HIPAA Manuals

October 29, 2019

HIPAA Manuals, Is it Enough?

Remember Windows 95? That operating system was released by Microsoft roughly one year before HIPAA became the law of the land.

In the mid 1990s, the Internet was in its infancy. “Social media” did not exist as we know it. Web commerce was a gleam in its creators’ eyes (eBay’s predecessor, AuctionWeb, did not even go live until Labor Day weekend of 1995).

These events happened over two decades ago, and they have since generated a certain nostalgia: for slow startup times, for the early dot-com years, and for the days of keeping important documents – like HIPAA manuals – in paper form.

While it’s tempting to imagine a return to a “simpler time,” nostalgia is not a way to run a medical practice.


Enter the HIPAA Manuals: Remember When?

When HIPAA was enacted, covered entity compliance manuals were not stored on the web. They were not stored in the cloud (there was no cloud). Rather, manuals were compiled and stored in paper form.

In 2003, the HIPAA Security Standards Final Rule (the HIPAA Security Rule) was issued. That same year was also the deadline by which most covered entities had to comply with the HIPAA Privacy Rule. Covered entities began to develop policies and procedures based on these rules. Those policies and procedures came to be stored electronically, both because of their size and to permit searching of voluminous text.

Not all providers rode this wave of change, however. Some continued to use paper manuals. Some covered entities still use paper HIPAA manuals, even in this year, 2019.

Why are HIPAA Manuals No Longer Feasible?

Since 2003, two additional HIPAA rules have been implemented. The first is the 2009 HIPAA Breach Notification Rule (issued under the HITECH Act), and the second is the 2013 HIPAA Omnibus Rule:

  • HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a breach of unsecured PHI or ePHI. Under this rule, organizations are required to notify affected individuals and to report all such breaches, regardless of their size, to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Breaches affecting 500 or more individuals must be reported to OCR (and to the media) without unreasonable delay and within 60 days of discovery; smaller breaches may be logged and reported to OCR annually.
  • HIPAA Omnibus Rule: The HIPAA Omnibus Rule, adopted in 2013, made business associates of covered entities directly liable for HIPAA compliance. The HIPAA Omnibus Rule also extended the business associate agreement requirement to subcontractors of business associates, and required covered entities to update their existing business associate agreements to reflect the new obligations.

The frequency with which the HIPAA rules have been modified, the number of additional policies and procedures required with each change, and the need for policies and procedures to be reviewed and updated regularly (at least annually, in practice) together make it virtually impossible to maintain HIPAA compliance manuals in paper form.

Adopting compliance solution software brings medical practices into the digital age. HIPAA compliance software:

  • Allows you to efficiently track your HIPAA compliance
  • Provides template policies and procedures that can be customized for a practice’s unique needs
  • Allows employees to read and attest to policies and procedures during their downtime throughout the day, with a record of who attested and when
  • Incorporates business associate agreements and vendor management agreements