Frequently Asked Questions

What is PHI?
PHI stands for Protected Health Information. Information is considered PHI when both of the following are present: 1. health information (e.g., a diagnosis, a diagnosis code, etc.), and 2. personally identifying information (e.g., an IP address, email address, physical address, etc.).

Who should be the Compliance Officer for my organization?
HIPAA law requires your organization to designate at least one person who is responsible for overseeing and implementing its HIPAA Compliance Plan. This should be an individual who works with those exposed to PHI and has the authority to ask them to complete tasks related to HIPAA. They also must have the power to sanction individuals.
Your organization is required to have a Privacy Officer and a Security Officer (the compliance officers). This can be the same individual for smaller organizations; for larger groups, it might make sense to have two people in these roles. The compliance officer(s) will be the first to take HIPAA training, and then they will coordinate the completion of the Risk Assessment. In larger organizations, this may require coordination and conversations with individuals in different departments, such as IT, HR, and other groups that have organizational knowledge. Smaller organizations may need the assistance of their IT vendor.

How do I get started?
If you don’t see an onboarding email, you can request it by emailing:
Begin by taking the Leader Training. Once this is completed, the Risk Assessment will be released. Allow several hours or days to complete the Risk Assessment. You may find it helpful to complete a few sections at a sitting. If necessary, don’t be afraid to engage with individuals who own privacy and security processes in your organization. This is a great opportunity to gain a better understanding of what is going on in your organization. It’s important to be honest so Total HIPAA can provide accurate documentation. We’re not here to judge you, but to help identify vulnerabilities and tactics for better compliance.

Once the Risk Assessment is completed, Total HIPAA’s experts will review it and provide a list of steps to become compliant while we work on creating your organization’s compliance plan. At each step of the process the designated compliance officer receives an email from their project manager with the next steps.

How do I get more training licenses?
We’re happy to help your organization grow. Please send an email to: One of our team members will be glad to help add those licenses to your subscription.

Can I book a call with support?
If issues do come up or your compliance team needs help with an audit or breach, please submit a support ticket here: We are a small team, and we strive to give every one of our customers the support they need. Submitting a ticket allows us to make sure the proper resources are available to address your needs.

I received the Final Document Set. Does that mean I am done with HIPAA compliance?
HIPAA compliance is not a one-time thing. It isn’t about the destination but the journey. Your organization's Compliance Plan will evolve as your company grows, technologies change, compliance standards evolve, and new processes are incorporated. HIPAA compliance requires annual training for your organization’s staff and annual reviews of the Risk Assessment and the Compliance Plan as a whole. (This includes reviewing the Privacy and Security Policies and Procedures.)

What should we do if we have to designate a new Compliance Officer?
New compliance officers should start by taking the Leader Training. If there are enough licenses available, an existing compliance officer can register them. If there aren’t enough licenses, or you need help registering a person, you can submit a support ticket here:

We are launching software. At what point in the HIPAA Prime process can we release the app to the public?
The app can launch once the Risk Assessment Report has been finalized and Total HIPAA has started the process of creating and customizing the Privacy and Security Policies and Procedures. This can take a few iterations to make sure the items are documented properly, but in the meantime, we believe your app is ready to launch.
Things to double check:
Any employees with access to PHI need to complete their training ASAP, and prior to any PHI access;

The organization needs to make sure everyone is using the systems and processes we have documented in the Risk Assessment Report. Your organization is currently doing things ‘ad hoc’, which means there isn’t a documented plan. We will move as quickly as possible to get these items documented, but as long as your organization is using the items and structures in the final Risk Assessment, this is OK;

Notify us as quickly as possible if there is a privacy or security incident that comes up in this process; and

Remember HIPAA is a journey, not a destination. There will be many updates to plans and the Risk Assessment over the coming years. Just as technology changes, your organization’s plan will need to be updated!

How often do BAAs/BASAs (Business Associate Agreements/Business Associate Subcontractor Agreements) need to be updated?
BAAs/BASAs should be re-signed every three years.

I don’t feel like any of the answers to a question in the Risk Assessment apply to my situation. What should I do?
Answer “No” to start with. Our compliance team will go through your answers and create your Risk Assessment Report. When you receive the Risk Assessment Report, you will have the opportunity to revise your answers or ask additional questions. When you see the Risk Assessment Report it should make more sense, and we will work with you personally to make the answers more accurate.

Does the HIPAA Policy need to be in our employee handbook?
All that is required is a reference to the fact that a policy exists and who to contact for more information.

How does my staff find out about our specific policies?
Once your HIPAA Compliance Plan is complete, we provide you with the “Staff Training PowerPoint” in your final document set. This PowerPoint will be specific to your policies and procedures and can be used to train staff on your Compliance Plan.

Who keeps track of making sure our staff is trained on my specific HIPAA Policies and Procedures?
Total HIPAA is in charge of your annual HIPAA training, but it is up to your Compliance Team to track the training of your staff on your specific Policies and Procedures.

Do you have to complete the Risk Assessment in sequential order?
The first section, titled "Start Here", must be completed first, but the other sections can be completed in any order.
