Complying with HIPAA
Designating a Privacy Officer
The privacy officer is responsible for implementing and overseeing the privacy
policies and procedures for the practice. Small practices may assign the role to
one or more persons, while larger group practices may designate a separate
person to oversee the integrity of personal health information. The privacy
officer has many roles, such as performing a risk assessment of the practice to
determine where vulnerabilities lie with respect to personal health information;
ensuring privacy and security measures and policies are implemented and adhered
to by the practice; and serving as the designated contact person required by the
final rule to receive complaints and provide further information about the
practice's privacy policy and procedures.
Initiating Documentation of Privacy Efforts
A large part of complying with HIPAA requires that a medical practice has
established policies and procedures to reduce the risks of inadvertent
disclosures and to protect the privacy and security of personal health
information. Although some medical practices may already have these policies in
place, they may have to amend existing policies and procedures or create new
policies and procedures. This may be as simple as documenting routine practices
to show a compliance plan is in place and that employees are aware of the
expectations with respect to protecting the privacy and security of personal
health information. Examples of the required policies are discussed in HIPAA and
Medical Practices.
1. Identifying risks
Performing a risk assessment should be the first order of business for a newly
appointed privacy officer. A risk assessment is used to assess where privacy and
security threats may exist with respect to personal health information. Medical
practices deal with a variety of vendors, healthcare entities and other
providers. A first step to assessing the vulnerable areas of a medical practice
can be to make a list of every business function or activity that involves the
use or disclosure of personal health information and to evaluate whether there
are procedures in place to reduce the risk of internal or external threats to
the privacy and security of the personal health information.
A Risk Assessment Survey designed by experts is available in the Manage Your
Practice tab of the Member Center under Regulatory and Legal.
2. Elements of a plan
Once a practice identifies the areas where potential threats to personal health
information exist, it must create a plan around those identified areas to reduce
such risks. Creating a plan establishes the direction and goals a practice must
take to prevent the misuse or unauthorized disclosure of personal health
information. Establishing a plan can be as simple as prohibiting employees from
keeping their username and password on a note attached to their computer, or
implementing a policy that identifies the process for responding to requests for
disclosures of information about your patients.
3. Implementation of a plan
HIPAA compliance does not mean having a binder full of paper with policies and
procedures that the practice does not follow. Policies should be developed or
amended as the practice integrates compliance into its everyday business
activities. Compliance should be incremental so that employees are not
overwhelmed and can gradually build a culture within the practice where
maintaining the privacy of personal health information is a priority of the
practice.
4. IT security plan
This standard applies equally to a large hospital and to a small medical
practice. At a minimum, practices are required to conduct a risk assessment and
develop a security plan to protect confidential patient information from
inadvertent misuse or disclosure. The proposed security standard is divided into
four categories, which were discussed in HIPAA and Medical Practices. Implementation
of a security plan will vary widely depending on the level of digital technology
used in a practice. For example, a practice that submits all claims on paper and
keeps paper medical records will have a different security plan than a practice
where all claims are submitted via the Internet and all medical records are
computerized.
An example of a single component of an IT security plan for each of the four
categories is provided below:
5. Educating colleagues and employees
All personnel having contact with personal health information must be trained on
the practice's privacy and security policies and procedures. Training should be
relevant to the person's function in your practice. All employees should be
aware of the types of data that are considered protected, when health
information may be released, under what circumstances personal health
information may not be released and situations when the security of identifiable
health information may be jeopardized. Training for new employees should occur
within a reasonable period of time after an employee joins the practice. If a
member of the practice takes on new responsibilities with greater rights of
access to personal health information, he or she must also be trained within a
reasonable period of time following the change in position. Training should be
integrated into the practice's compliance plan, including documentation that the
training occurred in accordance with the practice's policies and procedures.
HIPAA covers many types of communications that employees may not even think are
a violation of a patient's privacy under the rule. For example, staff
discussions regarding patients in the office, or in a public space such as an
elevator, can be privacy issues. However, DHHS issued "Privacy Guidance" on two separate
occasions (July 16, 2001 and December 3, 2002) to address specific questions and
concerns raised by the healthcare industry. For example, this guidance stated
that incidental disclosures of personal health information, such as using a
sign-in sheet or speaking quietly when discussing a patient’s condition with
family members in a waiting room or other public areas, are not violations of
the Privacy Rule. Also, structural changes to medical offices are not required
as long as the practice implements reasonable safeguards and precautions to
minimize the chance of inadvertent disclosures to others who may be nearby
and/or the unauthorized access of confidential health information by third
parties.
6. Monitor and enforce
An important part of a privacy officer's role is to ensure the practice is
actively adhering to the privacy and security policies and procedures
established by the practice. As with any type of compliance plan, identifying
risks and implementing a plan to reduce those risks are just the beginning.
Monitoring whether the practice adheres to its own policies and procedures can
help identify whether the policies are working and can reveal new areas of risk
within the practice. Also, if an employee or business associate fails to adhere to the
policies and procedures established by the practice, some form of discipline
must occur and be documented by the practice. Since HIPAA requires medical
practices to provide a complaint process to individuals who feel the practice is
not adhering to its policies and procedures, the government is no longer the
only party to whom medical practices will have to answer about whether they are
HIPAA compliant.