Section 1
HIPAA Compliance Program
Protected Health Information (PHI)
What Is PHI?
PHI is any information that identifies a patient and relates to their physical or mental health, healthcare services, or payment for those services.
Examples of PHI
- Names
- Addresses & phone numbers
- Email addresses
- Dates of birth
- Medical records
- Insurance information
- Photographs
Minimum Necessary Standard
- Access only what you need to do your job
- Scheduling staff: appointment info only
- Billing staff: insurance & payment info only
- Never view records of family, friends, or coworkers without a job-related need
Workforce Responsibilities
Required
- Access only information necessary for assigned duties
- Maintain patient confidentiality at all times
- Log off unattended workstations
- Secure paper records
- Report suspected breaches immediately
Prohibited
- Sharing passwords with anyone
- Accessing records without a business purpose
- Discussing patient info in public areas
- Leaving records unattended
Patient Rights
Patients Have the Right To:
- Receive a Notice of Privacy Practices
- Request access to their records
- Request amendments to their records
- Request restrictions on disclosures
- Receive an accounting of disclosures
- File privacy complaints without retaliation
Security Rule: Required Safeguards
🏢 Administrative
- Annual risk assessments
- Written policies & procedures
- Annual workforce training
- Regular access permission reviews
- Incident response procedures
🏗 Physical
- Secure workstations
- Restrict access to records areas
- Locked storage where appropriate
- Proper disposal of confidential documents
💻 Technical
- Unique user credentials
- Strong passwords (12+ characters)
- Multifactor authentication
- Audit logs maintained
- Encrypted devices & backups
- Automatic screen locking
Password Policy
- Minimum 12 characters long
- Must include letters, numbers, and symbols
- Must be unique to each system
- Must never be shared
- Change immediately if compromise is suspected
Email & Electronic Communication
Required
- Verify recipients before sending PHI
- Use secure communication methods
- Report misdirected communications immediately
Prohibited
- Sending PHI through unsecured channels
Business Associate Agreements (BAAs)
Requirement
A signed BAA must be on file with every vendor that accesses PHI — including IT providers, cloud services, billing companies, practice management software, and any marketing vendors handling patient information. BAAs are reviewed annually.
Breach Reporting Procedure
Report Immediately
Lost devices · Misdirected emails · Unauthorized access · Improper disclosures · Stolen records
1
Investigate the incident
2
Determine breach status
3
Document all findings
4
Coordinate required notifications
5
Implement corrective action
Training Requirements
Training Is Required:
- During onboarding
- Annually thereafter
- Following major policy changes
- Following significant security incidents
Section 2
OSHA Compliance Program
Universal Precautions
Treat all blood and bodily fluids as potentially infectious — without exception. This includes blood, saliva containing blood, human tissue, and other potentially infectious materials (OPIM).
Personal Protective Equipment (PPE)
Approved PPE Includes
- Gloves
- Masks
- Protective eyewear
- Face shields
- Protective clothing
PPE Requirements
- Wear PPE whenever required
- Replace damaged PPE immediately
- Dispose of contaminated PPE properly
- Wash hands after glove removal
- Follow CDC hand hygiene guidelines
Sharps Safety
Required
- Use safety-engineered devices when available
- Dispose of sharps immediately after use
- Use only approved sharps containers
Prohibited
- Recapping needles using two hands
- Overfilling sharps containers
Sharps Container Standards
Containers must be puncture resistant, properly labeled, and replaced before they become overfull.
Exposure Incident Procedure
1
Immediately wash the affected area
2
Notify a supervisor
3
Complete incident documentation
4
Obtain a medical evaluation
5
Follow post-exposure protocols
Hepatitis B Vaccination
OSHA Requirement
All eligible employees must be offered the Hepatitis B vaccine at no cost. Documentation of acceptance, declination, or vaccination records must be maintained.
Section 3
Hazard Communication Program
Chemical Inventory
- Maintain a current chemical inventory at all times
- Keep Safety Data Sheets (SDS) updated
- SDS documents must remain readily accessible
Every Employee Must Know
- Where SDS documents are located
- Emergency response procedures for chemical exposure
- Safe handling procedures for chemicals in use
Container Labeling
- All containers must be properly labeled
- Labels must not be removed or defaced
- Replacement labels must be applied immediately if removed
Section 4
Fire & Emergency Preparedness
Covered Emergency Scenarios
- Fire emergencies
- Severe weather events
- Medical emergencies
- Utility failures
- Security threats
Equipment — Routine Inspection Required
- Fire extinguishers
- Emergency exits (clear and accessible)
- First aid supplies
- AED equipment (if applicable)
Section 5
Incident Reporting
Report All of the Following Immediately to Designated Management
Injuries · Exposure incidents · Safety hazards · Security incidents · Privacy incidents
Section 6
Record Retention
| Record Type | Category |
|---|---|
| Risk assessments | HIPAA |
| Policies and procedures | HIPAA |
| Training records | HIPAA OSHA |
| Breach investigations | HIPAA |
| Business Associate Agreements | HIPAA |
| Exposure incidents | OSHA |
| Vaccination records | OSHA |
| Safety inspections | OSHA |
| Exposure Control Plans | OSHA |
Retention Period
All records must be retained according to applicable federal and state legal requirements.
Section 7
Annual Compliance Checklist
🔒 HIPAA
🧤 OSHA