Although the privacy regulation gives you some flexibility for determining what is reasonable for protecting PHI in your office, you will be required to do the following:
- Adopt clear privacy policies and procedures for your practice.
- Designate someone to be responsible for seeing that the privacy policies and procedures are followed.
- Train employees so that they understand the privacy policies and procedures.
- Secure patient records containing PHI so that they are not accessible to those who don’t need them.
- Provide information to patients about their privacy rights and how their information can be used.
How you satisfy each of these requirements will vary according to the size of your practice. For example, every covered entity must have a privacy officer. In a large organization, this may be someone’s sole job responsibility, but in a solo or small private practice, it may be a physician or office manager serving in a dual role. Staff training regarding privacy policies and procedures may also vary depending on the size of your organization. A small practice may satisfy this requirement by providing staff members with a privacy policies and procedures handbook and documenting that they have received and reviewed it. Larger organizations with bigger budgets may actually conduct HIPAA compliance classes.