HIPAA Employee Compliance Program TRAINING MANUAL








HIPAA Employee

Compliance Program


Training Manual to Assist Employees in HIPAA Compliance

January 2013


Program For HIPAA Compliance Plan Goal

The purpose of this manual is to instruct our employees on the compliance rules and regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In this manual we will outline the key elements of HIPAA. Congress has stated that the goal of HIPAA is to improve the efficiency and effectiveness of the health care system in the United States.

The HIPAA Act revolves around three sets of standards:

1. Compliance with HIPAA guidelines by protecting patients' medical privacy;
2. Maintaining our patient information and billing processes in compliance with national standards;
3. Providing appropriate security for our patient records.

These principles are the outline for our compliance program. By adhering to these three sets of standards, we will achieve compliance with the HIPAA Act.

Introduction to HIPAA

The Health Insurance Portability and Accountability Act was enacted by Congress and includes a series of "administrative simplification" provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions.

The goal of this act is to improve the efficiency and effectiveness of the health care system in the United States. Due to countless variations in the way health care companies and individuals process patient records, claims, services, etc., the HIPAA Act was established to ensure consistency throughout the industry. These national standards make it easier for health plans, physicians, hospitals and other health care providers to process claims and other transactions electronically.

Another key component of HIPAA, requiring security and privacy standards, was created in order to protect Personal Health Information. HHS has issued regulations covering the following:

• Electronic health care transactions
• Medical privacy
• Security requirements
• Unique identifier for employers
• Unique identifier for providers
• Unique identifier for health plans
• Enforcement procedures


One of the main objectives of the privacy guidelines is to ensure fair and equal health care. Uniform national standards will save billions of dollars each year for health care businesses by lowering the cost of developing and maintaining software and reducing the time and expense spent on health care transactions. The initial planning and implementation of the HIPAA Act will take time and resources.

Definitions under HIPAA

The definitions described below have been defined by the Department of Health and Human Services (HHS) in the sense in which they are used in the HIPAA regulations.

Privacy - The patient's right over the use and disclosure of his or her own personal health information.

Privacy includes the right to determine when, how and to what extent personal information is shared with others. The HIPAA Privacy Rule grants new rights to patients to gain access to and control the use and disclosure of their personal health information.

Security - Specific measures a health care entity must take to protect personal health information from unauthorized access, use or disclosure.

The Security Rule outlines a detailed and comprehensive set of safeguards (administrative, physical and technical) to guard against unauthorized disclosure of electronic personal health information, whether it is stored or transmitted. Paper records and verbal disclosures are protected under the Privacy Rule rather than the Security Rule.

Personal Health Information - Health information, in any form, i.e. paper, verbal, or electronic, that personally identifies a patient. (The HIPAA regulations themselves use the term Protected Health Information, abbreviated PHI; this manual uses "Personal Health Information" for the same concept.)

HIPAA Schedules Basic Guideline

In the United States, health plans, hospitals, pharmacies, physicians, and other health care entities use a variety of systems to process and track health care information. In order to ensure that a claim is paid, much time and expense is spent on the formatting and coding required by each insurer.

Congress included provisions in HIPAA requiring HHS to adopt national standards for certain electronic health care transactions and for security. HIPAA also gave Congress three years to enact comprehensive privacy legislation to protect medical records and other personal health information; when Congress did not do so, HHS issued the Privacy Rule by regulation.


Covered Entities

The HIPAA Act requires health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as authorizations, claims, etc.) to comply with each set of final standards. Other businesses may voluntarily adopt the standards, but the law does not require them to do so.

Compliance Schedule

October 16, 2002 - Deadline for electronic transaction rule
April 14, 2003 - Deadline for health information privacy rule

Changing and Developing Standards

Any changes to a final rule must be made in accordance with the Administrative Procedure Act (APA). Rule changes are published in the Federal Register through a Notice of Proposed Rulemaking, which invites comment from the public. After reviewing and addressing those comments, HHS issues a final rule to implement the appropriate modifications.

Enforcement: Penalties and Fines

If the HIPAA standards are not adopted, businesses can receive stiff fines and penalties. The law gives the Secretary of Health and Human Services the authority to impose monetary penalties for failure to comply with the standards.

Under the original 1996 statute, the Secretary could impose monetary penalties of not more than $100.00 per violation on any person or entity who fails to comply with a standard, provided that the total amount imposed on any one person in a calendar year did not exceed $25,000.00 for violations of a single requirement. The HITECH Act of 2009 replaced these figures with a tiered schedule based on the level of culpability, with penalties of up to $50,000 per violation and an annual cap of $1,500,000 for violations of an identical requirement.


HIPAA Compliance Employee Commitment to Compliance

I have read and understand our office's Employee HIPAA Compliance Manual. I agree, within my area of responsibility, to maintain and update my knowledge about federal and state laws and program requirements.

I will comply with these requirements to the best of my ability. I will let the Compliance Officer know if there is any area where I feel our office is not in compliance with these laws and program requirements. Our Employee Compliance Program involves the following principles:

• We seek to maintain up-to-date knowledge of federal and state law pertaining to protection of our patients' Personal Health Information.
• We educate our employees and keep them up-to-date about federal and state law as it applies to Personal Health Information.
• Our policy is to comply with all federal and state law governing Personal Health Information.


As an employee, I recognize that Personal Health Information must be treated with the utmost attention, accuracy, honesty, and integrity. We seek to educate and carry out these policies at all times. All employees, managers, clinicians, physicians, nurses, and where appropriate, contractors, business associates and other agencies are all responsible for ensuring that all policies are adhered to at all times.

I agree with our policy and will comply with all regulatory laws pertaining to Personal Health Information. I understand that our office has an open door policy and that I may discuss any problems I feel may occur with Personal Health Information with my supervisor, or any other member of management, at any time and without fear of retaliation.

Employee Signature Date Signed

Printed Name


HIPAA Privacy Guide Quick Reference


• Lower your voice for all verbal communications that might disclose Personal Health Information.

• Use discretion when disclosing information in a public area that may be considered personal, e.g. treatment plans, tests required or taken, test results, medications, medical devices, etc.

• Do not allow the viewing, intentionally or unintentionally, of computer screens by unauthorized persons.

• Exit all programs that might contain Personal Health Information when leaving a computer workstation for a period of

• Be certain that the "sign in" sheet does not require a "reason for visit".

• All chart holders must effectively obscure patient information.

• All email, written, and faxed Personal Health Information must be secured and locked.

• Never leave files or folders open or unattended. Filing cabinets containing Personal Health Information must be secured and

• Do not share computer passwords. Log off when you are finished, and sign in under your own account before beginning to work on a computer.

• Take every precaution to control disclosure of Personal Health