Tips for ensuring you’re in compliance with HIPAA

These tips for complying with the Health Insurance Portability and Accountability Act (HIPAA) are offered by Veronica A. Marsich, JD, a shareholder with the law firm of Smith Haughey in East Lansing, MI:

Review your HIPAA authorization form to see that it contains a list of elements for a valid authorization, and allows for revocation. Is it a time specific/situation specific document? It must not condition treatment on the individual providing authorization. Be sure organization policy requires use of the HIPAA-approved form.

Check the content of your HIPAA notice. If a covered entity plans to engage in any of the following activities, specific descriptions must be provided in the notice: contact about appointment reminders or treatment alternatives, fundraising by the covered entity, or health plan disclosure of information to the plan sponsor. The notice also must contain, at a minimum, a list of the following obligations of the covered entity: obligation to protect individual privacy; obligation to abide by terms of the notice; and obligation to provide a revised notice before changing its privacy practices. You must post the notice and have copies available for individuals to take at all times.

Ensure that staff seek acknowledgment from patients. Covered entities are required to make a good-faith effort to obtain a written acknowledgment of receipt of the Notice of Privacy Practices at the first date of service. If the covered entity can’t get the acknowledgment, the staff should document why.

Scan your daily operations for HIPAA pitfalls. Look for physical safeguards that prevent disclosure of PHI, such as how patient charts are stored. Are conversations and telephone calls overheard by patients? Also consider how faxes and letters are protected, computer security, and the proper disposal of medical records.

Make sure you have all the necessary HIPAA policies in place. You should have policies regarding patients’ right to an accounting of disclosures and access and amend their own PHI, their complaints, incidental disclosures, and proper storage and destruction of medical records.

Business associate agreements should clarify permitted uses and disclosures by your attorneys. This includes any use or disclosure needed to carry out their legal obligations, functions or services, including but not limited to disclosures to potential expert witnesses, independent medical examiners, mock juries, courts, co-counsel, opposing counsel, and consultants. It also should include incidental disclosures to vendors such as photocopiers and others who may participate in preparing trial exhibits or other materials.