HIPAA Privacy
Overview of the Privacy Rule
In publishing the Privacy Rule and guidances, HHS issued the "first-ever comprehensive federal regulation that gives patients sweeping protections over the privacy of their medical records." This regulation empowers patients/employees and guarantees them access to their medical records and specific action if their medical privacy is compromised.

The Privacy Rule compliance deadline was April 14, 2003 for health care providers. Small health plans, typically offered by employers, have until April 14, 2004 to comply.

HIPAA requires that you train your staff on these Privacy regulations. To assure compliance, you must combine training on your policies and procedures, general HIPAA guidelines, and state guidelines where they are more stringent than the federal regulations.

Highlights of the Privacy Rule

For the healthcare industry to successfully transmit electronic files, HHS recognized that consumers would want the reassurance that health records are kept confidential. The Privacy Rule requires that employers who have access to Protected Health Information protect the information when it is at rest (in storage) and in movement (spoken, electronically transmitted, or written).

The Privacy Rule is divided into three key components: Administrative Requirements, Patient Rights, and Use and Disclosure of Protected Health Information.

Administrative Requirements:

These requirements apply not only to healthcare providers, but also to health plans, clearinghouses, or others identified as a covered entity.

  • Appoint a Privacy Official.
  • Establish policies and procedures that identify how you will use and disclose protected health information, including sanctions when an employee disregards office policies.
  • Train your staff on your policies and procedures.
  • Develop and implement physical, administrative and technical safeguards.
  • Develop a documentation process.
  • Develop a process for complaints.
  • Mitigate breaches.
  • Do not allow intimidation or retaliation.
  • Do not ask patients to waive rights.
Six Patient (or Individual) Rights
  • Right to access and make copies of medical records
  • Request amendment to medical and billing records
  • Request an accounting of disclosures
  • Request to be contacted at an alternate location
  • Request further restrictions to prevent others’ access to medical records
  • File a complaint with the Secretary of HHS
Use and Disclosure in the Work Environment

HIPAA mandates that each employee who views, uses or discloses protected health information become familiar with the Privacy Rule requirements. It also mandates that you assign leadership and implementation duties to a Privacy Officer. To lighten the load for the Privacy Officer we recommend you organize a “privacy team” led by your Privacy Officer who will then delegate implementation tasks.

Your office will be required to adopt policies and procedures and integrate new privacy activities into your workflow. You will need to create a policies and procedures handbook that describes how your practice will comply with the Privacy Rule. Here are a few of the items you will need in order to meet compliance.

  • Notice of Privacy Practices – describes how your health plan may use and disclose employee PHI (protected health information)
  • Minimum necessary – describes how your company ensures that employees and others view only the minimum necessary PHI
  • Authorization form – form employees sign to give your health benefits plan permission to use their PHI
  • Business associate agreement – a contract that assures you that your business partners respect and protect the privacy of PHI
  • Administrative procedures, technical and physical safeguards – assure the security of PHI that your company stores and transmits

Generic policies and procedures, agreements, and more than 35 forms and documents are available from Simplified Training. These generic documents can be customized and give you a solid foundation to start a HIPAA compliance program.

Start Now
The HIPAA Privacy Rule will have an impact on the way your business operates, but more importantly it will directly affect the way your staff or human resources department carries out daily activities. Train them to understand the requirements and become compliant using The HIPAA Tool Kit for Employers™.