10 Steps to Readiness

October 1, 2002

10 steps to HIPAA readiness

If you haven't started your HIPAA compliance efforts already, now is the time. The following plan describes 10 essential steps that all physicians and physician groups should take in 2002 toward HIPAA readiness.

Appoint and train a privacy officer

Even if it weren't required by the Privacy Rule (and it is), a necessary first step is to appoint someone in your practice as the "go to" person for HIPAA. Does this mean that every physician group must hire an additional employee to be the designated privacy officer? No. But it does mean that someone in your organization will have to understand HIPAA and be responsible for compliance.

The designated employee must have a working knowledge of and familiarity with the regulations in order to properly analyze the HIPAA compliance issues that your practice may face.

The designated privacy officer is going to be very busy at first, and the longer your practice waits to appoint one, the less time that person will have to learn about HIPAA and complete necessary tasks. Unless you plan to hire someone to work full-time in this position, your practice will benefit greatly from appointing and educating an officer as soon as possible.

Conduct an internal assessment or "gap analysis"

Once a privacy officer has been designated and trained, the next step is to conduct an internal assessment of existing policies, procedures, and practices for collecting and handling medical records and other patient information to determine where the gaps may be in your practice's ability to meet HIPAA standards.

What information is collected from patients? Where is it stored? Who has access to it? What forms are currently used to obtain consent and authorization for necessary disclosures? With what third parties do you share protected health information? These and other questions must be asked and answered to identify risk areas and set priorities.

Because this assessment may disclose inadequacies or troublesome areas in your practice, it is also advisable, before you begin the assessment, to consult an attorney for assistance in order to obtain the protection of the attorney-client privilege to the fullest extent possible.

This project will take considerable time. Depending on the size and complexity of your practice and the amount of time that the privacy officer and other staff members are able to devote to the job, a comprehensive assessment could take from two to six months.

Identify and enter into agreements with business associates

One of the more controversial provisions in the new law requires healthcare providers to enter into special agreements with nonemployee service providers that may have access to protected health information ("PHI").

For example, contracts with third-party record storage facilities, translators, or collection agencies will need to include provisions that comply with the HIPAA standards for Business Associates. Under the Privacy Rule, a covered entity must obtain satisfactory assurance that the Business Associates will appropriately safeguard PHI.

Changes to the privacy standards announced on August 14, 2002 provide some relief from the administrative burden of complying with the Business Associate requirements. The recent changes include a transition period during which an existing contract will be "deemed" to be in compliance until April 14, 2004 or the date such contract is renewed or modified.

In addition, the revised privacy standards include an appendix with model Business Associate contract provisions to assist healthcare providers in meeting their compliance obligations.

Adopt a policy regarding minimum necessary disclosures

The Privacy Rule requires physicians to make "reasonable efforts" to limit PHI to the minimum necessary to accomplish the intended purpose of a use, disclosure, or request. Although this minimum necessary requirement does not apply to disclosures made for treatment purposes, it will require healthcare providers to carefully consider existing practices.

Healthcare providers will need to consider to whom they grant access and whether these people actually need access to all the information they currently receive.

Adopt a notice of privacy practices

Each covered entity must adopt a notice of privacy practices. Like the privacy notices that all financial institutions were required to provide to customers last year, the notice of privacy practices must describe the uses and disclosures that the entity is permitted or required to make under the rule without additional written authorization.

Although a number of form notices are available, it is important to tailor the notice to the practices of your organization.

Changes to the Privacy Rule published in August 2002 strengthen the requirements for healthcare providers to notify patients about their privacy rights and practices, and require them to make a good faith effort to obtain patients' written acknowledgement of the notice.

Adopt HIPAA-compliant authorizations

For disclosures unrelated to treatment, payment, or healthcare operations, such as research and marketing, covered entities are required to obtain written authorization. For example, a physician would need an authorization to disclose information to an employer for employment decisions, or to disclose information related to eligibility for life insurance.

Although you may currently have an authorization form in place that is consistent with existing state law, changes may be required in order to meet the detailed requirements for authorizations as set forth in the final Privacy Rule.

Adopt procedures for handling patient requests for access to their medical records

Covered entities must allow patients to make certain requests regarding their own PHI. Patients should be able to place restrictions on the use or disclosure of PHI, request access to inspect and obtain a copy of PHI, request that amendments be made to their information, and request an accounting of certain disclosures of their PHI.

The policies and procedures for accommodating these requests may be similar to an organization's current practices. Rather than starting from scratch, healthcare providers should consider modifying current practices to meet the regulatory requirements. For example, review what you already do if someone requests access. If you turn that into a written policy, will you meet HIPAA requirements without any further work?

Amend employee manuals regarding the HIPAA Privacy Rule

Since the HIPAA Privacy Rule requires that various policies and procedures be in place in order to protect the privacy of individually identifiable health information, employee manuals must be updated to reflect these policies and procedures. Note, however, that small providers will be able to develop more limited policies and procedures under the rule than large providers and health plans, based on the volume of PHI.

Train employees

Once your practice-specific policies, procedures, consents, and notices are in place, it will be critical to train your staff. HIPAA requires all covered entities to train all workforce members on policies and procedures regarding PHI, "as necessary and appropriate" for them to carry out their functions.

The implementation specifications describe when employees must receive their training and the documentation of the training, but they do not otherwise specify the details of the training itself, which is left to the employer. Methods may include classroom instruction, videos, booklets, or brochures tailored to the particular needs of workers and employers. For most physicians' practices, this responsibility will fall to the designated privacy officer.

Documentation

Documentation of your HIPAA compliance efforts is critical. The privacy regulations impose extensive and specific documentation requirements on covered entities. For example, a covered entity must retain signed authorizations, copies of the Notices of Privacy Practices, and any agreements with patients restricting disclosure of PHI.

In addition to meeting these specific requirements, the covered entity should retain documentation to show that reasonable steps were taken to meet generalized and scalable standards imposed by HIPAA. The minimum necessary standard, for example, requires a covered entity to take "reasonable efforts" to limit disclosures of PHI.

Without consistent documentation, it may be difficult to show that reasonable efforts were taken under the circumstances. Covered entities should also document staff training, adoption of policies and procedures, and other efforts to comply with HIPAA.

David Schoolcraft can be reached at editor@physicianspractice.com.

This article originally appeared in the October 2002 issue of Physicians Practice.