HIPAA Compliance Services

Protect patient data with our comprehensive HIPAA compliance program

How We Help

Prioritize Patient Care By Investing in HIPAA Compliance

Streamlining your HIPAA compliance is a powerful solution to the burden of regulatory standards. By investing in a compliance partner, your practice can save time and focus on providing high quality care to patients. At SimmonSafe, we make it easy by leveraging technology and human expertise to keep your practice compliant with HIPAA.

OUR SOLUTIONS

HIPAA Compliance Services

Our comprehensive compliance program is designed to ensure your practice meets all OSHA standards. Let us handle the logistics of regulatory compliance so your practice can focus on providing care to patients.

Training and Education

Track employee training with a digital learning platform that delivers courses on HIPAA regulations, including privacy, security, and breach notification.

Policy & Procedure

Create privacy and security policies and procedures customized for your practice.

Forms & Documentation

Generate and maintain important compliance documents, including Notice of Privacy Practices, Acknowledgement of NPP, and HIPAA authorization forms.

Security Assessment

Evaluate the security of your protected health information and implement safeguards according to HIPAA requirements.

Incident Management

Plan your strategy to respond to and minimize the impact of HIPAA incidents.

Consultation

Advise your practice on strategies for establishing, growing, and developing areas of your compliance program.

Rapid Response Support Services

Guide your practice with fast response to incidents that occur in your facility.


Frequently Asked Questions

Learn more about how our services can help modernize your OSHA and HIPAA compliance

Can a grandparent bring a child to an appointment?

This is more a question of consent than of HIPAA. Practices should always ensure that they have consulted with their Risk Department on what type of consent forms may be necessary for individuals other than parents to bring minor children to medical and/or dental appointments. The Health Insurance Portability and Accountability Act does permit covered entities to share information that is directly relevant to the involvement of the grandparent (or other friend or family member) in the patient's care or payment for healthcare services.

How long do we need to maintain HIPAA documentation?

The Health Insurance Portability & Accountability Act requires that Covered Entities and Business Associates maintain HIPAA documentation for a period of six years. For example, if a dental practice updates its Notice of Privacy Practices, it would need to retain the old Notice for a period of 6 years from the date of the newest revision.

How long do we need to maintain old medical/dental records?

The retention of medical and dental records is driven by state law. You should refer to your specific state regulations for guidance on how long to retain records for inactive patients.

How much can we charge a patient for a copy of their records?

The Health Insurance Portability & Accountability Act offers many protections for patients, including their right to receive copies of their records at a cost based, reasonable fee. The Privacy Rule permits fees that include the cost of certain labor, supplies and postage related to creating and providing copies of records. This includes the labor for creating and delivering the records, the cost of supplies such as paper, ink or electronic media, and the cost of postage for delivery.

What if they owe a balance? Can we require them to pay the balance before we release a copy of their records?

No. Covered entities are not permitted to require the patient to pay their balance in full prior to receiving a copy of their records, but may charge them a cost-based reasonable fee that includes the actual cost of labor, paper, ink and postage.

If a patient is deceased, can we release a copy of their medical/dental record to a family member?

The Privacy Rule permits (but does not require) a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care.

Can we leave computers unlocked if we hide patient names on the schedule?

No. The Security Rule requires covered entities to secure unattended sessions. Securing the device when it is unattended prevents unauthorized persons from gaining access not just to the Protected Health Information (PHI) that may be visible on the screen, but to any PHI that could be reached through the device itself.

Can a patient request that an employee not have access to their record?

Yes. Covered entities must have a process (and corresponding policy) to allow individuals to make Restriction Requests. Once the request is received, the Privacy Officer must evaluate the request and determine whether it can be reasonably accommodated or not. In small practices, where employees are cross-trained and may perform multiple functions, this may not be a reasonable request, while a larger practice with more departments and employees might be able to reasonably limit or restrict an employee's access to certain records. If the covered entity does agree to a restriction request, the covered entity must comply with the agreed restriction, except in medical emergencies or other circumstances as defined in the Privacy Rule. Restriction requests should be accepted or denied in writing.

Can you email a patient a copy of their records?

Yes. The Privacy Rule allows covered entities to communicate with their patients through electronic means such as email if reasonable safeguards are used. Encryption is a good example of a safeguard used during the transmission of Protected Health Information (PHI) through email. If encryption is not available for email communications between the provider and patient, the provider should make the patient aware of the risks associated with using unencrypted email, and let the patient decide whether to proceed with the transmission of PHI via unencrypted email.