APAC: A subsidiary of FPIC Insurance Group, Inc.
Committed to bringing exceptional education, service, and peace of mind
• Satisfy basic requirements.
• Create a HIPAA Reference Manual.
• Assign a Privacy Officer.
• Implement staff/employee training – document all sessions.
• Incorporate HIPAA training in new-hire orientation material and training.
• Develop a Privacy Policy – stress patient confidentiality to current and new employees – emphasize compliance in subsequent training sessions.
• Incorporate the Privacy Policy in the Employee Manual or Policy & Procedures Guidelines – outline expectations and the consequences of non-compliance.
• Obtain a signed Confidentiality Agreement from every workplace employee.
• Review routine practices pertaining to the physical handling and location of patient charts.
• Determine when, to whom, and for how long charts are taken out of the record filing area.
• Utilize sign-out procedures in order to track individual patient charts.
• Determine if charts are left in non-secure areas whereby unauthorized viewing is possible.
• Secure access from unauthorized individuals and initiate multi-peril physical safeguards.
• Develop and adhere to specific policies and procedures pertaining to disclosure/release of PHI. Document that all employees understand the policies and procedures.
• Ensure that all procedures comply with federal and state laws pertaining to PHI retention, access and release.
• Ensure security measures are in place to control access to computerized PHI – both internal and external. Utilize passwords.
• Confirm that no unencrypted, unsecured patient information is available over the Internet.
• Utilize employee/staff safeguards such as log-ins and passwords.
• Back up PHI computer files regularly. Document a disaster recovery plan outlining security measures.
• Determine the level of PHI access and extent of information each employee needs to have.
• Audit measures should be built into electronic systems to record user access, date, time and path, both to ensure compliance with privacy measures and to satisfy patients’ right to be furnished an accounting of all disclosures.
• Position PC screens away from public view.
• Keep charts out of view and limit access to only those who need it.
• Ensure that all telephone, fax, e-mail, and paper communication is HIPAA compliant.
• Maintain a Business Associate Agreement and Contract file.
• Consider adding indemnification or hold harmless language in business agreements or contracts to protect against privacy breach.
• Do not have arriving patients write the nature of the illness or complaint on the sign-in sheet if viewable by other patients or visitors.
• Assure that all conversations, including telephone calls, entailing protected health information are not audible to other patients or visitors.
• Do not allow telephone calls of a clinical nature about another patient to be taken when in the examining room or in the presence of others.
• Verify the validity of subpoenas and legal documents requesting protected health information.
• Shred or destroy medical records and protected health information to ensure confidentiality.
• Verify posting of the required Privacy Notice.
• Determine if multilingual notices, forms and documents are indicated.
• Confirm that accommodations required under the Americans with Disabilities Act (ADA) are in HIPAA compliance.
• Maintain a current HIPAA reference and resource file or manual.
• Confirm that all authorizations and forms utilized in the practice are updated or modified to comply with HIPAA requirements.
• Comply with state statutes that are more stringent than HIPAA privacy regulations.

Disclaimer
NOTE: APAC provides HIPAA guidance as a benefit to its policyholders for educational and informational purposes only. Any representations or written reports rendered in conjunction with this benefit should not be considered a certification of HIPAA compliance nor should it be interpreted as offering legal, financial, or other professional services. Policyholders that are developing policies and procedures to comply with HIPAA’s Privacy Rule should seek legal and/or professional assistance to be sure that an appropriate compliance plan is implemented for their particular practice.