HIPAA Compliance

Maintaining a HIPAA-compliant privacy policy and safeguarding patient information are essential requirements for any healthcare group seeking credentialing services. Insurance payers, Medicare, Medicaid, and other healthcare programs expect providers to demonstrate robust privacy and security practices as part of the credentialing process.

What Is Expected of Your Group?

1. Written HIPAA-Compliant Privacy Policy

  • Develop and maintain a privacy policy that fully complies with the HIPAA Privacy Rule.

  • The policy must clearly describe how your group collects, uses, discloses, and protects patients’ protected health information (PHI).

  • Patients must be informed of their rights regarding their health information, including the right to access, amend, and receive an accounting of disclosures.

2. Safeguarding Patient Information

Your group must implement safeguards to protect PHI in all forms—paper, electronic, and oral. This includes:

  • Administrative Safeguards:

    • Appoint a privacy official responsible for HIPAA compliance.

    • Develop and enforce policies and procedures for handling PHI.

    • Train all staff on HIPAA requirements and your organization’s privacy practices.

    • Apply sanctions for noncompliance.

  • Physical Safeguards:

    • Secure physical access to areas where PHI is stored.

    • Use locks, alarm systems, and controlled access to prevent unauthorized entry.

    • Ensure paper records are not left unattended or accessible to unauthorized individuals.

  • Technical Safeguards:

    • Use secure, HIPAA-compliant electronic systems for storing and transmitting PHI.

    • Implement access controls, encryption, firewalls, and regular system audits.

    • Ensure only authorized personnel can access electronic PHI (ePHI).

3. Minimum Necessary Standard

  • Limit access to PHI to only those individuals who need it to perform their job duties.

  • Disclose only the minimum necessary information required for a given purpose.

4. Breach Notification and Incident Response

  • Have procedures in place to detect, respond to, and report any unauthorized access, use, or disclosure of PHI.

  • Notify affected individuals and authorities in the event of a breach, as required by law.

5. Ongoing Compliance and Documentation

  • Regularly review and update your privacy and security policies.

  • Conduct periodic risk assessments and audits to identify and address vulnerabilities.

  • Maintain documentation of all HIPAA compliance activities, including training records, risk analyses, and incident reports.

What Credentialing Teams Look For

During credentialing, you may be asked to:

  • Attest that your group maintains a HIPAA-compliant privacy policy.

  • Provide a copy of your privacy policy or Notice of Privacy Practices.

  • Demonstrate that you have safeguards in place to protect patient information.

  • Show evidence of staff training and ongoing compliance efforts.
