Vol. 13 • Issue 24 • Page 25
HIPAA Compliance Strategies:
Monitor your efforts
As the April 14, 2003 HIPAA privacy deadline passed, most health care organizations had successfully developed the policy and procedure framework necessary for HIPAA compliance. Developing policies and procedures, however, is not sufficient to ensure ongoing organizational compliance. The organization, under the guidance of the privacy officer, must periodically monitor the privacy protections to ensure that they are effective and that employees are aware of them. This article discusses initial areas of focus the organization can address, as well as suggestions for maintaining ongoing HIPAA compliance.
Policies and Procedures
For HIPAA policies and procedures to be effective, they must be written in language that the work force will understand and be able to follow. Work with staff members to determine whether any policies and procedures are written in language that is too difficult to understand. Communication with the staff will also allow the privacy officer to discover policies and procedures that do not work in practice, rather than discovering the problem as the result of a patient complaint.
When reviewing the HIPAA policies and procedures, begin with those that address patient rights, because these are the policies and procedures most likely to result in complaints. As of mid-June 2003, the Office for Civil Rights (OCR) had received 637 privacy-related complaints, 260 of which were accepted for investigation. Two of the top three reasons for the complaints were patient-rights related: the patient was denied access to his or her medical record, and no Notice of Privacy Practices was provided to the patient (the third reason was inadequate privacy safeguards in treatment settings). Reviewing the effectiveness of organizational policies and procedures should be of paramount concern to all covered entities.
Notice of Privacy Practices
Covered entities are required to make a good faith effort to provide all individuals with their Notice of Privacy Practices (NPP) and to obtain a written acknowledgment of receipt. To ensure this process is being followed, organizations should review the signed acknowledgments as part of chart review. Review a random sample of inpatient and outpatient charts to determine whether the signed acknowledgment is present. If software is used to track whether a patient has received the NPP, perform a system audit to confirm that every patient flagged as having received the NPP actually has a recorded acknowledgment; a flag without an acknowledgment on file is either a data-entry error or a missing form, and both need follow-up. For patients who do not have a signed acknowledgment in their chart, the reviewer should then determine whether documentation is present capturing the good faith effort to obtain a signed acknowledgment and the reason why the acknowledgment could not be obtained. Review of the NPP acknowledgment can be added to the duties of teams that already perform open or closed chart review.
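The two checks described above, the full-population system audit of the tracking flag against the chart and the random-sample chart review with its three possible outcomes, can be scripted once the tracking system and chart-review results are available as records. The following is an added example and not code or data from the original article; the patient IDs, the field names `ack` and `good_faith`, and the outcome categories are constructed assumptions.

```python
"""NPP acknowledgment audit (added example, not from the original article).

Reconciles a tracking system's "NPP received" flag against what a chart
reviewer actually found, and classifies a random chart sample into the
three outcomes the review procedure distinguishes. All records below are
constructed sample data; the field names are assumptions.
"""
import random
from collections import Counter

# Constructed sample: what the tracking system says about each patient.
TRACKING_FLAGS = {
    "P001": True, "P002": True, "P003": False, "P004": True,
    "P005": False, "P006": True, "P007": True, "P008": False,
}

# Constructed sample: what the chart reviewer found in each chart.
#   ack        - a signed acknowledgment is present in the chart
#   good_faith - note documenting the attempt and why no signature was obtained
CHARTS = {
    "P001": {"ack": True,  "good_faith": None},
    "P002": {"ack": False, "good_faith": None},                 # flagged, nothing on file
    "P003": {"ack": False, "good_faith": "patient refused to sign"},
    "P004": {"ack": True,  "good_faith": None},
    "P005": {"ack": False, "good_faith": None},                 # deficient
    "P006": {"ack": False, "good_faith": "emergency admission"},  # flagged, good-faith note only
    "P007": {"ack": True,  "good_faith": None},
    "P008": {"ack": True,  "good_faith": None},                 # ack on file, flag never set
}


def classify_chart(chart):
    """Outcome for one chart, checked in the order the review procedure uses:
    signed acknowledgment first, then documented good-faith effort, else deficient."""
    if chart.get("ack", False):
        return "acknowledged"
    if chart.get("good_faith"):
        return "good_faith_documented"
    return "deficient"


def system_audit(tracking, charts):
    """System audit over the full population: patients the tracking system flags
    as having received the NPP but whose chart holds no signed acknowledgment.
    Returned sorted so the finding is stable from run to run."""
    return sorted(
        pid for pid, received in tracking.items()
        if received and not charts.get(pid, {}).get("ack", False)
    )


def unflagged_acknowledgments(tracking, charts):
    """The reverse discrepancy: acknowledgment on file but the flag was never set.
    Not a privacy failure, but it means the tracking data cannot be trusted."""
    return sorted(
        pid for pid, chart in charts.items()
        if chart.get("ack", False) and not tracking.get(pid, False)
    )


def sample_chart_review(charts, sample_size, seed=None):
    """Draw a random chart sample (seed only for reproducibility) and classify it.
    Returns ({patient_id: outcome}, Counter of outcomes)."""
    rng = random.Random(seed)
    population = sorted(charts)                     # random.sample needs a sequence
    sample = rng.sample(population, min(sample_size, len(population)))
    outcomes = {pid: classify_chart(charts[pid]) for pid in sorted(sample)}
    return outcomes, Counter(outcomes.values())


if __name__ == "__main__":
    print("Flagged as received, no acknowledgment on file:",
          system_audit(TRACKING_FLAGS, CHARTS))
    print("Acknowledgment on file, never flagged:",
          unflagged_acknowledgments(TRACKING_FLAGS, CHARTS))
    outcomes, counts = sample_chart_review(CHARTS, sample_size=4, seed=2003)
    for pid, outcome in outcomes.items():
        print(f"  {pid}: {outcome}")
    print("Sample summary:", dict(counts))
```

The system audit runs over every patient because it is cheap once both data sets are exported, while the chart review is sampled because it requires a person to open the chart. A reviewer would follow up each `deficient` chart individually and treat a non-trivial count of `flagged_without_ack` results as evidence that the tracking software's flag is being set before the form is actually signed.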
Tracking Disclosures
Covered entities are responsible for providing individuals, on request, with an accounting of disclosures of their protected health information (PHI). To ensure that disclosure information is being captured, develop a process for tracking disclosures of PHI; this can be a software solution or strictly a paper process. To ensure that individual requests for an accounting of disclosures are handled appropriately by health information management (HIM) staff, the privacy officer should review the information being provided in the accounting and conduct periodic education for the staff involved to ensure they are following the tracking protocol.
Staff Training
A covered entity's success at maintaining HIPAA compliance largely depends on how thoroughly it educates the work force on the organizational policies and procedures and on the importance of protecting the privacy of PHI. The privacy officer should review the training attendance rosters to ensure that all staff receive initial HIPAA training. Design training content to ensure that the work force receives education on the organizational safeguards for reducing the risk of accidental or inappropriate access, use or disclosure of PHI. Staff members should be well educated on the process for reporting suspected violations of organizational policies and procedures, and should know which individuals are available to answer any HIPAA-related questions that may arise.
Following initial HIPAA training, it is critical for the organization to reinforce the policies and procedures to all staff. Tailor training programs to the needs of the audience. Provide specialized training to all clinicians, HIM and business office staff. Update the training material to ensure that the most current information is being provided to staff.
Additionally, as the HIPAA security rule deadline approaches, covered entities should also begin to implement security awareness training for their work force. Areas that should be addressed in the security awareness training include security reminders, protection from malicious software, log-in monitoring and password management (the four implementation specifications of the security rule's security awareness and training standard).
Business Associates
Covered entities must ensure that business associate (BA) contracts contain the necessary provisions and protections before PHI is shared. Develop a process to ensure that a listing of all current BAs is maintained and periodically reviewed. The privacy officer, with the assistance of legal counsel, should review the BA contracts on at least an annual basis. This review confirms that each vendor meets the criteria for qualifying as a BA under the privacy regulations and that the appropriate provisions have been included in the vendor contracts.
Facility Tour
A facility tour provides the privacy and security officers with the opportunity to observe whether the staff members are consistently carrying out the written policies and procedures. Findings of the facility tours should be reported to the HIPAA Task Force and/or Compliance Committee. HIPAA areas to observe include:
•Disposal of PHI
•Visibility of PHI
•Verbal communications among staff members
•Access to PHI
•Protocol in patient care areas
•Location of printers and fax machines used for transmitting PHI
•Information captured on sign-in sheets
•Response to patient requests for medical records
•Information being maintained on bulletin boards, whiteboards and other highly visible locations
•Maintenance of workstation areas
Periodically, the facility tour can include a HIPAA question and answer session with staff members. Pose questions and hypotheticals to staff members to review the processes for handling situations involving HIPAA issues. Scenarios can include:
•How to handle requests for PHI from business associates
•Confirming the identity of individuals requesting PHI over the telephone
•Appropriate information to leave on an answering machine
•Steps to take when the individual refuses to sign the NPP acknowledgment
•Fax machine protocol
•Inappropriate conversations involving PHI
•De-identifying PHI
•What to do when a co-worker is observed committing a HIPAA violation
•Password maintenance
Take the opportunity after the HIPAA Q&A session to reinforce the importance of work force vigilance. All members of the work force are responsible for ensuring that unauthorized use or disclosure of PHI does not occur and working to prevent such incidents.
Trend Reported Complaints
The best approach to avoiding HIPAA litigation is to prevent violations from occurring at all. But if a violation does occur and a complaint is lodged, the organization must keep a detailed written record of the complaint. Trending and periodically reviewing the reported complaints will assist the privacy officer in investigating and resolving each issue and in ensuring that all complaints are appropriately addressed. Individuals are less likely to report an issue to the OCR if they are confident that a complaint lodged with the organization will not be ignored. Trending will also increase the privacy officer's awareness of problem areas within the organization.
It is important for covered entities to adopt the view that HIPAA compliance is an ongoing process. Adopting the policies and procedures that govern organizational compliance is a significant step, but that step alone does not guarantee that violations will not occur. The privacy officer must periodically and consistently review the protections that have been implemented to ensure that all employees are aware of and are following the guidelines that have been provided to them. Developing HIPAA-related policies and procedures and reviewing their effectiveness within the organization will assist the privacy officer in identifying HIPAA-related problems, correcting identified deficiencies, and developing a mechanism to prevent future violations. The result is fewer HIPAA violations, better organizational decision-making and an improved organizational image.
Lynne Koshar is the director of compliance and regulatory services for Precyse Solutions’ HIM Service Group. Koshar is a health care attorney who has been working with Precyse since 1998. She has been a senior consultant and frequent speaker on compliance and HIPAA topics. She may be reached at [email protected]. Linda Bugdanowitz is a senior HIM consultant for Precyse Solutions’ HIM service group that focuses on interim HIM management. She may be reached at [email protected].