POLICY: HIPAA Compliance
Date of Origin: 2-14-97
Date of Revision: 2-12-07
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers (Covered Entities) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each covered entity (CE) to maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a CE with access to protected health information (Business Associates) are also required to comply with the HIPAA privacy and security standards.
This policy reflects the Agency's commitment to comply with HIPAA.
This policy applies to all Abbott House Covered Entities and Business Associates. The policy’s scope includes the four (4) areas of the HIPAA regulations: Standards for Electronic Transactions and Code Sets, National Provider and Employer Identifiers, Security Standards, and Privacy Standards.
The Covered Entity must:
- Appoint a HIPAA compliance officer or officers.
- Implement policies and procedures with respect to protected health information that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other employees as well as external third parties.
- Maintain the policies and procedures it implements in written (paper or electronic) form.
- Maintain a written (paper or electronic) record of actions, activities or assessments required to be documented by the HIPAA regulations. Such records may include, but are not limited to:
  - Committee minutes
  - Committee/task force charters
  - Executive memorandums
  - Quality improvement evaluations
  - Corrective action plans
- Retain such required documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later, and in accordance with the Abbott House Records Retention and Disposition Schedule.
- Make the required documentation available to all staff responsible for implementing the policies and procedures to which the documentation applies.
- Implement a training program that informs all of the organization’s staff, including management, of all policies and procedures that apply to them in their individual roles.
- Inform patients of the Covered Entity’s HIPAA policies and procedures and the patient’s rights and responsibilities, and receive and maintain written acknowledgement of receipt of such information.
- Promptly document and process any complaints of alleged HIPAA violations, mitigate any damages, investigate and address any violations.
- Perform regular, ongoing monitoring, assessment, and revision, as necessary, to ensure continued compliance and enforcement of HIPAA standards.
- Perform regular, ongoing monitoring, assessment and revision, as necessary, of HIPAA policies, procedures and documentation in response to environmental, operational, staff, technical, or legal changes, including, but not limited to, those aspects of the CE affecting the confidentiality, integrity or availability of its PHI.
- Provide periodic written reports to the Abbott House HIPAA Privacy and Security officers as requested.
Responsibility for implementation of this policy resides with the HIPAA Compliance Officer(s) in each CE. The Abbott House HIPAA Privacy and Security Officers have overall responsibility for compliance with the HIPAA regulations.
The Board of Directors has approved this HIPAA Compliance Policy. This policy will be reviewed and updated periodically as appropriate.