HIPAA Documentation Requirements and 8 Considerations for Business Owners

In this last installment of our series on HIPAA compliance and best practices for your business, we’ve detailed the documentation requirements and 8 important considerations every business owner should think about.

Does HIPAA require any specific documents?
As discussed in previous posts, HIPAA’s Privacy Rule does more than suggest best practices: it requires covered entities to keep specific documentation. Your privacy policies and procedures, and every other record the Rule requires (notices, authorizations, complaints, training records, and so on), must be retained in written or electronic form for six years from the date they were created or the date they were last in effect, whichever is later (45 CFR 164.530(j)). Note that this six-year period applies to compliance documentation, not to medical records themselves; how long you must keep the PHI in a patient’s record is set by state law and your licensing requirements, not by HIPAA.

The following is a list of documents and records you should consider keeping in your business in order to avoid any inadvertent use or disclosure of protected health information. Putting these policies and procedures in writing is one simple step you can take to protect your business.

  • Training provided, Privacy Official, Contact Person;
  • Complaints to Covered Entity and their disposition, if any;
  • Notice of Privacy Practices, signed Acknowledgements, and documentation of good-faith efforts to obtain an Acknowledgement where one could not be obtained. The Notice must describe:
    • The ways in which the covered entity may use and disclose protected health information,
    • The covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice,
    • Individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated,
    • A point of contact for further information and for making complaints to the covered entity, and
    • Because covered entities must act in accordance with their notices, the notice should describe what you actually do, not what you aspire to.
  • Authorizations;
  • Business Associate Contracts;
  • Designated record sets that are subject to access by the individual, the access contact person, access requests, and responses;
  • Amendment contact persons, requests, denials, disagreements and rebuttals;
  • Accounting of disclosures: the information required in each accounting, the accounting contact person, requests, and the accountings provided to individuals;
  • Restriction Request Agreements;
  • Health care component designations (for hybrid entities);
  • Affiliated Covered Entity Designations;
  • Certification of Group Health Plan document amendment; and
  • Verification documents of public officials, personal representatives.

8 Considerations for your business

  1. Develop a valid authorization form. An authorization is required before any use or disclosure that the Privacy Rule does not otherwise permit; routine uses for treatment, payment, and health care operations do not need one, but marketing, most sales of PHI, and most disclosures of psychotherapy notes do. A valid authorization must be written in plain language and contain the core elements (a description of the information, who may disclose it, to whom, the purpose, an expiration date or event, and the individual’s signature and date) and the required statements (the right to revoke, whether treatment or benefits are conditioned on signing, and that information, once redisclosed by the recipient, may no longer be protected). Having a compliant form ready, and using it whenever it is actually required, is one of the most important steps you can take to avoid future HIPAA violations.
  2. Develop and provide a Notice of Privacy Practices and, if necessary, an acknowledgement form. A provider with a direct treatment relationship must make a good-faith effort to obtain the individual’s written acknowledgement that the notice was received, and must document the attempt when it fails. The more clearly you explain your policies and practices pertaining to protected health information, the better; providing each client with a notice and acknowledgement form is one way to maintain transparency with your clients.
  3. Develop a system to track and account for disclosures. Individuals have the right to an accounting of certain disclosures of their PHI made in the six years before the request (disclosures for treatment, payment, and health care operations, disclosures to the individual, and disclosures made under an authorization are among the exceptions), and you cannot produce one if you do not log what was disclosed. It is also difficult to remedy an inadvertent (or deliberate) improper disclosure if you have no record of it. Keep a simple disclosure log that captures, for each disclosure, the date, the recipient, a brief description of the information, and the purpose; those are the elements an accounting must contain.
  4. Designate a privacy official and a contact person. HIPAA requires both: a privacy official responsible for developing and implementing your policies and procedures, and a contact person (who may be the same individual) to receive complaints and provide information about your notice. Choose a responsible employee to be your point person for HIPAA-related questions and complaints, and name that person in your documentation.
  5. Design and implement policies and procedures. Central to this entire series of posts is the need to develop procedures within your business that account for the protected health information you handle and for how you and your employees process, use, and disclose it. If you currently have procedures in place but are unsure of their reliability, consult someone outside your business who is well-versed in HIPAA requirements to confirm you have taken reasonable steps to avoid a violation.
  6. Develop and implement systems to safeguard PHI. A key part of handling protected health information is knowing where it goes once your business receives it: which systems store it, who can reach it, and where it is sent. The Privacy Rule requires reasonable administrative, technical, and physical safeguards for all PHI, and the Security Rule spells those out for electronic PHI. In practice that means limiting access to the workforce members who need it (the minimum-necessary standard), keeping audit logs of who accessed what, encrypting ePHI in storage and in transit, and maintaining a backup and contingency plan. Secure storage products can help you organize PHI, but they only prevent inadvertent disclosure if access to them is restricted and periodically reviewed.
  7. Train your workforce. HIPAA requires you to train all workforce members on your privacy policies and procedures as they apply to their jobs: each new member within a reasonable period after joining, and everyone affected whenever a material policy change is made. Document that the training took place and who received it. Training materials are available from HHS’s Office for Civil Rights and from many other sources.
  8. Check the rule for changing requirements. HIPAA’s Privacy and Security Rules (45 CFR Parts 160 and 164) are amended from time to time, and HHS periodically issues guidance that changes how they are applied, so it is important to keep up to date. Periodically check the regulations and HHS guidance for recent changes, and from time to time audit your policies and HIPAA documents against them to make sure they are still current.

Keep in mind that the documentation requirements and the 8 considerations above are not an exhaustive list of the precautions a business handling protected health information should take. They are presented to give you an idea of ways to avoid HIPAA violations and of the steps you can take to process, use, and disclose protected health information reasonably in the course of business.

If you’re interested in learning more about HIPAA requirements or you’d like to review your business’s policies and procedures, please comment below, contact us, or subscribe to our free Q & A service.


Gavin Johnson

Gavin enjoys craft beer and is learning the art of brewing.
