HIPAA Compliance Guide and FAQ

“Ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services.” Quoted from hhs.gov.

 
Download our HIPAA Compliance CheckList



Answers to the most commonly asked HIPAA Compliance questions are listed below:

Does the office have an up-to-date Notice of Privacy Practices that is compliant with Federal and Texas law?

Covered Entities are required to provide a Notice of Privacy Practices for Protected Health Information. Smart Training’s Safelock Certified® package provides your office with a current NPP which incorporates your logo and identifies the Privacy Officer. (45 CFR § 164.520)

Is the Notice of Privacy Practices offered to patients in a printed format, and is a valid, signed Acknowledgement obtained?

A provider who gives the NPP to a patient during an office visit should receive an acknowledgement at that time; if the patient refuses to sign, that fact should be noted in the chart or electronic record. Again, Smart Training’s Safelock Certified® package provides an Acknowledgement of Receipt incorporating your office logo.

Does the office website ‘prominently display’ the Notice of Privacy Practices?

A Covered Entity that maintains a web site must prominently post its Notice and make the Notice available electronically through the site. The Safelock Certified® package’s Notice of Privacy Practices is delivered as a .pdf file that can be easily linked to your existing website. (45 CFR § 164.520(3)(i))

Has the office posted a Notice of Electronic Disclosure?

The Notice of Electronic Disclosure is required by Texas law. Smart Training’s Safelock Certified® package provides the document, incorporating the practice logo and ready for posting in the office waiting area or hallway.

Are office employees trained on patient privacy within 90 days after hire?

Smart Training has trained more than 15,000 dental offices on Texas House Bill 300, which mandates patient privacy training for staff.

Does patient privacy training reflect the latest changes in HIPAA and Texas law?

Because our team of HIPAA compliance experts have developed Smart Training’s HB300 2018 training module, you can be sure your team is getting up-to-date patient privacy training.

If the office provides privacy training, is the training ‘certified?’

Certification requires employees to demonstrate retention and knowledge of training material. Each Smart Training compliance module incorporates a number of quizzes which must be successfully completed before the employee is certified.

Are training records complete for the past two years?

Smart Training’s Learning Management System retains training records in perpetuity.

Does the office have a signed Employee Privacy Policy for each staff member?

The Employee Privacy Policy is an acknowledgement that the employee has read and understands your NPP and other privacy policies. Smart Training’s Safelock Certified® package offers a comprehensive, office-specific Employee Privacy Policy as well as a Visitor Privacy Policy for office visitors. (45 CFR § 164.308(a)(3)(ii)(A))

Does the office have signed Business Associate Agreements with all entities who have access to the practice’s patient information?

Smart Training’s Certified HIPAA Professional provides customized Business Associate Agreements ready for signature. We help your office identify partnering businesses for which a BAA should exist, then we create Agreements for the specific applications required. (45 CFR § 164.502(e), 164.504(e), 164.532(d), and 164.532(e))

Has the office performed a HIPAA Security and Risk Assessment within the past year?

Smart Training’s Safelock Certified® package features an ‘automated’ Risk Assessment with written Response aimed at addressing remediation challenges. The Risk Assessment examines compliance paperwork, Business Associate Agreements, physical safeguards, administrative safeguards and technical safeguards as well. (45 CFR § 164.504(e))

Is the office server secured in a locked environment, not accessible under normal conditions by anyone who is not a member of the office staff?

Our main concern focuses on protecting the server from malicious software and access by unknown or unauthorized individuals (45 CFR § 164.308(a)(5)(ii)(B) and (C). Realistically, it is impossible to be compliant without having the server secured against unauthorized access. (45 CFR §164.308(a)(1)(ii)(A))

Is the office’s electronic patient information encrypted in transit?

While encryption is not a legal requirement, it is a “safe harbor” to guard against some breach situations and is highly recommended for any computer that can access ePHI.. Valid encryption processes for data in transit may be found in NIST Special Publication 800-52 and 800-77.

Is the office’s patient data backed up? Is the backup subject to theft, loss or damage?

Backups are not optional! Smart Training’s Safelock Certified® ‘automated’ Risk Assessment process provides a careful look at your backup methodology and security. (45 CFR § 164.308(7)(ii)(A))

Does each user on the office computer system have a discrete password?

While HHS does not mandate a specific password arrangement, it does mandate that a password policy be in place. Realistically, login monitoring is of limited value when several staff members utilize the same login password, which is often the case in smaller offices. (45 CFR § 164.308(a)(5)(ii)(D))

Is the office proactively monitoring systems and networks for potential issues involving the privacy of patient information?

CorpTek’s proactive monitoring software will alert our staff and your office to potential issues before they emerge as significant problems.

Is login monitoring conducted on a regular basis?

There is no hard or fast guideline as to the frequency of login monitoring. Each office is different, and much depends on the vulnerability of your data. We suggest a minimum of weekly login monitoring; some offices may need to monitor logins on a daily basis. (45 CFR § 164.308(a)(5)(ii)(C))

Does the office install the latest security updates on computers and servers?

CorpTek performs all scheduled maintenance, including software updates, and maintains a log of services performed.

Is the office conducting vulnerability scans on a periodic basis?

Vulnerability scanning is an inspection of potential exploitation points on computers, laptops, servers and networks. The aim of the scan is to identify security challenges.

Has the office appointed a Privacy Officer?

Your office must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. Smart Training’s Safelock Certified® package provides specialized online training for your office Privacy Officer, and, alternatively, can provide a Certified HIPAA Professional to function as Privacy Officer for your office. (45 CFR § 164.530(a)(1)(i))

Has the office developed the written HIPAA Policies and Procedures required for compliance?

Smart Training’s Safelock Certified® provides the written policies essential to privacy security in your office. We work to ensure that the completed document meets the specific needs of your office. (45 CFR § 164.530(i))

Does the office have a written Disaster Recovery Plan?

Our HIPAA Policies and Procedures always include a draft Disaster Recovery Plan that can be fine-tuned to your office environment. (45 CFR 164.308(a)(7)(ii)(B))

Does the office have a Breach Notification Policy?

Smart Training’s Safelock Certified® HIPAA Policies and Procedures package also provides a detailed Breach Notification Policy.

Does the office use a breach detection service?

As cyberattacks grow increasingly sophisticated, anti-virus software alone is no longer sufficient. CorpTek’s breach detection feature proactively searches for the unaddressed techniques that hackers use to access your office systems.

Does the office receive a monthly HIPAA compliance report?

CorpTek’s monthly reporting offers peace of mind and the assurance that your computers and servers are protected.

Contact us for a Free HIPAA Consultation