Assign someone the primary responsibility for HIPAA compliance including the privacy, security and breach notification requirements.  Have a written plan for levels of authorization and supervision when it comes to HIPAA.  You might want to include the Security Official's name and level of access to patient records along with all employees and their levels of access when it comes to patients' PHI.

Outline your policies and procedures.  Make sure they reflect the realities of your practice and meet the requirements of the current HIPAA law.

Have a documented policy on how to handle patient requests.  

1. Medical Record Access and copy requests:  When a patient asks you to provide the opportunity to look at their records or obtain a copy of their records, especially requests for electronic PHI.  

2. Disclosure Restrictions Requests: when a patient asks you to limit sharing their medical information.

3. Amendment Requests: when a patient asks you to make changes to the information in their medical record.

4. Accounting of Disclosure Requests: when a patient asks for a list of everyone who has come in contact with the patient's record.

5. Confidential Communication Channel Requests:  when a patient requests to receive information in a specific way or at a specific location.

Examples of these forms are in OD Link in the preferences tab.  If you have an older version of OD Link, you can contact us for these forms.

There is a generic NPP in OD Link under preferences and HIPAA.  You can click into the area and customize it for your office.  A physician is required to provide the NPP to new patients and use their best efforts to obtain acknowledgment of receipt.  In OD Link you can have the patient sign for receipt of NPP at the same time they sign the forms.  To customize the message at the bottom of your forms go to Preference > Messages/Billing Defaults > Disclaimer for Visit Form.  You can add "I have been given the opportunity to read ABC Clinic's Notice of Privacy Practices".  An NPP should clearly detail how your practice will use and disclose PHI and your patients' rights, including their rights to prohibit the sale of their PHI or it's use for marketing purposes.  It should have information about how the patient can access their HPI and that they will receive notice of any breach.  You should post your NPP in a prominent location and on your website.  You should also have paper copies available if the patient requests a copy.

Your staff should be periodically trained to comply with your HIPAA policies and procedures.  The above is an example of an annual training log.  You will find this form in OD Link in preferences.

Make sure your practice has the appropriate administrative, technical and physical safeguards to protect the privacy and security of your patients' HPI.  Make sure these are clearly outlined in your HIPAA binder.

Your practice should have appropriate sanctions against members of the office workforce if they fail to comply with the HIPAA rules.

Your practice should enter into appropriate Business Associate Agreements with all associates who have access to patients' HPI to ensure those associates comply with HIPAA.  There is an associate agreement for OD Link in preferences > Setup > Setup Checklist.  

There should be a clear process for patients and staff to make complaints.  Complaints should be taken seriously with no retaliation.

The practice should encrypt all PHI and take steps to reduce the risk of any breach.  If a breach does occur, the practice should have appropriate policies for discovering and reporting.