Ever feel like you’re drowning in documents?
You’re not alone. No one likes paperwork. But it is important — especially when it comes to the Health Insurance Portability and Accountability Act (HIPAA).
Good documentation helps your practice run efficiently and ensures clear communication between you, your clients, and anyone else you work with. Plus, if there is ever an issue, having the right records at your fingertips may help protect you.
The trick is knowing what’s required to ensure nothing slips through the cracks.
In this article, we’ll help you get HIPAA documentation under control once and for all.
There are many good reasons to ensure your documents are in top shape.
First, both the Privacy and Security Rules require specific paperwork. If you are audited or experience a compliance review, you will be expected to produce records that support your compliance. If you don’t, you could face penalties for non-compliance.
Second, documents form a useful record of communications between you and your clients, staff (if you have any), and third parties. You never know when an issue may come up.
Documents also retain useful information. This can be especially helpful with a process you or your staff don’t do every day, like dealing with a security breach. Do you know off the top of your head exactly what to do if your office experiences a breach? Maybe not. But if you have written procedures for this scenario, they’ll be there for you in a crisis.
Finally, documentation aids continuity. If you ever need to hand your office management over to someone else, having detailed written policies and procedures can help keep your practice on track.
According to the Privacy Rule, you must keep documents related to HIPAA for at least six years from the date they were created or came into effect, whichever is later. For example, documents like policies and procedures, which are updated regularly, should be kept on file for six years from the latest update.
Experts recommend keeping them a little longer, though.
Also be aware that state law or agencies like the IRS may have their own retention requirements.
To avoid confusion, review all the relevant requirements and keep your records on file for the longest period any of them indicates. If the HIPAA rules ask you to archive documents for six years and state rules say ten, keep all your records for ten years.
So, what documents do you need for HIPAA compliance? You can break them down into five major categories:
Let’s take a closer look at each category.
These records show how your office is run and how you manage risks to privacy and security.
HIPAA gives covered entities (including healthcare providers) the freedom to adapt the regulations to their practices. A large hospital will implement the rules differently than a small healthcare practice.
But this means that HIPAA compliance looks different in every organization. That’s why keeping detailed written policies and procedures is essential: they explain exactly how you apply HIPAA in your practice.
What to include in your policies and procedures:
👉 If you have staff, don’t forget to include:
Yes, these policies and procedures do require a lot of information. But they create an excellent record of everything you’re doing to protect your clients and your practice from harm.
The HIPAA rules also require healthcare providers to conduct risk assessments.
These should be done when you first open a practice, bring in new equipment, move offices, or experience a breach, and at least once every year.
As part of the risk assessment process, you are required to identify risks to client information and make plans to reduce them. This should be documented in writing.
In your risk assessment, include:
This includes forms and other paperwork that show how you communicate with clients regarding their private information.
You probably ask clients to fill out a lot of forms. For HIPAA compliance, it’s important to retain records related to privacy.
Required client forms:
Recommended client forms:
According to the HIPAA Privacy Rule, clients have the right to make several requests that should be documented. Keep any emails or forms related to these requests on file. And don’t forget to include your responses.
Clients may ask for:
The HIPAA Privacy Rule also protects a client’s right to complain to you or the US Department of Health and Human Services (HHS) if they believe you have not safeguarded their information appropriately.
It’s critical to keep a record of all client complaints related to privacy, and how you handled them, on file. If the client escalates the complaint to the HHS, these documents could help avoid a compliance review or other sanctions.
According to the HIPAA Privacy Rule, you are required to maintain specific records of the sharing of client information.
You don’t have to track client information shared:
Do track client information shared:
These records must include disclosures made in the previous six years.
These are agreements you have made with third parties including service providers or other healthcare organizations.
The Privacy Rule stipulates that you must have Business Associate Agreements (BAAs) in place with companies you work with that are not themselves covered by HIPAA and that have access to and store client data.
A health plan, for example, is covered by HIPAA. Your email provider is not. This means you would not need a BAA to share information with a health plan, but would need one for the company providing your email services.
There is an exception to this rule. You don’t need a BAA with companies that transmit but do not store information. A courier service or traditional telephone (landline) provider, for example, is exempt because they only act as a conduit for information.
Many companies, like Hushmail, have a ready-made BAA, so you don’t need to create your own. If you do need to create an agreement, consider using this template from the HHS.
BAAs create rights and obligations and are legally binding agreements. Have them reviewed by a lawyer before signing.
If, despite your best plans, disaster strikes, either in the form of a security breach or a catastrophe such as a fire or flood, you must document the steps you took to protect and restore client data.
Licensed Professional Counselor Anne McKay discovered firsthand how nature may ruin years of archives.
Anne was lucky the flood didn’t reach her files. But this isn’t always the case.
If this happens to you, be sure to take good notes. This may be the last thing on your mind in a situation like this, but it is vital. What should you document?
For a natural disaster, note:
For a data breach, note:
If you have staff, you’re probably already keeping documents related to their employment on file. To comply with HIPAA, you must keep additional records.
You are required to train your staff on the Privacy and Security rules. That’s why it’s important to keep evidence of it on file.
Keep records that show the content of the training, when it took place, and each staff member’s acknowledgement that they completed it.
Staff must be trained soon after starting their employment with you, and be provided with ongoing training at least annually, in addition to whenever there are significant updates to your policies and procedures or the HIPAA rules.
According to HIPAA regulations, you are also required to document procedures for disciplining staff members who break the rules.
If this happens, taking notes on the situation and how you deal with it is recommended. Don’t forget to save relevant emails.
Be sure to keep a record of how and when you revoke access to your office and online systems after an employee leaves your organization.
This would include requiring office keys to be returned and making computer and email user accounts inactive.
The HIPAA rules are complicated, and there’s always more to learn.
If you’re looking for more information on HIPAA, try these resources: