
Ask yourself these questions
By Tom Speers
To get an idea of the real risk HIPAA poses for a health care provider, take a look at www.hhs.gov/ocr/privacyhowtofile.htm. This website describes how to file a Health Information Privacy Complaint with the Office for Civil Rights. Any patient, or a relative or friend of a patient, can submit this complaint form, resulting in a compliance review that could cost you time and money—unless you’re prepared.
Is your practice really ready? Maybe. But if you’re like the majority of health care professionals I’ve met over the past few months, you have significant gaps in your HIPAA plan and documentation that could cost you plenty. Most likely, you’ve taken the obvious steps—distributing the newly required Notice of Privacy Practices and having patients sign authorizations for releasing protected information.
That still leaves many of the less visible (but equally important) HIPAA requirements, particularly in areas involving staff and doctor training, dealings with outside vendors, data and record security arrangements, and documenting compliance over time. In the event of a compliance review, you’ll have to prove you’re compliant. That means documenting every step you take to comply.
The following questions identify some of the more subtle, but common, compliance problems. Answering them will give you a pretty good idea of how your practice will look to a Health and Human Services inspector.
Has your organization designated a privacy official? The office manager or other senior staffer usually takes this role. Keep in mind, though, that as the proprietor of a health care practice or business, you’re the one on the hook for non-compliance. Make sure your privacy officer understands the entire scope of your HIPAA obligations.
Have you assigned the responsibility for maintaining the security of information systems that contain protected health information (PHI) to an individual or an organization? This position is typically held by someone other than the organization head, perhaps even an outside consultant. Once again, you’re responsible for their mistakes, so make sure you know what they’re doing.
Do you have a policy and procedure for limiting the uses and disclosures of PHI to the minimum necessary information required to accomplish the purpose of the use or disclosure? This is a basic tenet of HIPAA that many practices fail to document, even as they comply in daily operations. However, if you don’t commit your policies and procedures to writing, inspectors will assume you haven’t complied.
Do you have a policy and procedure requiring verification of identity and authority of individuals and entities requesting disclosures of PHI? This is another area where many practices comply in practice, but fail to adequately document a policy and process.
Do you provide and document HIPAA privacy training for all members of your workforce? HIPAA is intended to change the way health care workers handle information. That happens through training. Don’t forget to include doctors and other practitioners, as they’re the ones who communicate most with patients. Most doctors I’ve met have overlooked their own training needs.
Have you identified all of your business associates and do you have written business associate contracts as required by the privacy rule? Billing services, suppliers, transcription services, ancillary service providers—everyone to whom you provide patient information may be a HIPAA business associate. You must develop agreements with all of them on how you will work together to protect patient privacy.
Do you have a formal, documented process for receiving, acting on and documenting the disposition of privacy complaints? An inspector is going to want to know all the details of how you handled every complaint. A formal process ensures you’ve got the information in one place and that you’ve responded to every complaint.
Do you have policies and procedures that address safeguards and mitigation of harm due to violations of an individual’s privacy on the part of your workforce or business associates? In the event of a violation, you have a responsibility to minimize potential harm, such as asking for the return of records mistakenly sent to the wrong address. Your compliance plan is not complete without policies on limiting damages.
Do you have a policy and procedure that describes how you modify existing privacy policies and procedures, and how you add new policies and procedures, so you can accommodate changes in the law, or changes you make in your privacy practices? Compliance is a moving target. Your plan needs a review and update process built in to keep it on the mark.
Have you completed a risk analysis to identify and assess the potential risks to electronic PHI created, received, maintained or transmitted by your organization and taken the appropriate steps to reduce risk and maintain it at an acceptable level? This is an area that many practices have neglected, in part because it requires sophisticated technology skills, but it is an integral part of protecting patient privacy.
If you answered “No” to any of these questions, you will not be able to generate all the information you’ll need to respond to a HIPAA complaint—and you are not doing everything you should to protect your patients’ privacy.
Despite all the confusing information you’ve seen about HIPAA, developing a comprehensive compliance program doesn’t have to be overwhelming. Interactive software packages (similar to popular income tax programs) guide you through a complete practice assessment in about two hours—and provide plans, sample forms and policies you need to develop a comprehensive compliance program. Such programs also help document all your HIPAA activities. A variety of literature also exists on the subject, from articles that have appeared in this magazine to online information at the U.S. Department of Health and Human Services’ website: www.hhs.gov/ocr/hipaa/.
Implementing an effective HIPAA compliance plan does take time and effort, and it will change the way you and your staff operate. Taking the time now to implement these changes makes you legally prepared to face a privacy complaint, and if you’re meticulous in your implementation, it also prevents those complaints from ever arising.
About the author: Tom Speers is a consultant with HealthCare Information Solutions in Kalamazoo, Mich., and a developer of HIPAASays software, produced by SaysSuite.
© Copyright 2003 Today's Chiropractic