HIPAA Series Part II: Protect Your Office

Part I of our HIPAA series discussed the importance of protecting patient data, or protected health information (PHI). In Part II, let's cover how to employ HIPAA best practices before, during and after your nutrition consults at your office, ultimately protecting both your clients and your practice.

Is Your Office HIPAA-Compliant? 

Our earlier post noted the importance of implementing an encrypted email platform to protect PHI. We also noted that if you’re providing telehealth services, you’ll need to identify a secured platform for use. What other considerations should you take into account? 

What Goes on in the Office, Stays in the Office

Create a Notice of Privacy Practices (NPP) for all clients to sign prior to their first appointment. This is part of the paperwork you will need when you start seeing new clients. View an example from the Academy of Nutrition and Dietetics here. You’ll also want to post a copy of your privacy notice in your office.

Information exchanged between you and your client needs to stay between you and your client (or between other healthcare professionals on a need-to-know basis). Avoid discussing client cases elsewhere in the office, and never discuss them outside of the office. Require that unattended computers be locked, lock up any paper charts or notes, and restrict those areas to authorized personnel only.

Best Practices for Staff Compliance

If you have other RDNs or CNSs on staff, or if you employ an administrative assistant or other support staff, it is wise to conduct HIPAA trainings as a private practice to ensure that everyone is up to speed on HIPAA regulations. The American Medical Association and the Department of Health and Human Services have a few great training resources! We suggest doing this on a regular basis, given that the government's rules and regulations around HIPAA are always evolving. Your clients have the right to keep their medical records private; only authorized healthcare personnel with a need to know patient details should be allowed to view charts, notes, etc.

Establish good practices. Have written policies for how you will use, share, store and, eventually, erase or discard any materials with PHI. 

Can PHI be Shared? 

Your clients can authorize others to view their records and information, such as a spouse or other family member. Keep in mind that records in all forms, whether electronic, paper or verbal, must remain confidential and protected unless your client authorizes otherwise. Note, too, that all records must be available to those with the need to know.

Yes, when it comes down to it, HIPAA compliance is good old-fashioned common sense. But it’s worth putting in the extra training and regulations up-front to protect you, your staff, your clients and your practice! Stay tuned for our next piece in the series on HIPAA-compliant meeting locations. 

What other HIPAA-compliance tips can you share?