HIPAA Info, Forms and Checklists
- Here’s a form for a HIPAA risk assessment that also works as a pretty good checklist for your HIPAA program. It is compiled from a number of sources, such as the HIPAA folks, the ADA, etc. This risk assessment lets you analyze your office for possible vulnerabilities and document the results, which should be done regularly to maintain your program. Use it periodically (I would do it at least annually) and whenever changes are made in your office, to evaluate your procedures related to patients’ protected health information.
- Click here for several different samples of HIPAA Authorization Form you can use as starting places to get your forms together in your office.
- HIPAA civil penalties can now run as high as $1.5 million per calendar year for violations of the same provision (the cap is adjusted for inflation, and each tier has its own per-violation amount)! Here is some information from the ADA that summarizes the penalty tiers. Make sure you have a HIPAA manual that is completely filled out and current. The program must also be constantly maintained and updated, so hold regular meetings and risk assessments to ensure that your program is current.
- Here’s information from the HIPAA folks about how to perform and document a risk assessment in your office. The Security Rule requires a risk analysis, and it has to be repeated regularly (and whenever your systems change) to stay in compliance.
- Here’s a sample Notice of Privacy Practices you can configure to use in your office. It is available in Word so you can make changes for your office.
- Here’s a good article with five helpful hints about HIPAA computer security.
- If you make a non-routine disclosure that the law allows, you don’t need patient authorization, but you do have to record the disclosure on an Accounting of Disclosures log (examples: reporting a patient with suspected TB to the health department, or complying with a subpoena for a patient’s record). Patients have the right to request that accounting, so keep the log current.
- If a breach involves fewer than 500 individuals, you still have to notify the affected patients without unreasonable delay (and no later than 60 days after discovery), but the report to the HIPAA folks can wait: keep a log and submit it electronically within 60 days after the end of the calendar year in which the breach was discovered. A breach affecting 500 or more individuals must be reported to HHS at the same time the patients are notified (and the media must be notified if 500 or more residents of a state or jurisdiction are affected). Here is a Breach Notification log to record the breaches during the year.
- This may help you evaluate your computer security. Here is the Security Risk Assessment (SRA) tool from the HIPAA folks, which can be accessed at the following page.
- Here’s a super short form for a HIPAA monthly risk assessment. To show that you are regularly maintaining your HIPAA program, it’s a good idea to do a monthly check to ensure that patients’ information is protected as well as possible. Every month, note whether any changes were made in the office that could affect the privacy or security of patient information (new staff, new software, new devices, etc.), and document them. Date the form and place it in the HIPAA notebook so you can show that you are constantly attending to the program.
- To prevent large breaches, make sure your computers’ hard drives and all portable devices (smart phones, laptops, backup drives, USB sticks, etc.) are properly encrypted and physically secured. Lost or stolen devices are a common source of reportable breaches, and PHI encrypted in line with the HHS guidance is not “unsecured” PHI, so losing a properly encrypted device does not by itself trigger breach notification. Here is an article that does a good job of covering the topic.
- Make sure you have a Business Associate Agreement with every entity that has access to your patients’ information as part of the services it performs for you (IT support, billing services, cloud backup providers, shredding companies, etc.). Here’s a great HIPAA BAA you can configure for your specific office needs. It’s easy to read and pretty complete, but check with your own attorney to make sure it covers everything you need!
- Here’s a checklist for what to do if you have a cyber attack.
- Here’s what to do in a ransomware attack. Note that the HIPAA folks treat ransomware that encrypts your ePHI as a presumed breach unless you can show a low probability that the data was compromised, so the breach assessment below applies.
- Here’s a great summary guide for the Privacy and Security requirements from the HIPAA folks.
- Here’s a website that allows you to sign up for a free newsletter about what’s going on in the world of HIPAA. It’s not just dental stuff, so don’t let it freak you out, but some of the information is very helpful and gives you an idea of what the HIPAA folks are up to.
- If a suspected breach occurs, this HIPAA breach assessment (the four-factor risk assessment: what information was involved, who received it, whether it was actually viewed or acquired, and how far the risk was mitigated) can be used to help determine whether a reportable breach has occurred. Here’s info about handling breaches from the HIPAA folks.
- For specific questions and answers about HIPAA, go to the US Dept of Health & Human Services FAQ web link. This is an AWESOME resource! You can search for a term and they will show questions and answers related to that topic.
- Here’s all kinds of specific info from the HIPAA folks for professionals.
- For a quick reference sheet directly from the HIPAA folks, check this out: HIPAA Fast Facts for Covered Entities
- Here’s a good example you can use for a fax cover sheet for a fax that contains protected health information. Confirm the number before you send; a misdirected fax is a disclosure you will have to assess.
- Here are several different types of HIPAA authorization forms that you can configure to work in your office. We run into situations all the time where HIPAA prevents us from disclosing information but, for practical reasons, we need to disclose it so we can get paid (examples: moms who bring in college-age kids for dental work and are still paying the bill; divorced parents who don’t want the other parent to get information but want us to bill them for payment; 40-year-olds whose dental work is being paid for by their parents; etc.).
- Make it a policy in your office that anyone who is financially responsible for another patient’s bill receives billing information, and have the patient sign this Authorization. If a patient doesn’t like this policy he can pay the bill himself or choose to go somewhere else. (Please note that you can’t refuse treatment specifically because a patient refuses to sign an authorization, but you can dismiss a patient for violating office policies, so long as you follow state and federal laws and make sure you don’t “abandon” your patient.) It takes us out of the middle and will (hopefully!) help reduce our risk of HIPAA violations.
- We all have work and school excuses we hand to patients; they then choose whether to hand them to their employer or school. However, if a patient wants you to verify what work was done by phone, in person, or in writing, this authorization gives you permission from the patient to release that information.
- If you use patients’ photos, x-rays, videos, or testimonials on social media or on a website, you have to have an authorization, NOT a consent. If people are in the background of a picture, or their name is visible on a computer screen, those people also have to sign an Authorization. Even people who write a testimonial for your website have to sign one! Many offices now have patients sign this as part of their initial paperwork. Here’s a sample authorization for photos/videos and testimonials that you can use as a starting place for your office.
- If you allow the media in your office (to take pictures, have a film crew, take videos in your office), make sure all patients who may be visible have ALREADY signed an authorization. Here’s info from the HIPAA folks about how to handle it.
- This handout provides information on avoiding HIPAA problems on social media.
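A practical check for the device-encryption item in the list above (verifying that hard drives and portable drives are actually encrypted before you rely on that in a breach assessment). This is an added example, not code from this page or from any of the linked resources. It assumes a Windows office PC with BitLocker and the BitLocker PowerShell module, an elevated (Administrator) prompt, and a folder of your choosing for the dated report; the `$ReportFolder` path and the `Get-BitLockerVolumeReport` function name are the editor’s, not anything HIPAA prescribes.

```powershell
# Added example (not from the page): report BitLocker status for every volume
# on this machine and write a dated CSV for the HIPAA notebook.
# Assumes: Windows 10/11 Pro or Enterprise (or Windows Server), the BitLocker
# PowerShell module, and an elevated prompt.
# $ReportFolder is an assumed path; change it to wherever your office keeps records.

$ReportFolder = 'C:\HIPAA\EncryptionChecks'

function Get-BitLockerVolumeReport {
    # Get-BitLockerVolume enumerates fixed and removable volumes that are
    # present right now, so plug in backup drives and USB sticks before running.
    foreach ($v in Get-BitLockerVolume) {
        # A volume only counts as protected when encryption has finished AND
        # the key protectors are enabled (a suspended volume reports 'Off').
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and
                     ($v.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Checked       = (Get-Date).ToString('yyyy-MM-dd HH:mm')
            MountPoint    = $v.MountPoint
            VolumeType    = $v.VolumeType        # OperatingSystem or Data
            VolumeStatus  = $v.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Protection    = $v.ProtectionStatus  # On / Off
            PercentDone   = $v.EncryptionPercentage
            KeyProtectors = (($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
            Compliant     = $compliant
        }
    }
}

$report = Get-BitLockerVolumeReport
$report | Format-Table MountPoint, VolumeType, VolumeStatus, Protection, PercentDone, KeyProtectors, Compliant -AutoSize

# Keep a dated copy as evidence that the check was done.
New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null
$csv = Join-Path $ReportFolder ('bitlocker-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
$report | Export-Csv -Path $csv -NoTypeInformation

$unprotected = @($report | Where-Object { -not $_.Compliant })
if ($unprotected.Count -gt 0) {
    Write-Warning ('{0} volume(s) are not fully protected: {1}' -f $unprotected.Count, ($unprotected.MountPoint -join ', '))
    Write-Warning 'Enable BitLocker on them (Enable-BitLocker) or keep PHI off those volumes until they are encrypted.'
    exit 1
}
Write-Host "All $($report.Count) volume(s) are encrypted and protected. Report saved to $csv"
```

Run it on each workstation and print or file the CSV with the monthly risk-assessment form. A non-zero exit means at least one volume is unencrypted, still encrypting, or has protection suspended. While you are at it, confirm that each drive’s recovery key is escrowed somewhere other than the drive itself (Active Directory, Microsoft Entra ID, or a printed copy in a locked location), since an encrypted drive whose key is lost is a data loss rather than a breach, but it is still a problem.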