Simple Steps to HIPAA Compliance
1. At My Desk Training
7 SIMPLE STEPS TO
MAKE YOUR PRACTICE
HIPAA COMPLIANT
2. First things first: you will need to select someone
in your office to become the Privacy and
Security Officer.
HIPAA (the Health Insurance Portability and
Accountability Act) of 1996 made a privacy
officer’s job imperative for medical practices,
dental practices, organizations, health
information clearinghouses, etc. Under the
HIPAA guidelines, every organization that
practices or manages health care information
must designate a privacy officer who oversees
the development, implementation and
monitoring of privacy policies and ensures they
are in accordance with federal and state
guidelines.
✓Evaluate the company’s current privacy policy if
there is one. If there is not a privacy policy, the
Privacy Officer is responsible for creating one in
accordance with the HIPAA guidelines.
1.0 The Privacy Officer
3. ✓Establish and Implement New Policies
✓Update Policies and Procedures to meet current
state and federal regulation and accreditation
✓Create the following documents: Notice of
Privacy Practices, HIPAA authorization form,
Disclosure of PHI (Protected Health
Information), Request for Access to PHI
(Protected Health Information).
✓Train employees on privacy policies and
practices
✓Conduct periodic internal HIPAA audits to ensure
100% compliance with policies and procedures
In larger organizations, the Privacy Officer is one
person responsible only for HIPAA Privacy Policy
Compliance. In smaller organizations, the
Privacy Officer usually wears more than one hat. The
Privacy Officer can be the receptionist, Office
Manager, Doctor, or Dentist. One of the first things
an HHS auditor will ask is to speak with the Privacy
Officer, so preparation is key.
4. HIPAA compliance requires that organizations
large and small have a Security Officer in
addition to a Privacy Officer. This can be the
same person in small and medium-sized
organizations. The Security Officer is
responsible for managing information security
policies and procedures. These policies and
procedures must ensure confidentiality,
integrity, and availability of PHI (Protected
Health Information). It is the Security Officer’s
responsibility to ensure that the organization’s PHI
can’t be accessed by unauthorized persons. In addition,
the Security Officer has to make sure that administrative,
technical, and physical safeguards are in place to protect
PHI. This includes virus protection, automatic
patches, privacy screens, malware protection,
IDS (Intrusion Detection System), IPS (Intrusion
Prevention System), etc.
2.0 The Security Officer
5. OK, now that you have selected your Privacy and
Security Officers, the next step is to conduct a
Risk Assessment.
A Risk Assessment includes, but is not
limited to, the following activities:
✓Identify where PHI is stored, received,
maintained or transmitted.
✓Identify and document potential threats and
vulnerabilities.
✓Assess current security measures used to
safeguard PHI.
✓Assess whether the current security
measures are used properly.
✓Determine the likelihood of a “reasonably
anticipated” threat.
✓Determine the potential impact of a breach
of PHI.
3.0 Risk Assessment
6. ✓Assign risk levels for vulnerability and
impact combinations.
✓Document the assessment and take action
where necessary.
Each vulnerability or risk should be assigned a
risk level. By assigning a risk level, an
organization will be able to determine which
risks and vulnerabilities need immediate
attention and remediation.
Risk Assessments, due to constantly changing
technology and threats, should be reviewed
periodically to assess risk and vulnerabilities.
7. Now that you have a Privacy and Security
Officer and have conducted a Risk
Assessment, it’s time to complete your Policy &
Procedures Manual. This Policy and Procedure
Manual will spell out the when, why, who, and
how of protecting Protected Health Information
(PHI) and Electronic Protected Health
Information (ePHI). The Policy and Procedure
Manual should be based, in part, on the results
of the Risk Assessment. If the Risk
Assessment identifies a weakness in a certain
area of the practice, the Policy and Procedure
Manual should spell out a policy or procedure to
protect Protected Health Information (PHI).
4.0 Policy & Procedures
8. Employee Training is another very important
HIPAA Compliance
requirement. Many breaches have been
caused by internal factors and most can be
prevented. Employees should know and
understand the importance of HIPAA
Compliance and the protection of Protected
Health Information (PHI). Annual training is
necessary to ensure employees understand
what HIPAA is, who is responsible for
complying with HIPAA regulations, what a
breach is and how to report it, who can access
Protected Health Information (PHI), and more.
5.0 Employee Training
9. After HITECH and the Final Omnibus Rule
were implemented, Business Associates are
required to adhere to HIPAA Compliance rules.
Business Associates are any person, company,
vendor, etc. with access to Protected Health
Information (PHI). A Business Associate could
be the attorney for the practice or an IT vendor, as
long as they have access to Protected Health
Information. Business Associates should be
identified in your Risk Assessment and,
depending on the size and complexity of your
organization, the list of Business
Associates could be lengthy.
6.0 Business Associates
10. Penalties for not being HIPAA Compliant can
be expensive, and they are avoidable. When HIPAA was
first enacted, HIPAA Compliance audits
conducted by HHS (Health and Human
Services) were few and focused on larger
organizations. That is no longer true, and
smaller practices have seen an increase in
audits and penalties. The best suggestion is to
be proactive and not reactive. Don’t wait until
you have a HIPAA audit to complete the steps
above. Completing them will show auditors that your
practice or organization takes HIPAA
Compliance seriously and that you have taken the
appropriate steps to protect PHI (Protected
Health Information).
7.0 Don’t Receive a Penalty$$$...
Go Over the Steps Again
11. For a limited time, get a Free Risk Assessment
and Policy & Procedures Manual Template with
the purchase of a HIPAA Training Class. Must be
an organization or business.
Atmydesktraining.net