Healthcare organizations must create their own compliance programs, he said; a program can't simply be bought, put on a shelf, and ignored. Although boilerplate information can be a good start, particularly for training new employees, it must be revised and enhanced continually to create a living program. The program should include:
- Compliance procedures.
- Employee training and sanctions.
- Disclosure safeguards.
- Procedures to verify and authorize users for non-routine business.
- Documentation, including policies, procedures, and retention requirements.
The U.S. Department of Justice has created detailed written procedures for setting up a compliance plan. Goldberg maintains the information on his Web site, www.healthlawyer.com.
Larger organizations will need to create privacy or compliance officer positions. The officer must at once be respected, effective, and assertive, and must wield sufficient authority to oversee security monitoring and oversight responsibilities, Goldberg said.
"I'm not talking about HIPAA spies," he said. "The person really has to have an open-door policy in terms of being able to hold secure information. The HIPAA person has to be a teacher and a preacher. You want someone who can oversee audits and conduct investigations," he said, "and the board of directors has to be involved at the highest level."
The officer serves as the HIPAA liaison between different parts of the organization, as well as vendors, government agents, and other third parties, working to develop policies and procedures that are appropriate for the organization. These policies should reflect as much as possible existing business practices.
The compliance officer also creates a cross-departmental compliance committee that might include billing and IT managers, the CFO, medical and clinical personnel, the HR director, and the legal department, Goldberg said. In larger organizations, the committee should establish subcommittees to focus on different parts of the law. Larger organizations might also hire a separate HIPAA information technology officer.
The compliance committee educates management and board members, sets the budget for initial compliance activities, and evaluates how PHI is used and disclosed within the organization and how well existing policies and procedures protect that information. It performs a baseline audit of the organization before the measures are implemented. It oversees a "gap" assessment of the computer system to find weaknesses and correct them. It works to ensure that all of the organization's contracts integrate the changes resulting from implementation of the procedures.
The committee must develop a training plan for employees who have access to PHI, implement and monitor training, and ensure that employees have read and acknowledged receipt of all materials. Procedures must be in place to handle unusual requests for information, and employees must be ready to deal with them. For organizations with employee groups whose primary language is not English, the HIPAA materials might need to be translated.
"Some organizations have started testing people in their HIPAA knowledge, giving them certificates of HIPAA distinction," he said.
Likewise, employee reviews should include an assessment of employees' compliance with the procedures, he said, and managers who don't train should also be disciplined in a manner that corresponds with published disciplinary guidelines.
And, he warned, if the organization finds major problems, or the government attempts to investigate and prosecute for alleged HIPAA violations, the organization should talk to its lawyer before talking to the government or anyone else.
"Always have contingency plans, like a prepaid ticket to Switzerland," he quipped.
Employees should be on the lookout for violations and do their work openly, checking, for example, whether computers are left on during lunch with PHI exposed on the screen. If they hear inappropriate patient information being discussed in the lunchroom, they should deal with it immediately, not at some later time.
"Everybody from the CEO on down has to be HIPAA-centric, HIPAA-knowledgeable, HIPAA-embracing," Goldberg said. "You want effective lines of communication when you're dealing with privacy. You want confidentiality and non-retaliation policies. You want to know people won't be fired for reporting bad HIPAA, and you want resources," such as hot lines, suggestion boxes, or 800 numbers to make the process easier.
"We're really looking at a cultural paradigm shift. Almost every day in the media, on TV and the Internet, people are talking about privacy and confidentiality," Goldberg said. "...I want you all to be HIPAA heroes. And when you go back to your law firms, your institutions, wherever you came from, whatever you do, and people [ask] what do you do, say 'I'm a HIPAA Hero!'"
By Eric Barnes
AuntMinnie.com staff writer
December 11, 2000
Additional HIPAA resources can be found at:
Related Reading
Encryption is key to medical data security, September 19, 2000
Biometrics comes of age as security takes center stage, September 19, 2000
New HIPAA rules portend sweeping changes in medical data security, June 27, 2000
Copyright © 2000 AuntMinnie.com