If you're a pure direct primary care practice, you're probably done already 🎉

Determine if you are a covered entity under HIPAA

To answer this, check out DPC Frontier's thorough discussion of HIPAA here. If you are not covered, feel free to ignore the rest of this list.

Check for state laws regarding patient privacy

In some states these are more stringent than HIPAA, and where a state law is stricter it is not preempted, so the stricter rule applies.

Covered entities only: complete a Security Risk Assessment

The ONC's free Security Risk Assessment (SRA) Tool will make this much easier.

Covered entities only: draft a Notice of Privacy Practices (NPP)

The HHS publishes a sample NPP that can be easily customized for your practice. Check out AtlasMD's NPP here.

Once completed, publish the notice to your website.

Covered entities only: draft a Release of Records/Authorization Form

HIPAA requires you to have a Release of Records (Authorization) form on file for any disclosure of protected health information for purposes other than treatment, payment, and health care operations. Here is an example from AtlasMD.

Every time you have a patient sign one of these, make a note in an Accounting of Disclosures log such as this. You must be able to account for the PHI disclosures you've made should you get audited, and patients have the right to request an accounting of disclosures covering the prior six years. Keeping one log of every release, including those made under a signed authorization, is the simplest way to be ready for either.

Covered entities only: draft a Patient Consent Form

Though not required by HIPAA, many practices also have a Patient Consent Form which lets the patient green-light certain forms of communication (email, text, phone calls, answering machines). It also affords your practice an extra measure of protection. Here is a sample Consent Form.

Covered entities only: gather and maintain proof of HIPAA compliance

This is a multi-faceted problem; full compliance involves writing a Breach Plan, a Training Plan, a Communications Plan, a Disaster Recovery Plan, and an Audit and Monitoring Plan, plus the maintenance of a detailed Policies and Procedures Manual and data governance documentation. Check out this page from the AMA for some resources to get you started. You can find a lot of the Policies and Procedures online - check out Kim Corba's DPC Manual.

Covered entities only: gather Business Associate Agreements

You need to get a signed Business Associate Agreement from every company/product/service that handles your patients' protected health information. Some notable exceptions are labs and specialists you refer to (they are covered entities themselves, and the disclosure is for treatment) and data "conduits" (some messaging services qualify). The conduit exception is narrow: it covers services that only transmit PHI, such as the postal service or an internet service provider, not services that store it. See a complete description here and an agreement template here.

Questions? Recommendations? Concerns?

Send us a message!