A notice of compliance is an internal document that healthcare organizations use to prove they adhere to HIPAA regulations. The document may include how the company secures protected health information (PHI) and details about its policy and procedures related to HIPAA. Ideally, the document is available for company self-assessment and to communicate compliance internally and externally.
While HIPAA doesn't define or require a notice of compliance, the company-generated document can showcase efforts in meeting HIPAA's privacy and security requirements, especially if a complaint is filed or a data breach occurs.
The notice may be part of the organization's Notice of Privacy Practices, which contains information about data and security for patients. The notice of privacy practices for patients is required by the HHS and is also a strong starting point for organizations developing a notice of compliance.
The notice of compliance helps organizations improve accountability and transparency regarding data protection and documentation by stating what security standards are in place.
During HIPAA audits, the document can help streamline the process. These audits, which "assess entity compliance with selected requirements and may vary," are becoming more common.
According to a spring news report, the HHS plans to return with random HIPAA audits, making it an ideal time for companies to create this document and make any necessary adjustments.
For a notice of compliance to be helpful during an audit or other abnormal incident, the notice should include the following:
Scope: Begin by specifying whether the document focuses on the HIPAA Privacy Rule, Security Rule, or both.
Organizational policies and procedures: Provide an overview of the organization's policies and procedures related to PHI, including those related to data access, use, disclosure, retention, and disposal, as well as the process for responding to privacy and security incidents.
Safeguards
Business associate agreements (BAAs): Include information about associates who handle PHI on behalf of the organization to ensure they are maintaining the confidentiality and security of PHI, which can prevent third-party breaches.
Organization-wide monitoring: Explain how the organization audits compliance with HIPAA regulations, including internal monitoring, ongoing risk assessments, regular review of policies and procedures, and how the company plans to address noncompliance.
Training: Describe the organization's training programs and initiatives that raise awareness of employee responsibility for compliance.
Contact information: Include contact details for a designated HIPAA compliance officer or department within the organization.
A notice of compliance should be reviewed and updated annually or whenever a change in regulations, organizational processes, or technology occurs that may impact HIPAA compliance.
While primarily an internal document, healthcare organizations may choose to share details from the notice with external parties, such as patients who request it or regulatory authorities.
Companies should regularly self-assess their security policies and HIPAA compliance. If the company finds issues, it should take corrective action immediately, such as updating policies, providing additional staff training, implementing new safeguards, or investigating the issue further.