To ensure you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary, says Ericka Adler, a health law attorney at Kamensky Rubinstein Hochman & Delott, LLP, based in Lincolnwood, Ill. "I think one of the most important things is that a lot of practices did what they were supposed to do [when the laws first came out] in terms of getting their policy together and getting their forms out there, and they haven't talked about HIPAA since," she says, noting that some of the laws have changed and practices need to alter their policies accordingly.
In addition, practices must have an active program in terms of training staff on the privacy and security rules, tracking patient record requests, HIPAA
violations, etc. "HIPAA needs to be a living breathing part of a practice and not a policy that sits on a shelf so the practice can say they have a policy," says Adler
But one initial training session is not sufficient, says Adler
"I recommend to my clients that you make this an annual event because it just fades into the background unless [HIPAA compliance] is something that's repeated to employees all the time," she
"Discipline really gets people paying attention," says Adler
, noting that practices must make it clear what consequences staff will face for HIPAA violations, such as leaving a file out in the exam room.
"People need to know whether it's a warning in their files, or it's a reprimand, or it's termination because time after time they're not
Stay updated regarding HIPAA
by monitoring any relevant cases that arise and following any related news coverage, says Adler
And when relevant news comes out, share it with staff members to keep HIPAA
at the forefront of their minds.
"I ... like to see the kinds of things that are getting practices investigated to make sure those aren't things that we are doing in our practices," she