How Medical Offices Can Become HIPAA Compliant

February 6th, 2012
In 1996, the Health Insurance Portability and Accountability Act, or “HIPAA”, was enacted by the U.S. Congress to simplify and standardize the administrative functions of healthcare. The HIPAA Privacy Rule, formally the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities may use and disclose individually identifiable health information, known as PHI (Protected Health Information). “Covered entities” is a term used throughout the HIPAA rules; it means health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard HIPAA transactions, which in practice includes nearly every medical office that bills electronically.


The Administrative Simplification section (Title II) of this law requires the adoption and implementation of national standards for the security and privacy of health information and for the handling of electronic healthcare transactions. The standards are meant to improve the efficiency and effectiveness of the nation’s healthcare system by encouraging the widespread use of electronic data interchange. As healthcare providers and organizations migrate their patient records to various electronic forms, the actions necessary to become HIPAA compliant will vary from office to office.

How does an organization become HIPAA compliant?

Although becoming HIPAA compliant does require substantial effort, the Act’s requirements are simply good business practices for the management of sensitive information and records. In particular, the Act requires organization-wide implementation of:

  1. Administrative procedures aimed at creating or enhancing information security policies.
  2. Industry-accepted safeguards and measures to adequately protect the healthcare information within your organization.
  3. Phone protocols; medical offices must have specific guidelines for what information may be given over the phone. Certain individuals, such as health insurance representatives or family members the patient has authorized, may be cleared to receive patient information, but other callers should be given only basic information that does not violate HIPAA, and a caller’s identity should be verified before anything is disclosed.
  4. Secured workstations; a computer should always be locked when its user is away from the desk, in order to prevent unauthorized use. An automatic screen lock after a short period of inactivity covers the cases where someone forgets.
  5. Document protection; medical claims and bills should be turned face down when the person responsible for them is away from the desk, and files must be kept in secure containers where they cannot be read by a passerby.
  6. HIPAA-compliant waste baskets and shredders; some offices use color-coded trash bins, one set for regular trash like apple cores and gum wrappers and another covered set for documents, which are shredded every day. Only the regular trash bins are emptied by the cleaning staff at night.
  7. Staff education; a well-informed staff will be more adept at following HIPAA regulations, and they will know why they are doing it.

How can you stay HIPAA compliant?

Satisfying HIPAA may require your organization to enhance its current set of practices and procedures. Once those new policies and practices are in place, you should review them periodically (either internally or by using an outside third party) to make sure they are effective. It is important to understand that while the HIPAA requirements may seem onerous, they are not substantially different from what any organization would need in order to protect its electronic resources and the privacy of its records. Since HIPAA security compliance covers a wide range of issues, it is important not to delay. Compliance with most of the requirements will be fairly straightforward, though satisfying certain requirements will be more of a challenge. Starting the assessment work early to identify what really needs to be done will enable your organization to develop sensible plans that can be implemented at an affordable cost. Consulting with an experienced information security organization can greatly smooth the transition.

Resources to find out more

Health Care Financing Administration (HCFA, since renamed the Centers for Medicare & Medicaid Services, CMS)
http://www.hcfa.gov/medicaid/hipaa/default.asp

American Hospital Association HIPAA links
http://www.aha.org/hipaa/links.asp

HCFA (now CMS) HIPAA Fact Sheet
http://www.hcfa.gov/facts/f9702as.htm

Searchable HIPAA Regulations
http://www.hipaadvisory.com/regs/