HIPAA covered entities have strict regulatory requirements outlined in by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
HIPAA covered entities are clearly defined in the regulation as any health plan, health care clearinghouse, or health care provider who transmits any protected health information (PHI). PHI is any demographic information collected by a covered entity that can be used to identify a patient. That includes names, addresses, dates of birth, social security numbers, and medical information, to name a few examples.
That means that all health care providers, including behavioral health specialists, necessarily fall under HIPAA regulation as a covered entity.
But what does that mean for your practice? Below, we discuss the regulatory requirements that all HIPAA covered entities are mandated to address in order to keep PHI private and secure.
HIPAA Compliance for Covered Entities
A HIPAA covered entity must address all of the regulatory standards set out in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
An effective HIPAA compliance program must address:
- Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
- Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
- Policies, Procedures, Employee Training – To avoid HIPAA violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
- Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
- Business Associate Management – You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
- Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.