HIPAA Policy/Procedure Manual
"An Ounce of Prevention is Worth a Pound of Cure"
This well-known saying has never been more true than when it comes to your patients and the HIPAA Privacy Rule. The last thing anyone wants, or needs, is a disgruntled patient filing a complaint with the Office of Civil Rights (OCR) claiming you violated their privacy rights, leading to an OCR investigation. The HIPAA Policy and Procedure Manual is the only product of its kind prepared by an optometric attorney which is directed specifically at helping you and your office prevent patient complaints concerning the privacy of their "protected health information," and, most importantly, in defending against any complaint that might be made or civil monetary penalty the government may try to impose.
EXPERT ADVICE: Under the HIPAA Privacy Rule, every "Covered Entity" (which includes every optometry office) must have a written HIPAA Policy and Procedure Manual in their office or face civil fines and penalties. This manual satisfies that requirement.
What is in the HIPAA Policy and Procedure Manual?
There is no better way to get a complete sense of what is contained in The HIPAA Policy and Procedure Manual than by looking at the Manual's Table of Contents:
PREFACE
I. GENERAL RULES
Sample Form: Notice of Privacy Practices
Sample Form: Fax Cover Page
II. USES AND DISCLOSURES
III. RIGHTS OF PATIENTS
Sample Form: Access to Protected Health Information
Sample Form: Request for an Accounting of Disclosures of Protected Health Information
Sample Form: Amendment of Protected Health Information
Sample Form: Request to Restrict Use and Disclosure of Protected Health Information
Sample Form: Complaint Regarding Uses/Disclosures of Protected Health Information
Sample Form: Request to Restrict Use and Disclosure of Protected Health Information
IV. OTHER REQUIREMENTS
Sample Form: Response to Subpoena Not Accompanied by Court Order and Lacking Satisfactory Assurance of Notice or Qualified Protective Order
V. HIPAA DOCUMENTATION
VI. GLOSSARY
What Exactly IS the HIPAA Privacy Rule?
The Department of Health and Human Services (HHS) provides an excellent overview of the rule and how it works on its website. To read the HHS overview, just click here.
For specific information on what you are required to do as far as giving your patients a Notice of Privacy Practices, click here.
Is This the Same as the HIPAA Security Rule?
No. HIPAA is made up of several component rules, including the Privacy Rule and the Security Rule. These are different, and you are required to comply with both. The HIPAA Policy and Procedure Manual is needed to comply with the Privacy Rule. Compliance with the Security Rule requires that you prepare a written "risk assessment."
You can learn more about how to comply with the Security Rule by clicking here.
What can happen if you violate the HIPAA Privacy Rules?
CMP. That stands for Civil Money Penalty. The HITECH Act was signed into law in 2009 and took effect in 2010. One of the purposes of the HITECH Act was to introduce civil money penalties, at times harsh ones, for violations of the HIPAA Privacy Rules.
Before HITECH there were no penalties for violations you didn't know had occurred, or where the violation was corrected within 30 days. No longer. Under HITECH, civil monetary penalties may be imposed for any HIPAA Privacy Rule violation, even an inadvertent one. An example: you make a backup of your patient EHR data onto a USB drive to keep off-site, and you lose the USB drive. That is a serious Privacy Rule violation which could subject you to large monetary fines. Moreover, under the HITECH Act, you are required by law to report any breach involving 500 patients or more.
Why Should I Purchase the HIPAA Policy and Procedure Manual?
The principal mission of the OCR is protecting civil rights with respect to health care and health care information. Important for optometrists to know is that the OCR is the Federal department charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. They perform audits, and, more importantly for your purposes, they investigate patient complaints concerning Privacy Rule violations.
Audits
One of the mandates of the HITECH Act was the initiation of random audits for HIPAA compliance. In the prior decade the OCR was directed to perform a sampling of 115 random audits across all sections of health care, from hospitals to small/individual providers, to look for HIPAA privacy violations. (See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/.) While the initial audit did not include any optometrists, it did include both physicians (MD and DO) and dentists. It is reported that the test program identified a high percentage of HIPAA violations, and that HHS has expanded the program to include far more random audits across the United States.
Complaints
Though OCR audits are usually directed at improving compliance and not at imposing monetary penalties, the same cannot be said for OCR investigations of complaints from patients. The OCR investigates, and may impose civil monetary penalties, following a complaint if it finds a violation occurred and the "covered entity" has not addressed the problem to the satisfaction of the OCR. Most Privacy Rule patient complaints can be avoided, however, and defended against if and when they happen, by having and using a thorough Policy and Procedure Manual.
The HIPAA Policy and Procedure Manual addresses all aspects of the Privacy Rule as it pertains to patients and patient rights, and has the ready-to-use sample forms you'll need for dealing with all patient requests concerning their protected health information. Reading and using this manual should substantially reduce your risk of a patient complaint and will enable you to respond to a complaint by showing the OCR that you have, in fact, complied with the Privacy Rule.
What are investigators looking for in a HIPAA Audit or Patient Complaint investigation?
Among other things, the specific audit protocol developed by the OCR includes the Privacy Rule requirements for:
- Notice of privacy practices for PHI;
- Rights to request privacy protection for PHI;
- Access of individuals to PHI;
- Administrative requirements;
- Uses and disclosures of PHI;
- Amendment of PHI; and
- Accounting of disclosures.
To comply with these specific privacy requirements under HIPAA, and to be prepared in the event you are the subject of either a random audit or an investigation following a patient complaint directly to the OCR or your State Board, every health care provider should have a HIPAA Policy and Procedure Manual which addresses the seven requirements above. If your office follows the guidelines in the Manual, and uses the sample forms contained in it, you should be well prepared to defend against any complaint and to pass any Privacy Rule audit. (Note: there are separate Security Rule requirements which are also looked at in an audit. Go to http://scap.nist.gov/hipaa/ to obtain free self-assessment software which will assist your office in meeting the Security Rule requirements.)
Cost, Use, and Ordering
Using his experience as a health care attorney, Dr. Steinberg has prepared and now offers for purchase a model HIPAA Policy and Procedure Manual. This manual meets or exceeds the Federal privacy requirements and satisfies all seven of the audit protocol criteria. This comprehensive model Manual, 100 pages in length, also includes 18 ready-to-use sample forms and covers all required aspects of a HIPAA Policy and Procedure Manual. The manual is available in Microsoft Word format and is virtually ready to use by simply selecting your Privacy Officer, inserting that name in the blank space, and printing the Manual out. That's it.
The HIPAA Policy and Procedure Manual can be purchased alone for $298*, or purchased together with the Employer's Guide for Optometrists, saving several hundred dollars off the total price for all the documents the Employer's Guide includes if they were purchased separately.
PLEASE READ THIS: Within 48 hours of your purchase you'll receive an email with the subject "YOUR PURCHASE." It will contain a LINK to the directions for obtaining the file(s) you purchased. Just click on that LINK. If you do not receive the email, check your SPAM folder, and if it's not there please email craig@csteinberglaw.org.
Ordering couldn't be easier. Enter your name and email address below then just click on the "Pay Now" button. This will take you to PayPal where you can complete your purchase using PayPal, a credit card, or Apple Pay.
* Note that there is a 3% credit card processing fee added to your total, shown by PayPal as a tax.