HIPAA compliance forms are intended to manage the patient information management system and so ensure compliance with HIPAA. The simple way to manage HIPAA is to regard it as a security or patient confidentiality management system and maintain it as such, just like any other management system.
That means separating the system from the information it is controlling, and managing the system as an entity rather than managing the patient’s information. It is not an easy concept for many to grasp, but once it has been grasped, HIPAA compliance becomes much easier. The forms and records required to achieve this are as much a part of the system as the regulation itself, which is the driving force behind it. Manage HIPAA properly, and patient medical records will be secure by definition.
If we take note of how patient records are obtained, stored and disseminated, and then manage the systems controlling these we shall be complying with HIPAA. The first HIPAA compliance form you will need will be the Notice of Privacy Practices. You will already have something like this in place for health and safety – your Health and Safety Policy notice. The Notice of Privacy Practices is simply a notice informing patients of how you handle their information, and making them aware of your management system to control their Protected Health Information (PHI).
Once you have that, you can collect together all the other forms you will need. These will be a mixture of checklists, auditing forms and permissions that should be signed whenever a form changes hands. HIPAA does not require this in every instance, but it is just as easy to do so as to try to identify which practices do and do not require it.
Thus, consider the Patient Authorization Form. This should be signed by the patient whenever you have to provide PHI to any third party that is not covered by what is referred to as TPO – Treatment, Payment or routing transfer Operations. Some health services have decided that making the distinction is too dangerous, too difficult or simply confusing, so they request that the patient sign for ANY transfer of their PHI.
They have gone beyond HIPAA, but have demonstrated a tight application of their management system, and are within the law to do so. If a patient refuses, the refusal is simply recorded as such and there are no problems. However, patients rarely refuse essential transfer operations when the need is explained to them. Take note that ‘transfer’ and ‘disclosure’ in this case refer to both physical transfer and verbal or other forms of health information disclosure. You can even operate a chain of custody system for physical health records and secure password protection for their electronic equivalents.
Another requirement of a health authority is to allow patients to request an amendment to their health information. Even if you do not agree with the requested amendment, simply have a HIPAA compliance form for it that the patient can sign. You have no obligation to agree, but you should record your reasons in case the patient complains.
The patient has a right to request an account of how his or her PHI has been disclosed to others. They should sign an Accounting of Disclosures form, another HIPAA compliance form, on which you should list all inter-office transfers or disclosures of the patient’s health records, and also those sent out of the facility itself. If you run a good management system, you will have records of all of these disclosures and this should be a simple request to deal with.
You should identify all areas and circumstances where patients’ records are stored, ensure the storage is secure (down to the type of locks used) and then record all transfers of this information along with the permission of patients for each where relevant. A HIPAA compliance form will be required for each type of transfer, along with the patient’s signature. Note that this applies irrespective of the relative geographic locations of patient and records.
You should carry out an internal audit of your entire system using trained auditors, and hold regular review meetings designed to initiate any corrective actions required. Treat HIPAA as any other management system and you should find compliance easy if not quick. HIPAA compliance forms will be the backbone of such a system.