There (could be) Three Levels of Effort in Implementing HIPAA
A lawyer, trying to protect you, is not going to tell you that you don't have to implement every part of the regulations to the maximum extent, but I will. I am not a lawyer so the levels below are just my best guess about what you need to do to not violate the regs (Basic), to be legal and safe (Legal) if investigated (highly unlikely but ...), and to be completely compliant in all aspects (Thorough) and do a superb job, especially for a large or complex practice. My reasoning is this: HIPAA specifically and repeatedly says that you can decide what specific efforts you will make (beyond the Basic) based on what risks you face because of the nature of your practice.
1. These are the BASIC and absolutely minimum efforts you must make to comply (and not be seen as non-compliant). This might be enough for a solo or small practice, or you might do these and leave the next levels for future implementation.
a. Identify a privacy officer.
b. Develop a Notice of Privacy Practices (NPP) and give it to all your present and new clients.
c. Reprint the Consent form and get it signed after the NPP has been read.
d. Slightly modify your Authorization to Request/Release records to incorporate HIPAA's changes.
e. If you have staff, do and document staff training.
f. Implement elements of the Security Rule as they apply to your practice.
2. These are additional efforts you could make to be in full LEGAL compliance. If you are investigated after a complaint, these would show you have made a sincere effort to comply.
a. Implement procedures to ensure that only Minimum Necessary information is released, complaints are addressed, and clients can access and amend their records.
b. Revise contracts with your business associates.
c. Develop or modify your practice brochure so it addresses and explains all the HIPAA issues.
d. Create a HIPAA Policies and Procedures Manual.
e. Do a preemption examination for all items in your practice brochure, your authorizations, and any other paperwork.
f. Document that you have done all of the above.
3. These are the additional efforts you could make to be in THOROUGH compliance in all aspects of your practice and safe from any kind of complaint or investigation.
a. Do a full preemption study for all areas of your practice specializations.
b. Have other forms and guidelines available for reference and possible use.
Well, okay, so there could be a fourth:
4. Non-essential but worth considering for the larger practice or the longer term.
a. Develop a complete Policies and Procedures Manual for your MH practice.
b. Computerize your records and billing.
Page revised Dec. 26, 2007