What is a notice of compliance?

A notice of compliance is an internal document that healthcare organizations use to prove they adhere to HIPAA regulations. The document may include how the company secures protected health information (PHI) and details about its policy and procedures related to HIPAA. Ideally, the document is available for company self-assessment and to communicate compliance internally and externally.

Why keep a notice of compliance?

While HIPAA doesn't define or require a notice of compliance, the company-generated document can showcase efforts in meeting HIPAA's privacy and security requirements, especially if a complaint is filed or a data breach occurs.  

The notice may be part of the organization's Notice of Privacy Practices, which contains information about data and security for patients. The notice of privacy practices for patients is required by the HHS and is also a strong starting point for organizations developing a notice of compliance. 

Related: Is there a HIPAA certification?

When to use a notice of compliance

The notice of compliance helps organizations improve accountability and transparency regarding data protection and documentation by stating what security standards are in place.

During HIPAA audits, the document can help streamline the process. These audits, which "assess entity compliance with selected requirements and may vary," are becoming more common.

According to a spring news report, the HHS plans to return with random HIPAA audits, making it an ideal time for companies to create this document and make any necessary adjustments.  

What should be included in a notice of compliance?

For a notice of compliance to be helpful during an audit or other abnormal incident, the notice should include the following: 

Scope: Begin by specifying whether the document focuses on the HIPAA Privacy Rule, Security Rule, or both. 

Organizational policies and procedures: Provide an overview of the organization's policies and procedures related to PHI, including those related to data access, use, disclosure, retention, and disposal, as well as the process for responding to privacy and security incidents.

Safeguards

1. Administrative: Detail the administrative measures used to safeguard PHI. Administrators may designate a Privacy and Security Officer and make plans for regular risk assessments, workforce training, and additional PHI procedures. 
2. Physical: Describe physical security measures to protect PHI, including access controls, facility security, workstation security, and secure storage of physical records. 
3. Technical: Outline technical controls and safeguards implemented to secure electronic PHI, including access controls, encryption, audit logging, secure transmission methods (including HIPAA compliant email), and regular monitoring of IT systems.

Business associate agreements (BAAs): Include information about associates who handle PHI on behalf of the organization to ensure they are maintaining the confidentiality and security of PHI, which can prevent third-party breaches.  

Organization-wide monitoring: Explain how the organization audits compliance with HIPAA regulations, including internal monitoring, ongoing risk assessments, regular review of policies and procedures, and how the company plans to address noncompliance.

Training: Describe the organization's training programs and initiatives that raise awareness of employee responsibility for compliance.

Contact information: Include contact details for a designated HIPAA compliance officer or department within the organization.

FAQs

How often should a notice of compliance be updated?

A notice of compliance should be reviewed and updated annually or whenever a change in regulations, organizational processes, or technology occurs that may impact HIPAA compliance.

Can a notice of compliance be shared outside the organization?

While primarily an internal document, healthcare organizations may choose to share details from the document with external parties, such as requesting patients or regulatory authorities.

What should healthcare organizations do if they find a compliance problem?

Companies should regularly self-access their security policies and HIPAA compliance. If the company finds issues, it should take corrective action immediately, such as updating policies, providing additional staff training, implementing new safeguards, or investigating the issue further.