Education & Training

I’m currently in the process of opening up a chiropractic office. What do I have to do to become HIPAA compliant? Do I (and my employee) have to take any type of test/training/fill out anything or is it just a matter of doing certain procedures in my office the right way?
HIPAA has many implications for your office and your patients. You must follow the HIPAA guidelines and comply with all of the regulations if you are considered a covered entity.

Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations.

You must have a Notice of Privacy Practices available for all of your patients and document their signature. This NPP tells your patients how your office uses and discloses their protected health information. Education for all of your staff and documentation is mandated. We recently developed a training booklet for physician office practices, which provides scenario based training for staff on HIPAA awareness. You will also fall under the HIPAA security regulations and will need to train on these issues as well. Policies and procedures need to be developed to comply with HIPAA regulations and tracking mechanisms should be instituted.

There is no specific test that must be completed. Although you must document your training and your employee’s training and maintain that documentation for 6 years. You must also show ongoing training by documenting these efforts as well. HIPAA states that all employees must be trained on your HIPAA specific policies and procedures. As far as documents for compliance, there is not one document that must be completed that states you are in compliance. Your compliance will be shown by many efforts and documentation of those efforts such as acknowledgement of receipt from your patients of your NPP, signed authorizations for release of information other than for treatment, payment, or health care operations, and policies and procedures for privacy rights, etc.

Unfortunately, this is only scratching the surface, but do not let this overwhelm you. This process can be made scalable for your individual office. (Posted 5/29/03)

Could you please advise me as to whether or not have physicians sign a confidentiality statement each time with their reappointment or to have them sign a confidentiality agreement that would uphold during the entire time they are employed with our organization? I would like them to but I am having trouble finding documentation that supports this. Could you please help?
I wish I could supply you with the exact section in the regulation that states this but it does not exist. HIPAA leaves the policies and procedures up to the individual entities. You certainly can require this as part of your organization's practice and incorporate this into a privacy policy. You might also want to supply them with a refresher HIPAA education session at that time and document their attendance. This would bode well for your organization if a breach is reported showing that you educated employees, physicians, etc. as the regulations require and took this education seriously as well as complying with HIPAA. (Posted 5/15/03)

I am an independent doctor of optometry who works inside of a Target Optical. The Target Optical staff helps out with claim forms and such. Is Target Optical considered a business associate? What about Cole Vision/National which is Target Optical's parent company?
The Target Optical staff can be considered part of your workforce and then must be trained on HIPAA compliance and documented in your records. If this is the path you choose, there is no need for a business associate agreement. If all Target Optical employees have access to your department whether or not they are part of the temporary workforce, you will still need a business associate agreement.

If you choose to go the route of Business Associate instead of considering those employees part of your staff you will definitely need a Business Associate Contract with Target Optical. If Cole Vision/National has access to any records containing protected health information (PHI) you will also need a Business Associate Contract with that company as well. (Posted 5/15/03)