Ophthalmology and Optometry Coding Alert

Privacy violations are often a result of neglect somewhere in the compliance checklist, so it’s crucial to diligently stay on top of issues. Conduct ongoing monitoring of HIPAA compliance entity-wide to ensure nothing falls through the cracks.

2. Don’t Skimp on Risk Assessments

Ensure compliance with the HIPAA Security Rule, including conducting security risk assessments on a routine basis. Plus, if the HHS Office for Civil Rights (OCR) sees that your organization has a steady — and well-documented — track record of assessing, analyzing, and managing risks, it’s more likely to work with you to minimize the breach penalties.

3. Consult a Compliance Expert

Practices that do not have the capacity to conduct their own risk assessment can hire one of many expert consultants to conduct the risk assessment for them. Smaller practices may feel like they don’t have the budget to seek HIPAA help, but the financial and professional costs of a breach often far outweigh the minimal fees of engaging a compliance expert.

4. Address Violations Promptly

If you experience a breach, follow all breach requirements and protocols on a short timeline. Do not sit on a suspected breach.

According to guidance from the government, a covered entity (CE) must notify impacted individuals without unreasonable delay, no later than 60 days after the discovery of the breach.

5. Update Policies When Necessary

It’s a great idea to do a monthly check-up and an annual audit of your policies and procedures, but it is especially critical to address your organization’s shortcomings after an incident. Review your HIPAA compliance program anytime a breach or suspected breach occurs.

6. Enforce Strict Social Media Rules

It can be particularly troublesome for practices to successfully navigate the various social media platforms without sinking the proverbial ship. CEs that use Twitter or Facebook to promote their businesses must use caution and keep HIPAA in mind before posting online.

Maintain a strict social media policy and make sure employees are aware of it and adhere to it. Often when breaches involve social media, the person disclosing the information did not realize that it constituted protected health information (PHI).

7. Train Staff on HIPAA

Educating your staff on the nuances of HIPAA is not only essential to protect your patients and business, but it’s required under the Privacy Rule. Employee training is critical. In addition to comprehensive training required by HIPAA, making sure employees consistently know their resources and first points of contact goes a long way.

Employees should know who the privacy officer is with a direct line of access and be encouraged to ask questions or report anything unusual. An open, ongoing discussion about HIPAA compliance makes it more likely that employees will catch any issues.