While some of those areas can require meaningful time and attention to successfully address, there are three things the audit revealed that practitioners can quickly and easily do to better adhere to HIPAA compliance. In fact, most folks will probably be able to do these three things in about five minutes.
To make sure you’re protecting your clients’ data and running a HIPAA-complaint practice, you should link to your notice of privacy practices, make sure your clients know how to exercise their rights, and keep a log of all record requests you receive.
1. Link to your Notice of Privacy Practices.
The audit exposed just how many providers have problems with their Notice of Privacy Practices (NPP). Only 2% of covered entities had an NPP that actually met all of the requirements of the law. A common area of noncompliance? Providers’ websites.
If you have a website, you must link to your Notice of Privacy Practices on your site’s homepage. The link should be clear and understandable, titled something like “Notice of Privacy Practices.” When you’re choosing a website builder, make sure there’s a quick and easy way for you to include this link and your document, as it’s something your business needs to have.
If you have a web developer or use a more complicated website builder, one way to do this is to have your NPP be a document in a cloud-based service like Google Docs, so that you can easily edit it but other viewers can’t. Make sure your sharing settings allow for public viewing, but not outside editing. Then just link to that document from your website. This way, you can easily edit your NPP in the future without having to make additional changes to your website.
2. Tell your clients how to exercise their rights.
Many of the audited providers told their clients what their rights were under the law, but left out an important component of HIPAA compliance— they neglected to include any information about how clients can actually exercise those rights. In private practice, many practitioners prefer a more informal process where clients simply email you to request records or lodge a privacy-related complaint. In a group practice or larger setting, there may be a more formal process for such requests.
Whatever process is right for you and your practice, you do need to have some kind of documented process for record requests and privacy complaints. And more importantly, clients need to be informed of what that process looks like in your NPP. If this information isn’t in your current NPP, take the time to make the edit to include it.
In the HHS audit, a number of providers did include contact information, but it was contact information for an entirely different provider. This is one of many reasons why it’s never a good idea to simply copy and paste another provider’s NPP in its entirety and use it as your own. If any specific information is incorrect, your clients would be misinformed of how to exercise their rights in your practice. Before posting your NPP publicly or sending it to clients, do a thorough proofread to make sure that all the information is accurate and up-to-date.
In the 2020 HHS audit, a number of providers told HHS that they had no client requests for protected information in the past several years—a claim that auditors said probably represented a misunderstanding of the law. Any time a client requests any portion of their record, that’s considered a record request under HIPAA. Even if a client simply asks you for a copy of their bill, that’s a record request.
You should keep a log that includes all record requests—including the date of the request, the date of your response, and the nature of your response (for example, provided three pages of records in paper format).
Starting this log is a quick and easy process. You can create it in a word processor or a spreadsheet. However, if the log is going to include PHI like client names or other identifiers, you’ll want to provide the same protections you apply to other forms of PHI in your practice.
Keep Your HIPAA Compliance Up-To-Date
If you did all three of these tasks, then in just a few minutes you’ve addressed three of the most common compliance weaknesses identified in the HHS audit. As mentioned before, there were many more areas where providers generally fell short of HIPAA compliance.
The good news here is that the audit process isn’t meant to be punitive or frightening, but rather to inform and educate. Being aware of the common areas of noncompliance and addressing them in your own practice is a good way to ensure you’re protecting your clients’ data—and your business.
The HHS audit report is full of useful takeaways for covered entities. And aside from identifying HIPAA compliance issues in your own practice that might need addressing, you’ll need to think about how new technologies and enforcement actions play into overall compliance. If addressing all these concerns seems overwhelming, you’re not alone. Speaking to mentors, colleagues, or taking an online course can give you a refresher on the basics of HIPAA compliance and also help you look for more advanced ways to improve your overall compliance.
Disclaimer: Though based on a plain-language reading of HIPAA and the December 2020 audit report, none of the above should be considered legal advice. For guidance on how HIPAA applies in your specific situation, please consult with an attorney.
Pollen Magazine examines the health and wellness industry through the lens of the professionals that are redefining private practice. Find inspiration, learn from others, and discover insights on how to build the best version of your practice.
Get the latest stories from your peers right to your inbox.