Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was followed a few years after its enactment by the Privacy Rule, which contains stringent provisions for safeguarding patients' protected health information (PHI). To counter the growing threat to such sensitive data, HIPAA has since been amended considerably, and the rules have been given more teeth through monetary and even criminal penalties on covered entities that breach patient privacy. If you are an employer within a covered entity, you must take all possible measures to ensure compliance at all times. The six steps below will help you with HIPAA Privacy.

• Disclosure of PHI: The HIPAA Privacy Rule revolves around PHI, and you must give it due consideration too. The best approach is to follow the minimum-necessary principle, releasing only the bare minimum of information to the concerned parties, and only for the purposes of treatment and insurance payment. In addition, make sure you fully understand when disclosures can be made without authorization, for example to law enforcement or in the public interest.

• Importance of Authorization: Beyond the disclosures of PHI that HIPAA permits, you must safeguard the information at all times against any unauthorized or unnecessary access. Disclosure for any other purpose, or to any other person, even members of the patient's family, must be supported by a written authorization from the patient.

• Safety from Business Associates: Covered entities sometimes contract certain functions to business associates who are not covered entities themselves. As an employer you must require these associates to sign a suitable contract ensuring that all the security and privacy measures needed to safeguard the personal information shared with them are in place.

• Remove Identity Information: In certain circumstances a covered entity is permitted to disclose private information for the purpose of research or certain kinds of marketing. Before parting with such data, however, you must remove all information that would identify the particular patient, including name, social security number, address and contact numbers. You must also require the research or marketing personnel to take the measures needed to protect the information from unauthorized access.

• Distribute the Notice of Privacy Practices (NOPP): You must provide your patients with a copy of the NOPP, which explains how you manage their PHI, including the ways in which the information is protected. The notice must also describe the situations in which a disclosure can be made without the patient's permission. Furthermore, it must list the names and contact details of the personnel, within and outside the covered entity, whom the patient can approach on any matter.

• Policy and Training: Finally, you must have an in-house policy that is in line with the HIPAA laws, and you must provide adequate training to your employees so that both the laws and your own policies are well understood.

The points above will not only help your organization run more smoothly but also aid compliance with the HIPAA Privacy Rule by reducing the possibility of any breach.