HIPAA Policies and Procedures Designed for Medical Billing Companies (Business Associates)
These policies are designed to meet the regulatory requirements of medical billing companies that provide services to healthcare organizations, including physician practices, hospitals, insurance plans, other HIPAA-covered entities, and other Business Associates. Under the HIPAA regulations, medical billing companies that serve covered entities and business associates are HIPAA Business Associates themselves. Therefore, these billing companies are obligated to have certain written policies and procedures. All policies are compliant with the HITECH Act of 2009, the Breach Notification Rule, and the HIPAA Omnibus Rule published on January 25, 2013.
These policies are completely different from policies designed for medical practices, hospitals or insurance companies. They are built specifically around the business and services of medical billing companies that serve covered entities. The benefits of using these policy templates include:
- Quickly bring your technology into compliance with HIPAA rules for business associates
- Save $1,000s in consulting fees
- Customize the templates in Microsoft Word to the unique requirements of your business
- Satisfaction guaranteed by Eagle Consulting Partners, a leading consultant for IT security policies in healthcare
Your organization is subject to both civil and criminal penalties for non-compliance. That’s right. In 2016, the first-ever random audits of HIPAA Business Associates began. Penalties can soar into the millions of dollars, which makes HIPAA one of the toughest sets of government regulations. The four-tier penalty structure is as follows (see PDF):
- Did not know and, by exercising reasonable diligence, would not have known of the violation: penalty ranges from $100 to $50,000 per violation and up to $1.5 million per identical violation per year.
- Violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
- Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
- Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.
Contents Include:
HIPAA POLICIES
POLICIES FOR ALL STAFF
1000 Confidentiality, Privacy and Computer Security Definitions
1010 HIPAA – General Rules
1020 Minimum Necessary Policy
1030 Confidentiality Safeguards (Oral & Written)
1040 Speaking with the Family and Friends of a Patient Receiving Services
1050 Authorizations
1060 Verification
1070 Minors, Personal Representatives and Deceased Patients
1080 Duty to Report Violations and Security Incidents
1090 Disclosures that do Not Require an Authorization
1095 Patient Portal
PATIENT RIGHTS
1200 Patient’s Right to Access Records
1210 Patient’s Right to Request Amendment of Records
1220 Patient’s Right to Receive an Accounting of Disclosures
1230 Patient’s Right to Request Additional Restrictions
1240 Patient’s Right to Request Confidential Communications
CONFIDENTIALITY POLICIES FOR SUPERVISORS
1300 Mitigation
1320 Non-intimidation and Non-retaliation
SHARED PRIVACY/SECURITY POLICIES
1340 Policy Updating and Staff Training
1350 Sanctions for Staff Violations of Privacy/Security Policies
1360 Business Associate Contracts
1370 HIPAA Assignments and Documentation
HIPAA SECURITY POLICIES
POLICIES FOR CEO AND THE HIPAA OFFICER
2000 HIPAA Officer and Security Management Process
2010 Data Backup Policy
2020 Disaster Recovery Plan and Emergency Mode Operation
2030 Facility Security and Access Control
2040 Annual Security Evaluation
2050 Audit Control and Activity Review Policy
2060 Malicious Software Protection Policy
2070 Security Awareness Program
2080 Device and Media Disposal and Re-Use
2090 Technical Safeguards
2100 Breach Reporting
SECURITY POLICIES FOR OFFICE MANAGER & SUPERVISORS
3010 Employee System Access and Termination Procedures
HIPAA ADMINISTRATIVE REQUIREMENTS
SECURITY POLICIES FOR ALL STAFF
3080 Computer Usage
3082 Use of Social Media
3085 Portable Computing Devices
3087 Home Offices
3090 Security Incident Response and Reporting
APPENDICES
Appendix A – Identifying Business Associates
Appendix B – Sample HIPAA Business Associate Agreement
Appendix C – Sample Privacy & HIPAA Officer Duties
Appendix D – Facility Security and Safeguards for Oral and Written PHI
Appendix E – Workforce Access to PHI and Safeguards
Appendix F – Minimum Necessary – Procedures for Routine Disclosures and Requests
Appendix G – Miscellaneous
Disclosure Log
Confidentiality Agreement for Cleaning Agency
About the Author: Gary Pritts is Founder and President of Eagle Consulting Partners. His unique experience led to these popular HIPAA policy templates. Gary understands IT managed services companies, medical software authors, and value-added resellers (VARs) and has created these templates specifically for these companies. He partnered with dozens of VARs in the early 2000s when the HIPAA rules were first implemented, assisting them by delivering HIPAA services to their physician practice customers. During that time, Gary crafted HIPAA policies for the VARs and his other software-author managed services partners. These policies deal with topics such as help desk protocols, secure configuration of remote management and monitoring systems, and secure handling of client access credentials. In addition, the policies include guidance for technical staff so that they can better assist HIPAA-regulated clients with their HIPAA compliance. His first-hand experience as a former general manager of a VAR and his partnerships with VARs, software authors and managed services companies have led to these policy templates. Gary studied computer science at Purdue University and holds an MBA from Harvard Business School.
Limited time special: save 20% ($100) at checkout by entering this code: Save-20
Protect your organization!
Only Eagle brings decades of healthcare experience to a strong GDPR policy that ALSO covers HIPAA regulations!