HIPAA Compliance is a process you must apply
to your practice. The most difficult part of attaining compliance
is effecting behavioral change. This change process can be
simplified into steps or actions that result in ongoing HIPAA
Compliance. Those steps are:
Appoint a Privacy Officer
Even a solo practitioner needs to have a designated Privacy
Officer, who will oversee and assist in all the other steps
necessary to achieve compliance.
Conduct a Readiness Assessment
A readiness assessment reviews four areas of a practice:
- Contractual Agreements
- Business Practices, Policies, and Procedures
- Systems and Applications
- Map or schematic of where protected health information
(PHI) goes
A thorough readiness assessment examines all
current contracts and agreements with other individuals or
practices that may be considered part of your "Chain of
Trust". Patient information provided to you in order
to perform your business must be released to you either by
the patient or through a contractual agreement with the practice
that obtained the information.
The current state of the Business Practices,
Policies and Procedures must be reviewed for the entire practice
wherever patient information is exposed. This includes both
written and non-written policies and procedures.
Computer systems and applications that maintain or transmit
patient information must be reviewed. They are assessed
for their ability to restrict patient information to a "need
to know" basis, as well as for audit trails that record access
violations. This includes aspects of data storage, networks,
transmission, software design, encryption, password protection,
system backup and disaster recovery, physical location, etc.
Develop a Gap Analysis
Information gathered from the Readiness Assessment is
compared, item by item, to the HIPAA requirements. Once
completed, a Gap Analysis will provide a detailed list of contracts,
policies and procedures, computer systems, and computer applications
that do not meet the HIPAA standards. This includes current
contracts, procedures, or systems that do not comply, as well
as areas of HIPAA for which the practice does not yet have
contracts, procedures, or systems.
Develop a Risk Analysis
Two questions are asked for each violation identified in the Gap
Analysis:
- What are the options and associated costs for making the
change that reconciles the violation?
- What is the risk to my practice if I do not make the change?
Develop an Implementation Plan
The implementation plan includes a list of tasks, deliverables
from completing the tasks, necessary resources, estimated
costs, and a timeline for completion. Resources can be in
the form of current employees, contract individuals, software
products, or hardware products.
Develop a Training Program
A training program is key to a successful compliance program.
You need to ensure that everyone who handles Individually
Identifiable Health Information (IIHI) is thoroughly trained
in all aspects of HIPAA that pertain to their job duties. Additionally,
you must ensure that they understand what they have learned
and retain the knowledge. A training program that records and
tracks test results is recommended.
Training needs to be an ongoing process that
encompasses changes and additions to the law and is repeated
on an annual basis. Include successful completion of HIPAA training
as a criterion for employee evaluation. Don't forget
to make HIPAA training a part of the hiring process and train
each new employee before he or she begins working in
the practice.
Develop Policies and Procedures that address
HIPAA
The Office for Civil Rights, the office within the Department of
Health and Human Services that has ongoing responsibility for
enforcing the HIPAA rules, has clearly stated that policies and
procedures are one of the chief components of an acceptable
compliance program.
Develop Forms
Develop forms for consent and authorization, and for tracking
the release or disclosure of protected health information.
You also need to develop forms and processes for providing
copies of, and amending, your patients' medical records.
Develop a Notice of Privacy Practices
Using the map or schematic that you prepared in the Readiness
Assessment, determine all the possible uses of PHI that fall
under treatment, payment, and operations, and use it to publish
a Notice of Privacy Practices. Make your notice available
to anyone who provides you with Protected Health Information;
if you have a website, it must be posted there as well.
Implement Change
Once a plan has been established and policies and procedures
written, resources are gathered to implement the required
change. Depending on the size of the practice, at least one
project manager will be required to ensure timely progress
and manage problems as they arise. This position may be a
responsibility of the Privacy Officer, especially in the case
of a small practice. Change will impact all functional areas
of the practice. The amount of change necessary will be determined
by what is reasonable for the size of the practice being evaluated.
The largest expense associated with HIPAA compliance
is in the assessment, analysis, development, and implementation
phases. Therefore, it is likely that many practices will use
outside resources to perform the assessment and implement
the change. Once implementation is completed, a practice will
most likely assign the role of ongoing compliance to an employee.
Maintain HIPAA Compliance
Maintaining Compliance with HIPAA regulations requires three
activities:
- Ongoing and new-hire training
- Monitoring the adherence to current policies and procedures
- Modifying policies and procedures to conform to changes
in the HIPAA law
Having a procedure in place does not reduce
your risk of liability unless you monitor the activities
of the employees who must follow your procedures. Once a policy
is made, it must be communicated and monitored, and action taken
on violations. If an employee violates a company policy and
it cannot be shown that they were trained, then the employer
will be liable. Likewise, if an employee is allowed to continually
violate a policy involving HIPAA law without action, the employer
will once again be liable.
As HIPAA regulations change, your practice must
review and, if necessary, revise its practices or policies
to meet those changes. Most software vendors will automatically
adapt to changes in the HIPAA law. However, since 70% to 80%
of compliance with HIPAA law is based upon company policies and
procedures, each company will have to maintain an ongoing
awareness of changes in HIPAA law. They will have to update
their policies and procedures to adapt to changing requirements.
How to Get Started
Start now. The clock is ticking. Any practice is going to
have to commit funds, time, and resources
for the HIPAA compliance project to be successful. The task
may seem daunting at first because the regulations delve into
almost every aspect of the health industry. Performing the Gap
Analysis alone can be a daunting task due to the volume of
HIPAA regulations. The Privacy regulation by itself is over 800
pages.