1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.

Team Assignments

Assign security responsibilities to one or more individuals.

Record the names and/or job titles of the people who are responsible for addressing requests to view or amend protected health information.

Record the names and/or job titles of the people who are responsible for processing requests for an “accounting of disclosures”.

Designate a privacy official who is responsible for development and implementation of privacy policies and procedures.

Designate a contact person responsible for receiving complaints.

Establish Procedures for Handling, Processing and Storing Protected Health Information (PHI)

Create an inventory of PHI and note the processes in place for handling it.

Determine how PHI is used.

Determine how PHI is disclosed.

Determine the kinds of information to which each staff member should have access.

Update your employee manual to include sanctions for any employees who leave a secure area unlocked, or who fail to follow established privacy and security procedures.

Prepare a list of all routine and non-routine uses and disclosures.

Establish minimum necessary access policies and procedures for staff.

Ensure Adequate Physical Security to Safeguard PHI

Keep track of who has keys to the office itself and to the secure areas inside.

Place door locks on storage rooms where archives are stored.

Develop strategies to handle PHI trash disposal.

Put locks on chart filing cabinets located in public areas.

Keep computer servers that contain PHI in rooms that are open only to essential personnel.

Position workstations so that the screens are not easily viewable by passersby.

Develop policies and procedures for backups of data.

Document procedures for bringing hardware and software into and out of the facility.

Establish Clear Rules to Ensure Client Privacy

Establish personnel clearance procedures.

Establish personnel termination procedures.

Give each employee a written copy of the client privacy rules for your office.

Make sure each employee understands that they are permitted to use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose.

Establish Client Amendment Procedures

Time Limits in Which You Must Respond to Requests for PHI

LOCATION OF PHI                                                         TIME LIMIT
PHI that is maintained in the office.                                   Provide approval and access or notice of denial within 30 days of the request.
PHI that is maintained outside the office (e.g., a storage facility).   Provide approval and access or notice of denial within 60 days.

You may obtain one 30-day extension. It will only be granted if you give the client written notice explaining the delay, including the date by which the request will be completed.

Keep a written record of all client requests for PHI.

Identify two “reviewing individuals” who are licensed health care professionals to help address client appeals.

Establish a process for approvals and denials.

Establish a reasonable fee for copying PHI.

Incorporate HIPAA compliance into your clinical research consent forms.

Keep psychotherapy “process” notes separate from the rest of the medical record.

Establish a Formal Complaint Procedure

Incorporate the complaint procedure into your notice of privacy practices.

Develop a system to keep detailed records of all complaints, and document how and when these complaints were addressed.

Make sure that staff understand that they are not allowed to pressure any client to waive their right to file a complaint.

Create a logbook to document all complaints.

Be certain that no staff intimidate or retaliate against any individual who files a complaint or exercises any other right guaranteed under HIPAA regulations.

Publish a Notice of Privacy Practices and Adhere To It

Write and publish a notice of privacy practices.

Keep copies of past notices of privacy practices.

Create a written acknowledgement of receipt of the notice of privacy practices.

Obtain authorization for uses and disclosures associated with purposes other than treatment, payment, or health care operations.

Retain all acknowledgement forms and authorization forms.

Vendor Relationships

Establish a chain of trust agreement with each organization with which you exchange PHI electronically.

Establish a business associate agreement with any organization that provides a service that involves the use or disclosure of PHI.

Take steps to cure any known breach of the business associate agreement.

Train the Workforce

Make sure all staff receive privacy and security training.

Develop security awareness in the workforce.

Teach physical security habits.

Ensure that everyone understands policies and procedures.

Use periodic security reminders.