Part of being successful with the HIPAA regulations is understanding what is needed for compliance. Definitely easier said than done. The HIPAA Protocol that was published in 2016 is a great tool to evaluate your HIPAA Compliance and understand the areas that you need to work on. The HIPAA audit protocol definitely is the answer key that you can use to take the HIPAA Compliance test!
In 2016, Planet HIPAA wrote a blog “Could Your Organization’s Website Reveal Your HIPAA Non-compliance?” This blog focused on the need to look at your website to determine if your Notice of Privacy Practices is posted and current. The response to that post was amazing and many organizations reached out for more guidance and additional information regarding the Notice of Privacy Practices.
For some fun, I recently did an audit of 18 different websites to determine how the Notice of Privacy Practices was coming along and if organizations were actually posting it on their website. The findings were a little bit shocking, but at the same time something I expected.
Results of the 18 Notice of Privacy Practices Reviews from the Websites:
- 11 of the 18 Practices DID NOT have their Notice of Privacy Practices posted on their website
- 7 of the 18 Practices DID have the Notice of Privacy Practices posted; however, none of them met the requirements of the HIPAA regulations
- 4 had HIPAA spelled incorrect as HIPPA
- 2 had charging practices defined that exceeded HIPAA and State Law Requirements
- 3 had a Notice of Privacy Practices that was effective in 2003 and was not updated
- 3 had Notice of Privacy Practices that were effective after the Omnibus Rule (YEAH)
- 7 of the organization were missing one or more of the required elements on the Notice of Privacy Practices
The findings of the 18 practices that I reviewed revealed that NOT ONE organization was compliant with the HIPAA Notice of Privacy Practices requirement. Part of the reason that this was shocking is the HIPAA Audit Protocol specifically defines out the requirements of the Notice of Privacy Practices and is available for free. Additionally, the U.S. Department of Health and Human Services has created a sample Notice of Privacy Practices that can downloaded and used (for free) to meet the requirements – https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/.
The Notice of Privacy Practices needs to contain all the requirements as defined by the HIPAA Regulations. The core areas of the Notice of Privacy Practices are:
- Permitted Uses and Disclosures
- Uses and Disclosures Requiring an Opportunity to Agree or Object
- Uses and Disclosures Requiring an Authorization
- Individuals Rights to PHI
- Covered Entity’s Duties
- Right to Complain and Description of How
- Contact at the Covered Entity
- State Law Preemption (If Applicable)
Each of these areas will have detailed information that must be included in the organization’s Notice of Privacy Practices. Planet HIPAA is exited to provide you a FREE Notice of Privacy Practices Self-Evaluation Tool. This is a tool that you can use to evaluate the current level of compliance with your Notice of Privacy Practices. This tool is created to help you evaluate your current Notice of Privacy Practices with the requirements of the HIPAA Privacy Rule and the HIPAA Audit Protocol. If areas are missing, the Notice of Privacy Practices Self Evaluation Tool will provide you additional information on how you can become compliant. Check it out!
Please Remember: To be fully compliant with this regulation, the following items should be established:
- Organization’s Notice of Privacy Practices
- Notice of Privacy Practices Policy and Procedure
- Acknowledge Form of the Notice of Privacy Practices (for signatures)
- Making the notice available on the organization’s website
- Posting the notice in your organization’s physical location(s)
Don’t be caught out of compliance with a part of HIPAA that straight forward. Remember – the expectations to the Notice of Privacy Practices are clear and available to your organization easily!
Until next time,
PS – Let me know in the comments below if you have any questions.