HIPAA Privacy: Are You Ready to Comply?
March 2003 Issue
The compliance date of April 14, 2003 for the HIPAA (Health Insurance Portability & Accountability Act of 1996) Privacy Rule is fast approaching for O&P businesses. Are you ready to comply?
What is Required of an O&P Organization?
An O&P organization that has been identified as a covered entity must complete the following items to be in compliance with the Privacy Rule.
- Designate a Privacy Officer
- Designate a contact person
- Outline a sanction policy
- Document your complaint process
- Determine if any state laws preempt the HIPAA Privacy regulations
- Document your accounting of disclosure procedures
- Develop the following mandatory forms and documents: Notice of Privacy Practices, Authorization Form and Business Associate Contract
- Train all staff who come in contact with protected health information (PHI) on your policies and procedures
- Reasonably safeguard PHI from any intentional or unintentional use or disclosure that the Rule does not permit
How To Prepare Your Organization For Privacy Compliance
Numerous experts and sources outline the steps your organization should take in preparation for privacy compliance. The following steps recur across those sources:
Step 1 - Study the final Privacy Rule.
Become familiar with the final Privacy Rule. Make sure that you have also reviewed any amendments or guidance that the Department of Health and Human Services (DHHS) or the Office for Civil Rights (OCR) has issued. For a copy of the Privacy Rule and the latest updates, visit http://aspe.hhs.gov/admnsimp/bannerps.htm
Step 2 - Designate a Privacy Officer.
The privacy officer will be responsible for creating a comprehensive compliance plan, developing policies and procedures, administering education and training programs, maintaining and documenting the policies and procedures for compliance with the HIPAA regulations, and monitoring ongoing compliance. This person will be responsible for all HIPAA initiatives within your organization.
Step 3 - Start a HIPAA awareness program for top-level management.
Your privacy officer should develop a program to help the top-level management get a better understanding of HIPAA Privacy and its importance within the organization.
Step 4 - Organize a HIPAA compliance task force within your organization.
Ideally, a HIPAA compliance task force should include representatives from each component of your health care system, such as hospitals, clinics and physician practices, and from departments such as HR, administration, IT, and the health care professionals themselves. The privacy officer should lead the task force in addition to the duties the Privacy Rule requires of that role.
Step 5 - Perform a "gap analysis."
Have each department assess where it currently stands with respect to the final Privacy Rule versus where it needs to be. The difference between current practices and required practices is the gap. Examine how your organization uses and discloses protected health information, then track and document the existing flow of PHI inside and outside the organization: the inputs, the roles involved, the outputs, and the type of information each role can access. Examine each database in the organization to determine what PHI you maintain. Identify your business associates as well.
Step 6 - Develop a HIPAA Compliance Plan.
Based on the gap assessment, create a HIPAA Compliance Plan detailing completion dates and responsible individuals. Your HIPAA task force should review and endorse the plan before it is executed. The task force must also state clearly that the privacy officer has the authority to require individuals to complete their assigned tasks.
Step 7 - Define a HIPAA budget.
The privacy officer should define a budget for your HIPAA Privacy initiatives based on the approved Compliance Plan. Create an estimated total budget and a detailed 6-12 month budget, and present both to executive management for approval.
Step 8 - Review state statutes.
Work with your legal counsel to determine if any state laws supersede or conflict with the HIPAA regulations. You can visit http://cms.hhs.gov/hipaa/hipaa1/default.asp for a link to some state statute databases.
Step 9 - Identify a contact person.
Identify who your contact person is going to be. The contact person will answer patients' questions about your forms and privacy practices and will receive their complaints.
Step 10 - Identify all of your business associates.
Identify who your business associates are. You will be required to have a Business Associate Contract in place with every current business associate by April 14, 2004.
Step 11 - Develop your policies, procedures and forms.
Develop your policies, procedures, and forms for each of the HIPAA initiatives, including sanctions for violations. Present them to your legal counsel for an opinion. Ensure that your Standards of Conduct incorporate the HIPAA Privacy Rule.
Step 12 - Have vendors update your current IT software.
If you use packaged software, your software vendors should provide updates that help you meet the Privacy Rule standards, such as recording the disclosures you must account for. The Privacy Rule itself does not require you to update your software.
Step 13 - Ensure all of the Privacy Rule Administration requirements are implemented.
Walk through all of the Privacy Rule requirements and check to ensure you have met the appropriate standards.
Step 14 - Develop a customized training program for employees.
The Privacy Rule requires all staff to be trained on their organization's policies and procedures. The privacy officer should work with human resources to develop a customized training program for the Privacy Rule. Make sure the training is documented and that every employee has completed it.
Step 15 - Monitor your policies, procedures, and staff.
The privacy officer should monitor compliance on an ongoing basis to ensure that the HIPAA policies and procedures are being followed and are working as intended.
Step 16 - Stay current on HIPAA Privacy rules and regulations.
The privacy officer should regularly review the DHHS and Centers for Medicare & Medicaid Services (CMS) websites to stay current on HIPAA Privacy rules and regulations. The privacy officer should subscribe to the DHHS HIPAA update notification service at http://cms.hhs.gov/mailinglists.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. For more information, visit www.provaliant.com.
Editor's note: Additional information about HIPAA can be obtained at a website provided by CMS: www.hipaa.org.