HIPAA, compliance programs fit like gloves

ATLANTA - Healthcare institutions can take advantage of existing corporate compliance programs as they work to implement Health Insurance Portability and Accountability Act (HIPAA) standards.

The two programs are a natural fit, according to a presentation Wednesday at the 2002 Healthcare Information and Management Systems Society (HIMSS) meeting.

Many healthcare facilities have implemented compliance programs to prevent, detect, and correct unwanted conduct and avoid financial loss, legal liability, and harm to their reputations, said Patricia Carter, an attorney with Minneapolis law firm Gray, Plant, Mooty & Bennett.

The U.S. Office of the Inspector General (OIG) has encouraged careful attention to such programs, which analyze operations, assess risks, and direct compliance efforts in healthcare facilities.

"Those same skills, and individuals involved in that process, will serve you well for HIPAA purposes," Carter said, listing seven core elements of an effective compliance program:

  • Written standards and procedures
  • A compliance officer
  • Training
  • Open and effective lines of communication
  • Internal audits and evaluations
  • Enforcement of standards through clear disciplinary guidelines
  • Response to offenses and correction of errors

The same steps can be applied to compliance with HIPAA's privacy and security regulations, Carter said. HIPAA demands documented policies to address all components of privacy and security, she said. A security policy should cover a high code of conduct.

A HIPAA privacy officer should be appointed, with responsibility for development and implementation of privacy policies and procedures. This person would work with the compliance officer, and could also fill that role, she said.

A security officer should also be appointed, tasked with overseeing security measures and the conduct of personnel regarding protection of data. The security officer should not serve as the compliance officer or privacy officer, she said.

Privacy training covering policies and procedures needs to be developed to satisfy regulations, with specific training of select employees depending on job responsibilities, she said. Security awareness training should be provided for all employees, including training on viruses and password management. As with privacy, specific security training of select employees should be given depending on job responsibilities.

All new employees should receive training, with all employees receiving training at least annually. Attendance should be documented. Information on sanctions, as well as reporting processes for noncompliance, should be disseminated, Carter said. It's a good idea to integrate privacy and security training with compliance training as well, she said.

A contact person should be designated to receive privacy complaints, and a process should be formed on how to receive, document, and respond to complaints. For HIPAA security, documented security incident procedures should be formulated. A formal mechanism should be instituted to document security incidents, and formal rules should be set up spelling out the response to security incident reports, Carter said.

While specific auditing is not required for HIPAA's privacy regulations, auditing is recommended to verify adherence to privacy policies and procedures, she said. Institutions should track disclosures, as they must account for all disclosures upon request.

Security monitoring efforts should be focused on identified risk areas. Officials should review records of system activity, but also focus review on improper access and patterns of system activity, she said.

As for disciplinary guidelines, institutions must develop and apply appropriate sanctions for noncompliance with privacy regulations. Sanctions and discipline policies and procedures for security violations should be communicated to all employees, agents, and contractors, Carter said. Background checks should be performed.

The compliance team should develop procedures to mitigate any harm from improper use or disclosure of information, and spell out formal procedures covering incident reporting and response procedures for security-related matters.

Carter said it's important to keep records, both for the compliance and HIPAA programs. These records should cover reports, responses, internal investigations, and corrective action.

While security regulations are still in proposed form, institutions must comply with HIPAA privacy regulations by April 2003, she said.

"Now is a good time to start," Carter said. "Apply lessons that you learned from the compliance program to help smooth the transition to implementation of the HIPAA privacy and security standards."

By Erik L. Ridley
AuntMinnie.com staff writer
February 1, 2002

Copyright © 2002 AuntMinnie.com
