OSHA & HIPAA Compliance Made Easy
With 25+ years of OSHA experience and one of the nation's only Certified HIPAA Professionals, Smart Training makes compliance not only manageable but easy! We want to address your concerns, so comment and have your questions answered by the experts!
Smart Training

Is an Employee Privacy Policy (EPP) Required by HIPAA?


12/3/2020 12:50:02 PM   |   Comments: 0   |   Views: 121

Is an Employee Privacy Policy (EPP) required?

Yes. An Employee Privacy Policy is a HIPAA-required document.

Lee Slaton, Smart Training’s Vice President of Healthcare, writes that signed Employee Privacy Policies “can be get-out-of-jail-free cards in worst-case scenarios.”

An Employee Privacy Policy informs and educates employees about their role in protecting patient privacy and health information. However detailed the document may be, it is not a substitute for HIPAA training. You should have both in place.

What should come before the Employee Privacy Policies?

Employee Privacy Policies are one of the last elements in a chain of proactive processes that help ensure the security of patient information. Here’s the order of processes:

  • Criminal background checks
  • Certified HIPAA training
  • Employee Privacy Policies
  • Access management and control

Most Practice Owners never conduct routine background checks on current or prospective employees. This is like letting the fox into the henhouse. Avoid assuming you “know” someone you hired. Play it safe instead.

The State Department of Public Safety has, for the past several years, offered $3 ‘arrest checks’ which don’t really probe too deeply into someone’s history, but they are better than nothing at all. I always recommend Sterling Check for background checks; their number is 800-899-2272.

A note on HIPAA employee training: One of the real steps forward with Texas House Bill 300 was the requirement that employees be trained at time of hire on patient privacy. Texas Senate Bill 1609 watered this down to within 90 days of hire.

A final word: There have been cases where hired healthcare employees turn out to be in a data theft ring. These employees get jobs solely to access and steal protected health information (PHI). PHI is extremely valuable, and Practice Owners aren’t immune to the threat of criminal employees.

Is an Employee Privacy Policy the same as a Notice of Privacy Practices?

The Employee Privacy Policy is not a substitute for a Notice of Privacy Practices. The two are different documents, both in terms of content and scope. The Notice of Privacy Practices should explain in plain language what patients can expect with regard to privacy and treatment of their PHI. The Employee Privacy Policy is a document that ensures your employees understand their responsibilities to protect PHI.

What should I do with Employee Privacy Policies?

Ask employees to read the Employee Privacy Policy, then sign the document and return it to you. You may wish to have employees initial each page to indicate they’ve read the content and understand it.

Provide the employee with a copy of the document they have signed, then file the original. Ideally, you should maintain a file containing only signed copies of the Employee Privacy Policy and HIPAA training certification.

What should I include in the Employee Privacy Policy?

Here are some topics your Employee Privacy Policy should briefly cover:

  • Notice of Privacy Practices
  • Assigning privacy and security responsibilities
  • Deceased individuals
  • Minimum necessary use and disclosure of PHI
  • Marketing activities
  • Privacy complaints
  • Prohibited activities
  • Responsibility
  • Verification of identity
  • Mitigation
  • Safeguards
  • Business associates
  • Training and awareness
  • Material change
  • Sanctions
  • Retention of records
  • Regulatory currency
  • Cooperation with regulatory agencies
  • Investigation and enforcement

What if I need help writing my Employee Privacy Policy?

If you need help writing your Employee Privacy Policy, Smart Training’s Dental Platinum+, Dental Essentials, and Complete Medical Compliance packages provide you with these documents.

With these packages, you will also receive HIPAA-certified employee training modules. Our learning management system (LMS) automatically documents your employee HIPAA training and creates certifications. You can store these certifications with your Employee Privacy Policies.

If you don’t have either of these plans, request a demo with a Compliance Officer here.

Trusting Smart Training is like putting your HIPAA compliance on autopilot.

©2022 Hygienetown, L.L.C., a division of Farran Media, L.L.C. • All Rights Reserved