Bricker & Eckler LLP: Consolidated HIPAA Privacy, Breach and Security Compliance

INDEX TO HIPAA PRIVACY SELF-ASSESSMENT AND COMPLIANCE GUIDE FOR HEALTH FACILITIES

Glossary of HIPAA Terms
A listing of definitions from the regulations of commonly used terms throughout the HIPAA regulations for reference during the self-assessment and compliance process.

Background/Basic Steps
Discussion of some fundamental issues that should be addressed when designing systems and drafting policies.

Determining Your Organizational Arrangements
The regulations allow health care facilities and their medical staffs and others to organize themselves to maximize the ability to share protected health information for the collective operations of the group; this section discusses organizational structure and self-designation.

Contracting with Business Associates
Assistance in analyzing your business associates and sample contract forms.

Patients' Consents for Treatment, Payment, and Health Care Operations
Patient consents for use and disclosure of information are not a requirement of HIPAA but may be required by state law.

Using the Authorization Form
Step-by-step assistance in developing authorization forms, sample authorization forms, information on when such authorizations are not required and applicable policies.

Controlling Uses and Disclosures for Research Purposes
The regulations put special obligations on health facilities that use and disclose protected health information for research purposes; this section describes the requirements and provides sample forms for controlling research uses and disclosures.

Using Limited Data Sets
The regulations allow covered entities to use and disclose a "limited data set" without authorization under certain circumstances. This section provides information on the limited data set and the sample agreements and policies needed.

Providing Patients Access to Their Health Information
Patients have the right of access to copy and inspect much of their medical information; this section provides implementation procedures, policies, notices and forms required for compliance.

Providing an Accounting of Disclosures
Patients have the right to have an accounting of the disclosures of their protected health information; this section provides implementation procedures, policies, notices and forms required for compliance.

Allowing Patients to Request Amendments to Their Health Information
Patients have the right to request amendments to their protected health information; this section provides implementation procedures, policies, notices and forms required for compliance.

Handling Requests by Patients for Restrictions to Uses and Disclosures
Patients have the right to request restrictions on certain uses and disclosures of their protected health information; this section provides implementation procedures, policies, notices and forms required for compliance.

Family and Friends Involved in a Patient's Care
The HIPAA regulations limit how freely you may discuss a member's care with a family member or friend; this section provides policies and instructions for compliance.

Establishing a Complaint Process
Step-by-step requirements for developing a compliance complaint process as required by the regulations.

Controlling Disclosures of Information in the Facility Directory
Patients have the right to opt out of, or place restrictions on, information in the facility directory; this section provides step-by-step implementation procedures for making your facility directory compliant with HIPAA.

Fundraising
Step-by-step review and implementation policies for bringing your fundraising efforts into compliance with the regulations.

Marketing Programs
Step-by-step review and implementation policies for bringing your marketing efforts into compliance with the regulations.

Restrictions on Sale of Protected Health Information
The HITECH Act added a provision placing restrictions and prohibitions on sales of protected health information; this section includes the necessary information.

Notification in the Event of a Breach
The HITECH Act added a new requirement to HIPAA: notification of individuals whose protected health information has been subject to a breach. This section contains policies and procedures to comply with the notification requirements.

Workforce Training
The HIPAA regulations require that all members of your workforce receive training; this section provides step-by-step implementation.

Preparing the Notice of Privacy Practices
The regulations require specific language in and provision of a Notice of Privacy Practices to each member; this section provides sample notices and policies for assuring the proper notice language and distribution.

Minimum Necessary
The regulations require that most uses and many requests for and disclosures of protected health information be limited to that which is reasonably necessary to accomplish the purpose of the use, request, or disclosure. This section attempts to explain the minimum necessary requirements and provides sample policies and forms.

Workforce General Obligations Policy
Step-by-step assistance in preparing your general workforce policy.

Miscellaneous Tasks and Policies
This section includes miscellaneous policies and tasks that also must be completed before the compliance date. New policies will be added to this section during the coming months.

Index to Forms, Notices, Policies and Checklists for HIPAA Privacy
An index with links directly to each form, notice, policy, checklist and other specialized information in the HIPAA Self-Assessment and Compliance Guide for Health Facilities.