HIPAA Policy Template for Medical Billing Companies

Eagle’s policy template helps you increase security, gain compliance, and avoid fines.

HIPAA Policies and Procedures Designed for Medical Billing Companies (Business Associates)

These policies are designed to meet the regulatory requirements of medical billing companies who provide services to healthcare organizations, including physician practices, hospitals, insurance plans, other HIPAA-covered entities, and other Business Associates.  Under the HIPAA regulations, medical billing companies who serve covered entities and business associates are HIPAA Business Associates themselves! Therefore, these billing companies are obligated to have certain written policies and procedures. All policies are compliant with the HITECH Act of 2009, the Breach Notification Rule, and the HIPAA Omnibus Rule published in January 25, 2013.

These policies are completely different from policies designed for medical practices, hospitals or insurance companies.  They are specifically built based on the business and services provided by medical billing companies who serve covered entities.  The benefits of using these policy templates include:

• Quickly bring your technology into compliance with HIPAA rules for business associates
• Saves you $1000’s in consulting fees
• Ability to customize using Microsoft Word based on unique requirements of your business
• Satisfaction is guaranteed by Eagle Consulting Partners, a leading consultant for IT security policies in healthcare

Your comprehensive policy and procedure manual, designed for medical billing companies’ compliance with the 2013 HIPAA regulations, in Microsoft Word format.

Your organization is subject to both civil and criminal penalties for non-compliance.  That’s right.  In 2016, the first-ever random audits of HIPAA Business Associates began.  Penalties can soar into the millions of dollars, which makes HIPAA one of the toughest sets of government regulations.  The 4 tier penalty structure is as follows: (see PDF)

• Did not know and, by exercising reasonable diligence, would not have known of the violation:  Penalty ranges from $100 to $50,000 per violation and up to $1.5 million for identical violation per year.
• Violation due to reasonable cause and not willful neglect:  $1,000 to $50,000 per violation;
  Up to $1,500,000 per identical violation per year.
• Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation:  Mandatory fine of $10,000 to $50,000 per violation;
  Up to $1,500,000 per identical violation per year.
•  Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation:  Mandatory fine of not less than $50,000 per violation; Up to $1,500,000 per identical violation per year.

Contents Include:

HIPAA POLICIES 

POLICIES FOR ALL STAFF

1000 Confidentiality, Privacy and Computer Security Definitions
1010 HIPAA – General Rules
1020 Minimum Necessary Policy
1030 Confidentiality Safeguards (Oral & Written)
1040 Speaking with the Family and Friends of a Patient Receiving Services
1050 Authorizations
1060 Verification
1070 Minors, Personal Representatives and Deceased Patients
1080 Duty to Report Violations and Security Incidents
1090 Disclosures that do Not Require an Authorization
1095 Patient Portal

PATIENT RIGHTS

1200 Patient’s Right to Access Records
1210 Patient’s Right to Request Amendment of Records
1220 Patient’s Right to Receive an Accounting of Disclosures
1230 Patient’s Right to Request Additional Restrictions
1240 Patient’s Right to Request Confidential Communications

CONFIDENTIALITY POLICIES FOR SUPERVISORS

1300 Mitigation
1320 Non-intimidation and Non-retaliation

SHARED PRIVACY/SECURITY POLICIES

1340 Policy Updating and Staff Training
1350 Sanctions for Staff Violations of Privacy/Security Policies
1360 Business Associate Contracts
1370 HIPAA Assignments and Documentation

HIPAA SECURITY POLICIES
POLICIES FOR CEO AND THE HIPAA OFFICER

2000 HIPAA Officer and Security Management Process
2010 Data Backup Policy
2020 Disaster Recovery Plan and Emergency Mode Operation
2030 Facility Security and Access Control
2040 Annual Security Evaluation
2050 Audit Control and Activity Review Policy
2060 Malicious Software Protection Policy
2070 Security Awareness Program
2080 Device and Media Disposal and Re-Use
2090 Technical Safeguards
2100 Breach Reporting

SECURITY POLICIES FOR OFFICE MANAGER & SUPERVISORS

3010 Employee System Access and Termination Procedures

HIPAA ADMINISTRATIVE REQUIREMENTS
SECURITY POLICIES FOR ALL STAFF

3080 Computer Usage
3082 Use of Social Media
3085 Portable Computing Devices
3087 Home Offices
3090 Security Incident Response and Reporting

APPENDICES

Appendix A – Identifying Business Associates
Appendix B – Sample HIPAA Business Associate Agreement
Appendix C – Sample Privacy & HIPAA Officer Duties
Appendix D – Facility Security and Safeguards for Oral and Written PHI
Appendix E – Workforce Access to PHI and Safeguards
Appendix F – Minimum Necessary – Procedures for Routine Disclosures and Requests
Appendix G – Miscellaneous
Disclosure Log
Confidentiality Agreement for Cleaning Agency

Gary Pritts, President of Eagle Consulting Partners, Inc.

About the Author:  Gary Pritts is Founder and President of Eagle Consulting Partners. His unique experience that led to these popular HIPAA Policy templates.  Gary understands IT managed services companies, medical software authors, and value-added resellers (VARs) and has created these templates specifically for these companies.   He partnered with dozens of VARs in the early 2000s when the HIPAA rules were first implemented.  He assisted the VARs by delivering HIPAA services to their physician practice customers.  During that time, Gary crafted HIPAA policies for the VARs and his other software-author managed services partners.   These policies deal with topics such as help desk protocols, secure configuration of remote management and monitoring systems, and secure handling of client access credentials.  In addition, the policies include guidance to the technical staff so that they can better assist HIPAA-regulated clients with their HIPAA compliance.  His first-hand experience as a prior general manager for a VAR and his partnerships with VARS, software authors and managed services companies has led to these policy templates.  Gary studied computer science at Purdue University and holds an MBA from Harvard Business School.

Limited Time Special… Save 20% ($100)  at Checkout… type in this code:  Save-20