The U.S. Department of Health and Human Services Office for Civil Rights currently focuses its enforcement on patients' right of access to their records. Both HIPAA and state law recognize a patient's access to their own records as an individual right and have established rules with which health care entities must comply. Access means viewing the records or obtaining a paper or electronic copy of them. Access must be timely, and there are limits on what a health care entity may charge a patient for it. Use the Patient Request to Access Records (Records Release) Form and Q&A to create the required policy and procedures. The resource includes a sample authorization form.
A thorough and comprehensive risk analysis consists of (1) an assessment of the covered entity's compliance with the Security Rule's implementation specifications, (2) an assessment of the covered entity's information technology and (3) a risk assessment of the threats and vulnerabilities to the covered entity's electronic protected health information (ePHI). HHS considers the risk analysis essential to a covered entity's responsibility to safeguard patient information, and the lack of one is often cited when HHS resolves potential HIPAA violations. Learn How to Do a HIPAA Risk Analysis by reviewing this PowerPoint presentation.
The HIPAA Privacy Rule determines which uses and disclosures of PHI are required, which are permitted without patient authorization, and which are allowed only with patient authorization. The policies should be comprehensive, covering all possible uses and disclosures of PHI. Social media use, both by the practice on its official accounts and by employees on their personal accounts, should be addressed in the policies. Read more about the rules in Uses and Disclosures of Patient Health Information.