Compliance Program Development

All medical practices, regardless of size, must be in compliance with the following federal and state compliance programs. Failure to implement the regulations mandated under these compliance programs could result in exclusion from the Medicare Program; exposure to civil lawsuits; audits by the Department of Health and Human Services and/or state governmental agencies; and/or substantial fines and penalties, including imprisonment.

HIPAA Privacy & Security Rule Compliance

The regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were established to protect the privacy and security of patient health and medical records. Any health or medical records that directly identify a patient, or that can be traced to a patient using identifying information such as (but not limited to) a name, address, phone number or social security number, are included in the class of information covered by the HIPAA regulations. With few exceptions, HIPAA regulations cover all medical practices (and other covered entities) and include three major components: transaction regulations, privacy regulations and security regulations. The transaction regulations became effective October 16, 2003 and concern the transmission of data (i.e., protected health information). However, unless the practice has created its own proprietary software, compliance with this set of regulations is principally a responsibility of the practice’s software vendor rather than of the medical practice.

The privacy regulations, which became effective on April 14, 2003, require all medical practices to establish reasonable safeguards for handling all forms of “protected health information” (PHI). The privacy standards require the adoption and implementation of formal policies and procedures to protect individually identifiable health information and to effectively manage the personnel who come in contact with the information, through education and enforcement of policy guidelines.

The required elements for compliance under HIPAA’s privacy standards include the following:

The third component of the HIPAA legislation is the security regulations, which became effective on April 21, 2005. The security standards take the privacy regulations one step further by expanding the practice’s obligations regarding how it maintains its electronic protected health information (ePHI).

The security regulations generally require medical practices to:

Like the privacy regulations, the security regulations are scalable, in that they incorporate a sliding scale of expected compliance. The regulations explicitly permit a medical practice to “use any security measures that reasonably and appropriately implement” the security standards. Thus, a small practice is not held to the same standard as a large medical group or clinic.

HIPAA’s Security Rule establishes 22 security safeguard standards that apply to information that a medical practice receives, transmits, or stores electronically. These standards are grouped under the headings of administrative safeguards, physical safeguards, and technical safeguards. The 22 security safeguard standards define 42 implementation specifications, which are more detailed statements of what must be done to comply with the standards.

The Security Rule distinguishes between “required” and “addressable” implementation specifications. Of the 42 specifications, 20 are “required” and 22 are “addressable.” All medical practices must implement the “required” implementation specifications but are given more flexibility with the “addressable” implementation specifications. A medical practice may take into consideration the below-listed four factors in deciding how to comply with the “addressable” implementation specifications. Unfortunately, the Security Rule does not provide any guidance that will assist a practice in weighing these various factors:

Upon completion of this “mini” assessment, Hurricane Med will:

Hurricane Med will prepare a HIPAA Compliance Manual tailored to your practice that meets all requirements under HIPAA’s Privacy and Security Rules. The Privacy Compliance Plan will address all of the required core elements. The Security Compliance Plan will address all 22 security safeguard standards, including the key requirement to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.” The risk analysis will identify and assess the risks in your practice and provide recommendations to reduce these risks to a reasonable and appropriate level. This process will enable practice management to understand your organization’s risks associated with ePHI and to allocate appropriate resources to reduce and correct potential losses.