Tools and Tips

To get an idea of the real risk HIPAA poses for a medical provider, take a look at http://www.hhs.gov/ocr/privacyhowtofile.htm, a Web site that describes how to file a Health Information Privacy Complaint with the Office for Civil Rights.

Any patient, or a relative or friend of a patient, can submit this complaint form, resulting in a compliance review that could cost you time and money unless you are prepared.

Is your practice or company really ready? Maybe. But if you are like the majority of physicians and health care professionals I have met over the past few months, you have significant gaps in your HIPAA plan and documentation that could cost you plenty.

Most likely, you have taken the obvious steps, distributing the newly required Notice of Privacy Practices and having patients sign authorizations for releasing protected information.

That still leaves many of the less-visible (but equally important) HIPAA requirements, particularly in areas involving staff and physician training, dealings with outside vendors, data and record security arrangements and documenting compliance over time. In the event of a compliance review, you will have to prove you are compliant, which means documenting every step you take to comply.

The following questions identify some of the more subtle, but common, compliance problems. Answering them will give you a good idea of how your practice will look to an HHS inspector.

1. Has your organization designated a privacy official?

The office manager or other senior staffer usually takes this role. Keep in mind, though, that as the proprietor of a health care practice or business, you are the one on the hook for non-compliance. Make sure your privacy officer understands the entire scope of your HIPAA obligations.

2. Have you assigned the responsibility for maintaining the security of information systems that contain Protected Health Information to an individual or an organization?

This position is also typically held by someone other than the organization head, perhaps even an outside consultant. Once again, you are responsible for their mistakes, so make sure you know what they are doing.

3. Do you have a policy and procedure for limiting the uses and disclosures of Protected Health Information to the minimum necessary information required to accomplish the purpose of the use or disclosure?

This is a basic tenet of HIPAA that many practices fail to document, even as they comply in daily operations. However, if you don't commit your policies and procedures to writing, inspectors will assume you haven't complied.

4. Do you have a policy and procedure requiring verification of identity and authority of individuals and entities requesting disclosures of Protected Health Information?

This is another area where many practices comply in practice, but fail to adequately document a policy and process.

5. Do you provide and document HIPAA Privacy training for all members of your workforce?

HIPAA is intended to change the way health care workers handle information. That happens through training. Don't forget to include physicians and other practitioners as they are the ones who communicate most with patients. Most doctors I have met have overlooked their own training needs.

6. Have you identified all of your business associates and do you have written business associate contracts as required by the Privacy Rule?

Billing services, suppliers, transcription services, ancillary service providers: everyone you provide with patient information may be a HIPAA business associate. You must develop agreements with all of them on how you will work together to protect patient privacy.

7. Do you have a formal, documented process for receiving, acting on and documenting the disposition of privacy complaints?

An inspector is going to want to know all the details of how you handled every complaint. A formal process ensures that you have the information in one place and that you have responded to every complaint.

8. Do you have policies and procedures that address safeguards and mitigation of harm due to violations of an individual's privacy on the part of your workforce or business associates?

In the event of a violation, you have a responsibility to minimize potential harm, such as asking for the return of records mistakenly sent to the wrong address. Your compliance plan is not complete without policies on limiting damages.

9. Do you have a policy and procedure that describes how you modify existing privacy policies and procedures, and how you add new policies and procedures, so you can accommodate changes in the law, or changes you make in your privacy practices?

Compliance is a moving target. Your plan needs a review and update process built in to keep it on the mark.

10. Have you completed a risk analysis to identify and assess the potential risks to electronic Protected Health Information created, received, maintained or transmitted by your organization and taken the appropriate steps to reduce risk and maintain it at an acceptable level?

This is an area that many practices have neglected, in part because it requires sophisticated IT skills. But it is an integral part of protecting patient privacy.

If you answered "no" to any of these questions, you will not be able to generate all the information you will need to respond to a HIPAA complaint and you are not doing everything you should to protect your patients' privacy.

Despite all the confusing information you have seen about HIPAA, developing a comprehensive compliance program doesn't have to be overwhelming. Interactive software packages (similar to popular income tax programs) guide you through a complete practice assessment in about two hours and provide plans, sample forms and policies you need to develop a comprehensive compliance program. Such programs also help document all of your HIPAA activities. The questions above are based on the assessment module from HIPAASays.

Implementing an effective HIPAA compliance plan does take time and effort, and it will change the way you and your staff operate. But if someone files a complaint, you will be ready.

This article originally appeared in the July 2003 issue of HME Business.

About the Authors

Thomas E. Barnard has 20 years of professional experience in the consulting, research and educational areas of environmental engineering. He has worked on projects dealing with water and wastewater treatment systems, water resources, hazardous water management, environmental remediation and solid waste management. He holds a PhD in environmental engineering and is a registered professional engineer in Pennsylvania.

Richard J. Hohmann Jr. has been involved in health care and the DME marketplace for more than 30 years in positions that span from field representative to CEO of his company. Currently he is the senior consultant and vice president for Innovative Leadership of the Delaware Valley, a performance improvement company specializing in organizational and personnel development through education and training. He is currently coaching several executives and management personnel in the health care field. He can be contacted at 732 Society Hill Blvd., Cherry Hill, NJ 08003-2424; (856) 489 - 8665; or visit www.innovativeleadershipdv.com.
