HIPAA, Security Risk Assessments, and the Pediatric Practice
What is HIPAA? What should a pediatric practice do to meet HIPAA regulations? What should be in a pediatric practice’s privacy policy? And what’s a Security Risk Assessment?
This article discusses the many issues around HIPAA, Security Risk Assessments (SRAs), and what a pediatric practice should do to protect patient privacy and be in compliance with HIPAA regulations. Read below to learn about Business Associate Agreements, audits, and other HIPAA concepts.
Along the way, you’ll see sample documents and tips from PCC to help your practice be HIPAA-perfect.
Contents
- 1 What is HIPAA?
- 2 What Does HIPAA Require of a Pediatric Medical Practice?
- 3 HIPAA Training At Your Office
- 4 Log Visitors and Repairs to the Office
- 5 Network and Technology Audits and Scan Logs
- 6 Paper Charts vs. Electronic Charts, and HIPAA
- 7 When You Get Audited, or Asked for Your Security Risk Assessment Records
- 8 Conclusion: What NOT to Do for HIPAA
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a set of policies, procedures and guidelines that were passed into U.S. law in 1996.
HIPAA has many provisions, including rules around health insurance, medical savings accounts, and other aspects of healthcare. When most people talk about HIPAA, they are talking about the HIPAA Title II sections on privacy, rules around information transactions, and security.
HIPAA defines Protected Health Information, or PHI, and establishes it as the property of the patient. HIPAA says that the patient owns their medical records, and any organization that handles their PHI is obligated to take certain steps to protect their privacy. Only the patient (or guardian) may do whatever they want with their health information (share it, use it, etc.); physicians and organizations need permission.
What Does HIPAA Require of a Pediatric Medical Practice?
What specifically does a pediatric practice need to do in order to follow HIPAA guidelines?
HIPAA obligates a medical practice to do the following:
- Assign the roles of HIPAA Security Officer and HIPAA Privacy Officer to someone at your practice
- Keep a signed Business Associate Agreement (BAA) with all vendors or other individuals who may come in contact with your patients’ Protected Health Information (PHI).
- Create and maintain a HIPAA Privacy Policy for your practice.
- Perform an initial Security Risk Assessment for your practice, during which you look at all potential risks to your patients’ Protected Health Information (PHI) and establish policies for protecting it.
- Create and maintain a HIPAA Security Policy for your practice, based on your Security Risk Assessment.
- Perform annual Security Risk Assessments, during which you review and update your HIPAA Security Policy, as needed, and log that you have done an annual review.
- Make a HIPAA Patient Privacy Policy available to patients and families, and have them sign a HIPAA agreement.
- Follow and enforce your practice’s written policies at your practice, taking reasonable steps to protect patient PHI.
In the sections below, you can learn more about each of these topics.
Violations, Penalties and Fines: What are the risks to your practice if you do not follow HIPAA guidelines? Up until 2006, the HIPAA laws did not include clear actionable guidelines, and there was no rigorous enforcement. Since 2006, however, there have been tens of thousands of investigations of HIPAA violations, such as misuse and improper disclosure of patient PHI. Private practices are the most frequent group to receive corrective action, and millions of dollars in fines have been levied.
Documents, Policies, Paper: As you read the above obligations, you may have noticed that a big part of them involves developing a set of HIPAA policy documents and making them available to the correct people. The list of common HIPAA policy documents includes: Business Associate Agreement, HIPAA Privacy Policy, HIPAA Security Policy, and your HIPAA Patient Privacy Policy. Read below to learn more.
Assign Your Practice’s HIPAA Security Officer and HIPAA Privacy Officer
Who is in charge of HIPAA stuff at your practice? Who will handle the forms and policies, and who will help employees deal with PHI?
Your practice should assign the role of a HIPAA Security Officer and a HIPAA Privacy Officer to one or two people at your practice. These roles could be filled by your office manager, a managing provider, a human resources manager, or some other individual who has a head for policies and regulations.
Your HIPAA Security Officer will be the expert on your practice’s HIPAA policies. They will create and maintain the policy documents described below, implement those policies, make sure that your practice follows them, and be the person everyone goes to if there is a breach of patient privacy. They will also oversee the annual renewal of the Security Risk Assessment.
The HIPAA Privacy Officer is a more people-focused role. The privacy officer trains your staff and also assesses requests for PHI. They might take action or make changes around the office in order to protect patient privacy.
Sample Job Descriptions for HIPAA Security and Privacy Officer: You can find sample job descriptions online, from various third parties. You can also network with your fellow pediatricians on PCC Talk to find out how they fill these important roles.
Document Your Officers: Your HIPAA Security Policy, described below, should list who fulfills these two HIPAA roles at your practice. (164.308(a)(2), “identify security official”)
Business Associate Agreements (BAAs)
Your practice should maintain signed Business Associate Agreements with any vendor or third party who might come in contact with your patients’ PHI. Keep a copy of these signed agreements. A Business Associate Agreement describes the limits and safeguards on how an entity has access to your patients’ PHI, and how they are and are not allowed to use it.
For example, you need to have a signed BAA with PCC. Patient PHI leaves your practice and passes through PCC’s servers when you submit insurance claims electronically. When you became a PCC client, we sent you a BAA which describes you, the “covered entity”, and PCC, the “business associate”. Alternatively, your practice may have developed your own BAA and sent it to PCC to sign instead. PCC, in turn, has BAAs with clearinghouses and other entities that may receive patient PHI from us.
(More BAA information and samples at HHS.gov)
If your practice wishes to develop or update your BAA for use with third parties, the HHS.gov website provides an excellent introduction to BAAs as well as sample BAA language that you can edit and adapt for your purposes.
You can also review your BAA with PCC as an example. A BAA is not a document that needs a great deal of customization for the average pediatric practice.
Do I Need a BAA With a Lab, My IT Professional, My Cleaning Service, etc.? You might not need a BAA with every third party or vendor with whom you do business. For example, if you fill out lab requisition forms and then give them to the patient, but you never actually send or distribute any form of PHI to a lab, you do not need a BAA with the lab. However, if your practice sends PHI directly to a vendor, you do need a BAA with that vendor. You need a BAA with any person or organization who might come into contact with patient PHI. For example, if an IT professional enters your premises to work on a computer that contains PHI, you should have a signed BAA with that IT professional or organization. If your cleaning service could potentially access paper charts in your practice, you should have a BAA with them. You do not need a BAA with your postal carrier or your internet service provider.
Security Risk Assessments
HIPAA obligates your practice to perform an initial Security Risk Assessment, as well as annual Security Risk Assessment updates. You will use the results of your Security Risk Assessment to create and periodically update your practice’s HIPAA Security Policy.
What do you need to do for your practice’s initial Security Risk Assessment? First, identify all potential security risks to PHI in your office. For example, you could start at your front door, walk around as if you are a patient or visiting professional, and identify every situation where a patient’s information may be revealed.
As you evaluate your office’s physical space, you should inventory your laptops, your procedures for closing the office, and carefully consider the different individuals and organizations that visit your practice and may come in contact with patient PHI. On the virtual side, you should consider all the technological ways that a patient’s PHI might be at risk.
Other Resources:
- Automated Assessment Tool: The ONC’s HealthIT.gov site provides an online tool that can walk you through performing an SRA. Every office is going to have different security risks, but by walking around your office and answering 150 questions, you can get a report that will cover most areas.
- Security Risk Analysis Tip Sheet: CMS.gov publishes a tip sheet on performing your security risk analysis. Read the Security Risk Analysis: Protect Patient Health Information article.
Initial SRA, Annual Reassessment, and Audits: After you perform an initial SRA, you should perform annual reassessments, in which you evaluate whether your existing policies are successful at mitigating risks to PHI and update your HIPAA Security Policy to reflect any changes. If a state agency audits your practice, they may ask to see your record of performing annual SRAs and what updates were made as a result of each one.
What Do SRAs Have to Do With CMS and Meaningful Use? One of the Meaningful Use measures used for the EHR Medicaid Incentive Program and PCMH requires that your office do annual SRAs. You should be doing them anyway, as part of your HIPAA compliance, but it’s notable that SRAs are part of CMS Meaningful Use guidelines as well.
HIPAA Security Policy
As you perform your initial Security Risk Assessment, your office will develop a written HIPAA Security Policy. As you identify risks, you will document what your office does to mitigate each risk. The finished document is your HIPAA Security Policy, and you should review it and update it each year when you perform your subsequent Security Risk Assessments.
Every office has different security needs, so PCC recommends you do not use a HIPAA Security Policy template or sample as a starting point.
Here are some examples of things your HIPAA Security Policy could cover:
- Who is your practice’s HIPAA Security Officer?
- How do you secure patient PHI technologically?
- Where do you keep your laptops each night?
- What do you do to ensure computer workstation security?
- How do you keep paper charts secure?
- How do you back up your PCC system? Are your backups encrypted?
- What do you do to mitigate each of the specific risks that you identified in your SRA?
- When do you perform your annual SRA?
For the official list of all the things your HIPAA Security Policy should say, HHS provides a list of the HIPAA standards and the topics that should be covered. PCC reviewed those guidelines and has additional information available. By walking through the standards and addressing each one, you can create a HIPAA Security Policy that reflects the security policies of your practice and meets HIPAA guidelines.
PCC cannot provide sample HIPAA Security Policies because the policy needs to be based on what your office does, and what your risks are, as discovered by performing a Security Risk Assessment. Do you have 2 employees, or 110? Are you in a high-crime area, or a small town? When you evaluate your security needs, your answers will be very different. The list of standards you must meet can be published in a table, but how your practice will meet those standards is particular to your practice.
Required Elements, Addressable Elements: As you review the HHS requirements, you will notice that some elements of a HIPAA Security Policy are classified as “Required” and some are classified as “Addressable”. A required element is a specific, required standard for security. It states precisely what your HIPAA Security Policy should say, and includes the guidelines that your practice should follow. An addressable element, on the other hand, is an issue that your office must have a policy about, though your practice’s specific policy is up to you. Your HIPAA Security Policy should include a reference to both Required and Addressable Elements, but the Addressable Elements will be customized based on your practice. For example, your HIPAA Security Policy should include your practice’s guidelines for when you terminate an employee, but there are no official guidelines for what those steps should be. As a “Required” example, your Security Policy should state that your practice will have a BAA with vendors.
Hire a Consultant? Your practice may choose to hire a third-party consultant to help you perform your SRA and develop your HIPAA Security Policy. For example, PCC has worked successfully with Paul Vanchiere from the Pediatric Management Institute. PCC recommends caution when working with consultants, vendors, or state-sponsored organizations that may have divided motivations or a vested interest in selling you additional services or products. If your practice has a lawyer on retainer, they can also provide consultation on HIPAA laws and regulations.
HIPAA Staff Privacy Policy Document
In addition to your HIPAA Security Policy, your practice needs a HIPAA Staff Privacy Policy.
The good news is that your HIPAA Staff Privacy Policy is much shorter than your Security Policy. It concisely describes when and how your staff can disclose PHI.
Your Privacy Policy should include:
- The name of your HIPAA Privacy Officer
- A list of reasons for when your practice would disclose PHI, such as upon receiving a court order, witnessing evidence of abuse, etc. Your policy should list all situations where your practice would disclose information without the patient or family’s consent.
- A description of how the practice disposes of any PHI they receive. For example, when a paper lab result arrives at the practice, what happens to it?
- Additional details that will help your staff perform the requirements of your HIPAA security policy, such as instructions for handling emailed PHI.
PCC created a downloadable list of items to include on your HIPAA Staff Privacy Policy: PCC’s Privacy Policy Recommendations. You can also read about all the standards at HHS.gov’s HIPAA Privacy Policy Summary page.
HIPAA Notice of Privacy Practices
Every patient, or patient guardian, must sign a HIPAA consent form when they first visit your practice.
If your practice is currently doing business, you are probably already doing this. If you’d like help writing or updating your HIPAA Notice of Privacy Practices or HIPAA consent form, we recommend reviewing this Department of Health and Human Services website, and working with your PCC colleagues.
The Office for Civil Rights issued a final rule on April 26, 2024, titled HIPAA Privacy (New) Final Rule to Support Reproductive Health Care Privacy. The final rule requires covered health care providers, health plans, and health care clearinghouses to revise their Notice of Privacy Practices (NPP) in support of reproductive health care privacy. The deadline to update NPPs is February 16, 2026.
The final rule’s NPP language and requirements begin here on the Federal Register: https://www.federalregister.gov/d/2024-08503/p-1046. We recommend you read this section of the final rule in full to determine the updates appropriate for your practice. We also encourage you to read the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet on HHS.gov, which provides a thorough overview of the final rule.
HIPAA Training At Your Office
You should train all employees on HIPAA privacy guidelines and your practice’s HIPAA policies.
For example, a HIPAA training should include:
- A definition of HIPAA
- What information is protected under HIPAA
- The “Minimum Necessary” HIPAA rule: if PHI must be disclosed in the course of your practice’s normal business, you only disclose the minimum amount of PHI necessary to resolve the problem
- The proper destruction of PHI that enters the office
- The types of PHI disclosure and the penalties for disclosing PHI
- What steps to follow if PHI is breached
- Review of the practice’s privacy and security policies
- Identification of the practice’s HIPAA Security and Privacy Officer(s)
You might schedule a class to teach a bunch of employees, or the HIPAA Privacy Officer might sit down and teach each new employee. You should make all employees aware of your Security and Privacy policies, and the employee should sign a HIPAA training form stating they have completed training and understand what is expected of them.
Document that Training Occurred: HIPAA requires that you document that the training has been provided (164.316): “if an action, activity, or assessment is required, maintain a written (which may be electronic) record of the action, activity, or assessment.” As with any other kind of HIPAA activity, your practice should record when the training took place, who was trained, and by whom. Record the training content, the date, and each attendee’s name along with any other materials or communication about the training.
Log Visitors and Repairs to the Office
If there is a breach of patient privacy on a particular day, you may need to create a list of all folks who entered your practice or could have had access to PHI.
In order to meet HIPAA requirements, your practice should keep a log of anyone who visits your office, along with the date and time and purpose of their visit. If they repair a laptop or other equipment, for example, you should record which laptop they repaired.
Network and Technology Audits and Scan Logs
If anyone sends you a report of a scan having to do with your technology, keep it. In case of an audit or security breach, the log or security scan will help identify problems or prove your office was making every effort to ensure patient security.
PCC provides your practice with a periodic Network Vulnerability Scan. PCC does not operate or maintain all aspects of your technology infrastructure, however. You may receive similar reports if you work with a different IT vendor.
Paper Charts vs. Electronic Charts, and HIPAA
Sometimes a medical practice feels they do not need to perform Security Risk Assessments, or perform some other aspect of HIPAA preparation, because they use paper charts, because of their office configuration, or some other reason.
These assumptions are false. If your practice comes in contact with patient information of any kind, including demographic data, then you need to take HIPAA seriously and maintain the policies and guidelines described above.
Protected Health Information, whether electronic (“ePHI”) or physical, is protected by HIPAA rules, and it includes any diagnoses or information used for billing, as well as patient names and birthdates.
Regardless of whether or not a medical practice uses an EHR, it needs to go through the same steps: perform Security Risk Assessments, develop Security and Privacy Policies, inform patients of its HIPAA privacy policy, and maintain BAAs.
When You Get Audited, or Asked for Your Security Risk Assessment Records
If a state-sanctioned or other entity audits your practice, they may ask for a record of your security risk assessments or other evidence that you comply with HIPAA.
Here is a list of things your HIPAA Security Officer should keep on hand in case of an audit:
- Business Associate Agreements (BAAs) with all business associates
- Privacy and Security policies for your practice
- HIPAA Patient Privacy Policy
- Signed HIPAA training forms for all staff
- Log of visitors/repairs in the office
- Network/Technology Audit Logs
- Security Risk Assessment Record
For more information about any of the items on this list, read the sections above.
Will You Ever Get Audited? There is a national budget for performing HIPAA audits. Hospitals get audited more often, but some PCC practices have had a HIPAA-related audit by a state agency, or by an agency representing the Department of Health and Human Services (HHS).
The AAP’s Guide to Audits: If you’d like to learn more about the audit process, the AAP published an article called What to Do When an Auditor Knocks On Your Practice’s Door in 2013.
Conclusion: What NOT to Do for HIPAA
The HIPAA rules are intended to protect patient privacy. They are not intended to prevent you from providing care to patients, or to prevent you from doing business.
Here are some other important “don’ts” for HIPAA: Don’t get scared. Don’t trust anyone who recommends massive office remodeling in order to meet HIPAA requirements. Don’t let an outside commercial entity provide you a “free” security audit or analysis. Don’t think you need to spend thousands of dollars or hire a consultant if you don’t want to.
Every medical practice needs to have a series of policies in place and train their staff to protect PHI, but they do not need to take extreme or expensive measures.
If you have questions or concerns about HIPAA compliance at your practice, PCC encourages you to contact us. We’d be happy to help.