Firm News & Legal Alerts

Thursday, August 1, 2013


Physician practices are frequently advised to know the requirements for obtaining reimbursement from a payor for services rendered and to have the necessary documentation in place to withstand an audit. But do you know that the same holds true for withstanding a HIPAA audit of your practice conducted by the U.S. Department of Health and Human Services Office for Civil Rights (OCR)? In other words, every physician practice should know the minimum requirements of the HIPAA Privacy, Security and Data Breach Notification rules and be prepared to prove compliance should OCR come calling. OCR’s audit protocol is extremely comprehensive, but as a starting point you should make sure you have forms, policies and procedures in place to implement the following:


Privacy Rule requirements:

Notice of Privacy Practices
    Revised Notice required as of September 23, 2013

Patient rights to request restrictions on disclosure of PHI
    Certain restriction requests must be granted

Patient rights to access their PHI
    Special rules apply for EHR

Uses and disclosures of PHI
    Special authorizations apply for certain disclosures

Accounting of disclosures
    Accountings differ when an EHR is involved

Amendment of PHI
    Protocol required for responding to patient requests to amend

Business Associate Agreements
    Revised agreements to reflect new definitions and subcontractors

Training of personnel, including physicians
    Documented training must occur upon hire and at least annually


Security Rule requirements:

Administrative safeguards
    Mandatory security risk assessment
    Workforce security and training
    Contingency plan
    Security awareness and training

Physical safeguards
    Facility access control
    Workstation use and security
    Device and media controls

Technical safeguards
    Access control
    Transmission security
    Encryption analysis
    Secure patient portals


Breach Notification Rule requirements:

Protocol for responding to a security incident
    Data Breach Notification Policy and Procedures required
    State laws must be addressed

Risk assessment to determine whether a breach has occurred
    New factors must be applied

Steps to take when a breach has occurred
    Documentation of the investigation must be maintained

Notification of affected individuals, HHS and the media
    Timeframes must be met


If you are missing any of the above in your HIPAA Compliance Program, your practice will be at risk come September 23, 2013, and the HITECH Act has increased the penalties for non-compliance.


© 2020 Weiss Zarett Brofman Sonnenklar & Levy, P.C.