Model Forms (Free)
Login/Logout
Newsletters & Alerts
Adobe PDF Reader
HIPAA Policy and Procedure Manual
HHS released the final HIPAA privacy and security rules in January, 2013. They make important changes to the rules which affect every optometrist. This page and the HIPAA Policy and Procedure Manual incorporate these changes to ensure compliance with the final rules. Doctors MUST know these new rules, as chief among them is increased fines for even small breaches of privacy by individual doctors!
"An Ounce of Prevention is Worth a Pound of Cure"
This well-known saying has never been more true than when it comes to your patients and the HIPAA Privacy Rule. The last thing anyone wants, or needs, is a disgruntled patient filing a complaint with the Office of Civil Rights (OCR) claiming you violated their privacy rights, leading to an OCR investigation. The HIPAA Policy and Procedure Manual is the only product of its kind prepared by an optometric attorney and which is directed specifically at helping you and your office prevent patient complaints concerning the privacy of their "protected health information," and in defending against any complaint that might be made.
Under the new HIPAA's Privacy Rule, every "Covered Entity" must have a written Policy and Procedure Manual in their office. This manual will satisfy that requirement.
What is in the HIPAA Policy and Procedure Manual?
There is no better way to get a complete sense of what is contained in The HIPAA Policy and Procedure Manual, than to view the Manual's Table of Contents, which also contains links to several sample pages that are found in the Manual.
To view the manual's Table of Contents and samples from the Manual, CLICK HERE.
What Exactly IS the HIPAA Privacy Rule?
The Department of Health an Human Services (HHS) provides an excellent overview of the rule and how it works on its website. To read the HHS overview, just click here. For specific information on what you are required to do as far as giving your patients a Notice of Privacy Practices, click here.
Is This the Same as the HIPAA Security Rule?
No. HIPAA is made up of several component rules, including the Privacy Rule and the Security Rule. These are different, and you are required to comply with both. The HIPAA Policy and Procedure Manual is needed to comply with the Privacy Rule. Compliance with the Security Rule requires that you prepare a written "risk assessment." You can learn more about the how to comply with the Security Rule by clicking here.
What can happen if you violate the HIPAA Privacy Rules?
CMP. That stands for Civil Money Penalty.The HITECH Act was signed into law in 2009 and took effect in 2010. One of the purposes of the HITECH Act was to introduce, at times harsh, civil money penalties for violations of HIPAA Privacy Rules. Before HITECH there were no penalties for violations you didn't know occurred, or where the violation was corrected within 30 days. No longer. Under HITECH civil monetary penalties may be imposed for any HIPAA Privacy Rule violation, even inadvertent violations. An example: you make a backup of your patient EHR data onto a USB drive to keep off-site, and you lose the USB drive. That is a serious Privacy Rule violation which could subject you to large monetary fines. Moreover, under the HITECH Act, you are required by law to report any breach involving 500 patients or more.
Why Should I Purchase the HIPAA Policy and Procedure Manual?
The principle mission of the OCR is protecting civil rights with respect to health care and health care information. Important for optometrists to know is that the OCR is the Federal department charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. They perform audits, and, more importantly for your purposes, they investigate patient complaints concerning privacy rule violations.
Audits
One of the mandates of the HITECH Act was the initiation of random audits for HIPAA compliance. In 2011-2012 the OCR was directed to perform a sampling of 115 random audits across all sections of health care, from hospitals to small/individual providers, to look for HIPAA privacy violations. (See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/.) While the initial audit did not include any optometrists, it did include both physicians (MD and DO) and dentists. It is reported that the test program identified a high percentage of HIPAA violations, and that HHS has expanded the program for 2013 to include far more random audits across the United States.
Complaints
Though OCR audits are usually directed at improving compliance and not imposing monetary penalties, the same cannot be said for OCR investigations of complaints from patients. The OCR investigates, and may impose civil monetary penalties, following a complaint if it finds a violation occurred and the "covered entity" has not addressed the problem to the satisfaction of the OCR. Most Privacy Rule patient complaints can be avoided, however, and defended if they and when they happen, by having and using a thorough Policy and Procedure Manual.
The HIPAA Policy and Procedure Manual addresses all aspects of the Privacy Rule as it pertains to patients and patient rights, and has the ready-to-use sample forms you'll need for dealing with all patient requests concerning their protected health information. Reading and using this manual should substantially reduce your risk of a patient complaint and will enable you to respond to a complaint by showing the OCR that you have, in fact, complied with the Privacy Rule.
What are investigators looking for in a HIPAA Audit or Patient Complaint investigation?
Among other things, the specific audit protocol developed by the OCR includes the Privacy Rule requirements for
(1) notice of privacy practices for PHI;
(2) rights to request privacy protection for PHI;
(3) access of individuals to PHI;
(4) administrative requirements;
(5) uses and disclosures of PHI;
(6) amendment of PHI; and
(7) accounting of disclosures.
To comply with these specific privacy requirements under HIPAA, and to be prepared in the event you are the subject of either a random audit or an investigation following a patient complaint directly to the OCR or your State Board, every health care provider should have a HIPAA Policy and Procedure Manual which addresses the seven requirements above. If your office follows the guidelines in the Manual, and uses the sample forms contained in it, you should be well prepared to defend against any complaint and to pass any Privacy Rule audit. (Note: there are separate Security Rule requirements which are also looked at in an audit. Go to http://scap.nist.gov/hipaa/ to obtain free self-assessment software which will assist your office in meeting the Security Rule requirements.)
How do I get a HIPAA Policy and Procedure Manual for my office?
Using his experience as a health care attorney, Dr. Steinberg has prepared and now offers for purchase a model HIPAA Policy and Procedure Manual. This manual meets or exceeds the Federal privacy requirements and satisfies all seven of the audit protocol criteria. This comprehensive model Manual, 100 pages in length, also includes 18 ready-to-use sample forms and covers all required aspects of a HIPAA Policy and Procedure Manual. The manual is available in both PDF and Word formats, and is virtually ready to use by simply selecting your Privacy Officer, inserting that name, printing the Manual out.
To purchase the HIPAA Policy and Procedure Manual just click on the "Buy Now" button below. You can purchase the HIPAA Policy and Procedure Manual alone, for $298, or purchase it together with the Employer's Guide for Optometrists for a total of $498 and save nearly $200 off the total price for both manuals if purchased separately.