Designating a Privacy Officer
The privacy officer is responsible for implementing and overseeing the
privacy policies and procedures for the practice. Small practices may
assign the role to one or more persons, while larger group practices
may designate a separate person to oversee the integrity of personal
health information. The privacy officer has many roles, such as
performing a risk assessment of the practice to determine where
vulnerabilities lie with respect to personal health information;
ensuring privacy and security measures and policies are implemented and
adhered to by the practice; and serving as the designated contact
person required by the final rule to receive complaints and provide
further information about the practice's privacy policy and procedures.
Initiating Documentation of Privacy Efforts
A large part of complying with HIPAA requires that a medical practice
has established policies and procedures to reduce the risks of
inadvertent disclosures and to protect the privacy and security of
personal health information. Although some medical practices may
already have these policies in place, they may have to amend existing
policies and procedures or create new policies and procedures. This may
be as simple as documenting routine practices to show a compliance plan
is in place and that employees are aware of the expectations with
respect to protecting the privacy and security of personal health
information. Examples of the required policies are discussed in HIPAA
and Medical Practices.
Steps to Privacy and Security Compliance
1. Identifying risks
Performing a risk assessment should
be the first order of business for a newly appointed privacy officer. A
risk assessment is used to assess where privacy and security threats
may exist with respect to personal health information. Medical
practices deal with a variety of vendors, healthcare entities and other
providers. A first step to assessing the vulnerable areas of a medical
practice can be to make a list of every business function or activity
that involves the use or disclosure of personal health information and
to evaluate whether there are procedures in place to reduce the risk of
internal or external threats to the privacy and security of the
personal health information.
A Risk Assessment Survey designed by experts is available in the
Manage Your Practice tab of the Member Center under Regulatory and
Legal.
2. Elements of a plan
Once a practice identifies the areas
where potential threats to personal health information exist, it must
create a plan around those identified areas to reduce such risks.
Creating a plan establishes the direction and goals a practice must
take to prevent the misuse or unauthorized disclosure of personal
health information. Establishing a plan can be as simple as prohibiting
employees from keeping their username and password on a note attached
to their computer, or implementing a policy that defines the process for
responding to requests for disclosure of information about your
patients.
3. Implementation of a plan
HIPAA compliance does not mean
having a binder full of paper with policies and procedures that the
practice does not follow. Policies should be developed or amended as
the practice integrates compliance into its everyday business
activities. Compliance should be incremental so that employees are not
overwhelmed and can gradually build a culture within the practice where
maintaining the privacy of personal health information is a priority of
the practice.
4. IT security plan
This standard applies equally to a large
hospital and to a small medical practice. At a minimum, practices
are required to conduct a risk assessment and develop a security plan
to protect confidential patient information from inadvertent misuse or
disclosure. The proposed security standard is divided into four
categories which were discussed in HIPAA and Medical Practices.
Implementation of a security plan will vary widely depending on the
level of digital technology used in a practice. For example, a practice
that submits all claims on paper and keeps paper medical records will
have a different security plan than a practice where all claims are
submitted via the Internet and all medical records are computerized.
An example of a single component of an IT security plan for each of the four categories is provided below:
Administrative procedures:
All new employees will receive privacy and security training at the
time of hire. All existing employees will receive privacy and security
training within six months of the HIPAA compliance date.
Physical safeguards:
All workstations where patient information is displayed will be
situated so only authorized practice personnel will be able to view the
screen.
Technical security services:
A system is implemented which can authenticate individuals and provide
them with the level of access determined in the administrative
procedures.
Technical security mechanisms:
All products and services using the Internet as a means of transmitting
patient information, and all browsers used in the practice, will support
128-bit encryption.
5. Educating colleagues and employees
All personnel having
contact with personal health information must be trained on the
practice's privacy and security policies and procedures. Training
should be relevant to the person's function in your practice. All
employees should be aware of the types of data that are considered
protected, when health information may be released, under what
circumstances personal health information may not be released and
situations when the security of identifiable health information may be
jeopardized. Training for new employees should occur within a
reasonable period of time after an employee joins the practice. If a
member of the practice takes on new responsibilities with greater
rights of access to personal health information, he or she must also be
trained within a reasonable period of time following the change in
position. Training should be integrated into the practice's compliance
plan, including documentation that the training occurred in accordance
with the practice's policies and procedures.
HIPAA covers many types of communications that employees may not
even realize violate a patient's privacy under the rule. For
example, staff discussions about patients in the office or in a
public space, or any discussion loud enough to be overheard, are privacy
issues.
6. Monitor and enforce
An important part of a privacy
officer's role is to ensure the practice is actively adhering to the
privacy and security policies and procedures established by the
practice. As with any type of compliance plan, identifying risks and
implementing a plan to reduce those risks are just the beginning.
Monitoring whether the practice adheres to its own policies and
procedures can help identify whether the policies are working or new
areas of risk within the practice. Also, if an employee or business
associate fails to adhere to the policies and procedures established by
the practice, some form of discipline must occur and be documented by
the practice. Since HIPAA requires medical practices to provide a
complaint process to individuals who feel the practice is not adhering
to its policies and procedures, the government is no longer the only
party to whom medical practices will have to answer about whether they
are HIPAA compliant.