Tech which makes Sense

This information is designed to help you better understand HIPAA and help your office become HIPAA compliant. The information was obtained from a variety of sources and is not intended to be legal advice. If you have difficulty understanding any part of the HIPAA regulations, you should consult your legal counsel.

First, there are no HIPAA police. No one will come to your office to inspect it to see if it is HIPAA compliant. A complaint must be filed before any action is taken.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It was enacted by the federal government in 1996 as part of a health care reform effort. HIPAA is intended to ensure the confidentiality of all patient-related health care information. It is also intended to simplify the administrative processes of health care, thereby reducing the costs and administrative burdens of health care.

One thing to remember is that HIPAA uses the word “reasonable” many times. You and your office staff must do everything reasonable to protect your patients’ privacy. For example, a small medical office does not have to take the same privacy measures as a large hospital; that would not be reasonable.

Also, there is no “privacy police”. No one is going to walk in and randomly inspect your office; someone must file a complaint first. Complaints are handled by the Office for Civil Rights, and every complaint filed will be investigated. The fines are very high, so you will want to make sure your office has good privacy practices and that they are followed at all times.

Another thing to keep in mind is that the type of practice can determine the level of privacy you need to provide. For example, patients in an optometrist’s office may not be as concerned about people knowing they are there as patients in a mental health office.

There are several different components of HIPAA, each with its own implementation date.

Section 2: The Privacy Component: Compliance Date: April 2003

1. You must do everything reasonable to protect the privacy of your patients.

2. Patient files and information should be kept in a secure section of your office, a section that other patients cannot access.

3. Charts should not be left lying open where someone can read them.

4. If you are making a phone call about a patient or to a patient, do so from an area where you will not be overheard while giving out personal information. For example, if you are calling an insurance company and are going to say the patient’s first and last name, date of birth, ID number, and/or a diagnosis, you do not want to do it where others, such as patients in the waiting room, can hear you.

5. If patient records are ever removed from the office, you must have a policy in place. For example, keep a checkout sheet that lists the patient’s name, the date the chart was taken and by whom, and log the chart back in when it is returned.

6. If records are removed, they must be kept in a container marked “confidential – medical records.” If you were ever involved in an accident, or separated from the bag for any reason, the marking tells authorities or medical personnel that the contents are confidential. At the very least, you would have done everything reasonable to protect that information.

7. If computer screens are in a position where patients can see them, you may want to move them or fit a privacy screen filter. A privacy filter makes the screen readable only when you are directly in front of it.

The above are just a few of the things you will need to consider when complying with HIPAA. Each office will have its own areas that need to be checked, but the above are the most common ones.

Section 3: Administrative Simplification (Transactions and Code Sets): Compliance Date: October 2002

This component requires the standardization of electronic data interchange (EDI) transactions and of procedure/diagnosis code sets.

Regarding the standardization of procedure/diagnosis codes, this means that you should use CPT-4 codes for procedures and ICD-9 codes for diagnoses.

As for EDI standardization, that refers to your electronic claims submission. To submit your claims electronically, you must submit them in the HIPAA-standard format (the ASC X12N 837 claim transaction), either directly or through a clearinghouse that converts them for you.

Section 4: Security Component – Implementation date not yet set

This component requires healthcare professionals, billing services, and clearinghouses to take appropriate security measures to ensure that health information pertaining to an individual remains secure and is not accessible to others.

Things to consider:

Where is your fax machine? Is it in a location where only office staff can access incoming faxes? Is it on 24 hours a day? When you are not in the office (after office hours), can someone else access your fax machine and the faxes waiting on it?

Whenever you fax personal information about a patient, you must use a fax cover sheet with a confidentiality statement. The statement must explain that the fax contains personal medical information and that, if it is received by someone other than the intended party, the recipient must destroy it and notify you that it was received in error.

Do you hire a cleaning person/team? Are they in the office when you are not? Do they have access to patients’ personal information? You may want to ask them to sign a confidentiality statement.

Do you rent office space? If yes, does your landlord have access to your office? Do they ever walk into your office without you being present? If they do, you can ask them to sign a confidentiality statement.

By asking people who have access to your office to sign a confidentiality statement, you are making a reasonable attempt to protect your patients’ privacy. It is not always reasonable to deny everyone access to areas that contain private information. If those people sign an agreement and then break it, you can show that you took reasonable steps to protect the information.

If you do any business by email, you will need to use an encryption service so that the messages are encrypted in transit. This ensures that if someone were to intercept your emails, they would not be able to read them.

Section 5: Privacy Officer

All offices must designate a “Privacy Officer.” This person is responsible for making sure that all staff are trained on HIPAA and that privacy policies are written and followed. This person is also the one that staff members or patients can go to with any concerns or questions about HIPAA compliance. Even if you have a very small practice, you MUST have someone designated as your privacy officer. It can even be the doctor.

Section 6: Release of Information/Patient Consent

You must have the patient’s written consent to release any of their records/information.

(Exception: if the request is due to immediate/urgent care of the patient).

You should review your current consent and authorization forms to ensure they are HIPAA compliant. HIPAA requires that you obtain consent for the use and disclosure of information from each of your patients. You may refuse to treat patients who do not sign the consent form.

Section 7: Unique Identifiers – no implementation date has yet been set

HIPAA will require the use of unique identifiers. More will follow on this component. You will most likely have a single national provider identifier, rather than a different provider number for each insurance company.

Section 8: HIPAA Required Policies and Procedures

1. Identify the people on your staff who require access to protected health information.

2. Prevent access to protected health information by unauthorized persons.

3. Ensure that only the “minimum necessary” amount of information is disclosed for routine disclosures (disclose only the information related to what is requested, not the entire patient record).

4. Verify the identity of the requestor of the information.

5. Provide patients with access to their records, the opportunity to request corrections, and an accounting of disclosures.

6. Each office must have written policies regarding privacy practices.


Assess your physical office for potential privacy and security risks. One of the best things you can do to be “ready” for HIPAA is to walk through your office (better yet, have someone else do it) as if you were a patient. Look at EVERYTHING. What do you see? Is any personal patient information in sight, such as charts lying out? Start at the front door and go through every room in your office, especially the rooms that patients have access to. Then continue to perform regular checks to ensure continued compliance.

Make sure you have written policies covering all of your privacy practices, such as removing records from the office, faxing patient information, handling patient complaints, and so on. Also, be sure to designate a “privacy officer.”

Make sure all staff members are trained on HIPAA policies. Remember to train all new employees on HIPAA policies. You should also review your current HIPAA policies regularly.
