HIPAA Requirements for a Small Clinic
-
Privacy Officer
-
Small clinics do not have the luxury of hiring someone to be their privacy officer. In most cases, the office manager is also the privacy officer. It is the privacy officer's responsibility to make sure that all the patients' records are kept in a secure place and only authorized personnel are allowed to access the records. It is also his or her responsibility to study the Privacy Rule thoroughly and make sure that every staff member is informed and in compliance with the rule. Documentation signed by all staff members stating that the Privacy Rule was read and understood will satisfy the Department of Health and Human Services compliance requirement.
Risk Analysis
-
If the clinic is using a computer to store the patients' information, the privacy officer should perform a risk analysis to determine whether there is a possibility that the electronically-protected health information can be compromised in any way. An access policy should be created to monitor and verify who can access information. The files should also be backed up in case of electronic failures. In the event the clinic has to send the information to other facilities, the information should be properly protected.The information should be disposed of properly if it is no longer needed.
Patient Notification
-
No matter how small the clinic is, the HIPAA Privacy Act requires that every patient be informed about their privacy rights. A written notice is enough as long as the patient is instructed to read it and acknowledge that a copy was provided to him. Always secure the patient's signature.
Posting of the Privacy Notice
-
HIPAA requires that covered entities such as clinics and hospitals that maintain an office or any physical site and provide direct health services to individuals should post the entire privacy notice in the facility. It should be placed where the notice is visible to everyone. It should also be accessible for anyone to read. Provide a copy for anyone who may ask for it.
-