HIPAA Administrative Requirements and Best Practices
To follow up last week’s blog post about HIPAA’s Privacy Rule, we’ve boiled down some of the most important administrative requirements for maintaining compliance with HIPAA. Below is a non-exhaustive list of best practices for your business.
- Carefully develop and implement policies and procedures regarding any protected health information (PHI) that are designed to comply with the Privacy Rule. If you’re not sure about your current policies or are in the process of developing new policies for your business, you should contact a qualified attorney to review your policies.
- Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. With the increasing reliance on electronic data storage and processing, it’s becoming more and more important to have a comprehensive set of safeguards to govern the processing, use, and storage of PHI.
- Mitigate any harmful effect of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule that is known to the covered entity. No covered entity is perfect, and there’s a good chance there may be a mistake every now and again. However, you can protect your business by having already established a procedure to mitigate any harmful effects.
- Provide privacy training to all of your workforce, as necessary and appropriate to their functions. This is perhaps one of the most important administrative requirements for your business. In order to reduce your risks and liabilities, it’s important to provide ample training to your employees.
- Develop and apply sanctions for employees who violate your business’ policies or the requirements of the Privacy Rule. Included in your employee training program should be information about what will happen if an employee violates your internal policies or the Privacy Rule in general.
- Designate a privacy official who will be responsible for developing and overseeing your privacy policies and procedures. You should take the time to carefully consider what characteristics are important for an ideal privacy official because this person should be your go-to-person for any HIPAA-related inquiries.
- Designate a contact person or office where individuals can direct complaints. Generally complaints should be directed to the privacy official, but some businesses create an entirely separate phone line or email address for HIPAA complaints.
- Provide a complaint process. You should have a process that is easy to use and available for any individual that has a complaint against your business.
As we noted above, no business is perfect and there will be occasional slip ups. However, adhering to the administrative requirements of the Privacy Rule will help reduce your business’ liabilities for any unintentional violations of HIPAA.
Stay tuned for documentation requirements under HIPAA and eight additional considerations every covered entity should think about.