
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

5 HIPAA Compliance Examples

Although a search for HIPAA compliance examples most often returns results listing HIPAA violations, if you look deep enough it is possible to find multiple examples of HIPAA compliance, workplaces designed to support HIPAA compliance, and policies that explain why compliance with HIPAA is important.

Further HIPAA compliance examples can be found by comparing the compliance efforts of one organization against those of another, or by identifying organizations that implement HIPAA policies with more stringent requirements than those demanded by the HIPAA Privacy Rule in order to mitigate the likelihood of foreseeable and impermissible disclosures of Protected Health Information (PHI).

Dealing with Complaints Privately

In 2019, Elite Dental Associates settled an alleged HIPAA violation for $10,000 after admitting to impermissibly disclosing PHI in a response to a negative online review. Some dental practices did not learn from the settlement, and continued to impermissibly disclose PHI on review sites – leading to two further settlements in 2022 in which the practices were fined $23,000 and $50,000 respectively.

One dental practice that did learn from the 2019 enforcement action was Red Rose Family Dental of Lancaster, PA. The practice responded to a negative review on its Facebook page by reaching out to the dissatisfied patient privately, rather than disclosing PHI on social media. HIPAA covered entities should note the correct way to respond to negative online reviews in the first of our HIPAA compliance examples:


Workplaces that Support HIPAA Compliance

The second of our HIPAA compliance examples is quite commonplace inasmuch as many pharmacies offer private consulting rooms for patients to speak with pharmacists about health concerns and medications. Private consulting rooms support HIPAA compliance by eliminating the risk that private conversations between patients and pharmacists could be overheard and PHI disclosed impermissibly.

As well as supporting HIPAA compliance, private consulting rooms can drown out the distraction of other patients waiting their turn to be served, optimize patient care, and improve the patient-pharmacist relationship. Surprisingly, although many pharmacies design their workplaces to support privacy and HIPAA compliance, few pharmacies advertise that they offer this service.

Sloan Pharmacy offers private consultations for our patients to speak with our pharmacists about any and all of their individual health matters. Source: Sloan’s Pharmacies

Policies that Explain the Importance of HIPAA Compliance

Several HIPAA covered entities make their internal HIPAA policies publicly available. Some start with a rationale for why the HIPAA policy exists and an explanation of why compliance with the policy is important. An example of a policy that explains the importance of HIPAA compliance is the University of Wisconsin-Madison’s policy for “Email Communications involving Protected Health Information”.

As well as being comprehensive, the policy (UW-129) explains why the confidentiality of medical information has to be protected and why sending PHI via unencrypted email exposes medical information to security risks. Importantly, the policy is referenced in the University’s annual HIPAA training along with a selection of best practices for supporting HIPAA compliance for emails containing PHI.

Comparing HIPAA Notices of Privacy Practices

Comparing HIPAA Notices of Privacy Practices is a further way to find HIPAA compliance examples. For the benefit of this comparison, we compared the HIPAA Notices of Privacy Practices from Howard County General Hospital in Columbia, MD, and the nearby Sheppard Pratt Campus in Towson, MD, to ensure neither covered entity had to comply with different state regulations that preempted HIPAA.

As well as being easier to read, Howard County’s Notice includes a number of optional elements listed in the HIPAA Privacy Rule standard §164.520(b)(2). Sheppard Pratt’s Notice not only omits an individual’s right to request privacy restrictions (§164.520(b)(1)), it also requires patients to submit complaints in writing – but only gives a contact phone number for the organization’s HIPAA Privacy Officer.

HIPAA Training Prior to PHI Access

The fifth of our HIPAA compliance examples comes from Florida Atlantic University, which requires new and recently promoted members of the workforce to take HIPAA training within seven days of joining the workforce or being promoted, and – in any event – before being allowed access to PHI. They must also complete a test at the conclusion of HIPAA training – the pass score for which is 70%.

As well as having more stringent HIPAA training requirements than those demanded by the HIPAA Privacy Rule, all members of the University’s workforce with access to PHI must take refresher HIPAA training annually, plus further training whenever there is a regulatory, policy, or technology change that impacts the privacy or security of PHI. In addition, the completion of each training module is certified.

Why HIPAA Compliance Examples are Important

HIPAA compliance examples are important because they provide compliance benchmarks to other HIPAA covered entities and business associates who may be unsure about whether their compliance efforts are adequate. It can be hard to find examples of HIPAA compliance, and organizations looking for an easier option to assess their compliance efforts are invited to download and use our free HIPAA compliance checklist.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
