
HIPAA Administrative To Do List

Our HIPAA Administrative To Do List is designed to help you plan for and implement the practices and policies necessary to comply with the privacy regulations outlined in HIPAA. It is not an all-encompassing list, but a set of useful starting points for where and how to begin your compliance efforts.

Perform Gap Analysis - Practice Walk Through

Walk through the practice and perform a Gap Analysis to determine which current processes fall short of the HIPAA regulations. Record each gap found.

Implement safeguards that close each documented gap, and note who is responsible and when it was completed.

Begin or Update Data Mapping 

Begin mapping where your data resides, how and where it moves, and who, inside and outside your practice, has access to it. Document its "path" from the point it enters the practice to the point it leaves or is destroyed.

Prepare Practice Privacy Policy

Prepare, post and have available a privacy policy notice in the practice and on the practice web site. The notice must be written in plain language and must include its effective date.

Provide the name and contact information of the privacy officer on the notice.

Provide instructions on how to file a complaint within the practice and with the U.S. Department of Health and Human Services (DHHS).

List the practice's responsibilities under HIPAA and explain all of the patient's privacy rights.

Prepare Authorization Forms

Secure Business Associate Agreements

Develop a comprehensive list of the vendors or entities who work with your practice and have access to PHI. Examples are billing firms, collection agencies, auditors, consultants, transcription services and cleaning companies.

Determine the minimum amount of PHI each of those individuals/entities needs to accomplish their intended purpose. (Note: the "minimum necessary" standard is expected to be further clarified by DHHS.)

Develop HIPAA-compliant agreements for business associates (BAs) that ensure the BA will safeguard PHI, will have access only to what is minimally necessary to carry out its function, must destroy or return the information to the covered entity (CE) when the contract terminates, and that the contract will terminate if the BA violates its stipulations.

Obtain signed written agreements from all BAs who have access to personally identifiable data from your practice.

Replace all existing verbal contracts with BAs with written agreements.

Develop & Distribute Employee Confidentiality Agreements

Obtain signed confidentiality statements from employees. Retain them in employee files.

Establish employee training programs on confidentiality and document that training.

Record which training materials were distributed. Every course should be documented. Keep the materials as proof.

Don't give a new employee access to confidential health information until s/he completes security and privacy training and that completed training is documented in the employee record.

Consider Temporary Staff

Create and assign an individual system user name for each temporary worker, valid for the day, week or duration of the assignment. Do not share one account among several temporary workers: the HIPAA Security Rule requires a unique identifier per user, and a shared account makes it impossible to tell who did what.

Keep the password known only to that temporary worker. The account, not just the password, should expire at the end of the day, week or duration of the assignment, and should be disabled immediately if the assignment ends early.

Keep a written record of the temporary worker's user name, the person it was issued to, and the start and end dates of the assignment. Do not record the password; the record plus the system's own access logs are what allow you to audit/monitor that worker's usage of practice systems.
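The following is an added example, not part of the Practis list, showing how the temporary-staff steps above can be enforced technically in a Windows Active Directory practice network: a per-person account that expires automatically on the assignment's last day, a one-time initial password the worker must change at first logon, a log entry that records the account and dates but never the password, and a periodic sweep that disables any expired temporary account still enabled. The domain name, the "Temporary Staff" OU and the log file path are assumptions for illustration.

```powershell
# Added example (not from the Practis page). Assumes the RSAT ActiveDirectory
# module is installed, and that the OU and file share below exist (hypothetical).
Import-Module ActiveDirectory

$ou       = "OU=Temporary Staff,DC=practice,DC=local"   # assumed OU for temp accounts
$worker   = "jdoe-temp"                                 # one account per person, never shared
$fullName = "Jane Doe (Temp)"
$endDate  = (Get-Date).AddDays(14)                       # last day of the assignment

# Random one-time initial password. ChangePasswordAtLogon below forces the worker
# to replace it at first logon, so nobody else retains a working password.
$chars   = (48..57) + (65..90) + (97..122)               # 0-9, A-Z, a-z
$plain   = -join ($chars | Get-Random -Count 16 | ForEach-Object { [char]$_ })
$initial = ConvertTo-SecureString -String $plain -AsPlainText -Force

New-ADUser -Name $fullName -SamAccountName $worker -DisplayName $fullName `
    -Path $ou -AccountPassword $initial -Enabled $true `
    -ChangePasswordAtLogon $true -AccountExpirationDate $endDate `
    -Description "Temporary staff; assignment ends $($endDate.ToShortDateString())"

# Written record for the compliance file: account, owner, issue date, end date.
# The password is deliberately not recorded.
"{0},{1},{2},{3}" -f $worker, $fullName, (Get-Date -Format s), $endDate.ToString("s") |
    Add-Content -Path "\\fileserver\compliance\temp-accounts.csv"   # assumed path

# Periodic sweep (run daily): any temporary account past its expiration date that
# is somehow still enabled gets disabled, so a missed end-of-assignment step
# cannot leave a live account behind.
Search-ADAccount -AccountExpired -SearchBase $ou -UsersOnly |
    Where-Object { $_.Enabled } |
    Disable-ADAccount -Confirm:$false
```

Because the account has a unique name and expiration date set in the directory, logon and file-access events in the Windows security log are attributable to that worker alone, which is the audit trail the written record is meant to support.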

Appoint a Practice Privacy Officer

Monitor Systems and Document Policies

 

PLEASE NOTE: Information is provided as a service to our visitors. Practis takes no responsibility for its content. It is provided with the understanding that Practis is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Links and information are provided as a service to our visitors. Practis takes no responsibility for their content or connectivity.

 
GLOSSARY
HIPAA Glossary of Terms 
provided by WEDI-SNIP

Covered Entity

Under HIPAA, "covered entities" are health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a HIPAA standard transaction (for example, electronic claims). In practice this includes nearly every physician practice that bills electronically.

PHI - Protected Health Information

Protected Health Information, or PHI, is individually identifiable health information (information about a person's health condition, the care provided, or payment for that care) that is created, received, transmitted or maintained by a covered entity in electronic or any other form or medium.

Examples of identifiers that make health information "individually identifiable" include: name, date of birth, Social Security Number, address, phone number, etc.

Use vs Disclosure

USE: Refers to day-to-day workflow (or operation), specifically the sharing, utilizing and analyzing of personally identifiable information inside the organization that maintains that data.

DISCLOSURE: The release, transfer or provision of access to personally identifiable information to anyone outside the organization. Disclosure beyond treatment, payment and health care operations requires a separate agreement or patient authorization.

Data Mapping

Mapping where your data resides, where it moves to, and who, inside and outside your practice, has access to it.

Gap Analysis

The process of examining your current processes and comparing them to the HIPAA requirements. The comparison identifies the differential, specifically what is in violation, and is the basis for plans to address the risk areas you discover.

Business Associate

A business associate is an entity that has a business relationship with the CE that allows it access to PHI.


Use Y2K Resources as A Place to Start for HIPAA Compliance

  • Use many of the same staff you used for Y2K. They are already familiar with the process of managing a large project and maintain a high-level perspective on your practice operations.

  • Utilize your Y2K technology inventory as a starting point for your HIPAA inventory process, adding any devices introduced since the Y2K inventory.

  • Use your inventory of data interfaces as a basis for your data mapping.

  • Use your Y2K gap analysis as a baseline for your security risk analysis.

  • Utilize your Y2K backup contingency plans.


© Copyright 1998-2006 Practis, Inc. All rights reserved.
1851 Stone Rd, Suite 101 - Rochester, NY 14615 - (585) 225-3340