With fewer than 90 days left before all of the HIPAA revisions begin enforcement, Health Centers should be well on their way to compliance. If you are not, here are a quick dozen things you should get started on:
Do an inventory of your PHI
One of the major problems many facilities have is that they don’t have a good idea of what private information they have. If you already did an inventory and it is more than two years old, do it again. You need to know what information you have, what form it is in, how it is acquired, how it is used, how it is stored, and who has access to it.
Do a risk assessment/gap analysis
HIPAA requires a risk assessment that identifies potential risks and gaps in your system to protect against those risks for HIPAA privacy rules, HIPAA security rules, and non-HIPAA exposures under state laws and professional liability theories. Meaningful use criteria also require a risk assessment. This assessment should include processes and systems, but it should also include risks from your workforce. With workforce errors being high on the list of causes for data breaches, exposure to honest mistakes and intentional violations must be anticipated. Repeat every two years or in the event of a substantial change (such as adopting an EHR) or privacy/security incident.
Prepare a risk management plan
Risk management is an important part of the “Redeeming” application. It is the part where the Board has considered the risk assessment and decided what process the CHC will follow to address the risks and gaps. In the event of an audit or investigation, the OCR will want evidence of leadership involvement, a written plan, and effective implementation.
Prepare or update your policies and procedures
Policies and procedures need to be reviewed at least annually and every time CMS alters the HIPAA rules or issues an interpretation. They need to be kept current and carefully coordinated to prevent gaps and inconsistencies. The policies should address privacy, breach, and security, as well as training, monitoring, and discipline. They should be created by and for your facility. Purchased templates have definite flaws: 1) One size never fits anyone; 2) You are not invested in their creation; 3) They sit on the shelf and are never reviewed; 4) They are never followed closely enough to avoid violations.
Have a policy on data retention and follow it. Systematically destroy documents that you no longer need. More data means more potential liability.
Have a policy on litigation holds. This becomes much more difficult when you go to EHR, so talk to your vendor, your gap insurance risk management folks, FTCA consultants, and/or your cyber-insurance carrier about what they can suggest for your current records system.
Have a policy on criminal background checks. Do them on everyone.
Have policies on physical security, portable media, taking records out of the office, remote access, BYOD, laptops, cell phones, social media, etc.
Now train, train, train…
One of the most common violations for all of the federal regulations is a failure to properly and “adequately” train providers and employees. OCR will expect that employees and providers are properly trained through an orientation process prior to assuming their duties and that they will be retrained at least annually. They also must be retrained when policies and procedures change.
Training is important, but it also must be relevant and useful or it is quickly forgotten or ignored. The most effective training is provided to staff with similar functions and tightly focused on just those aspects of the law and policies that apply to their job. Real life examples also improve performance a great deal.
I suggest that data breach procedures be presented in separate training sessions from privacy and security general training. Getting everything in at once may help the schedule, but generally trashes any hope of long term information retention.
Perform regular and frequent monitoring and performance audits
Do not rely on the built-in audit features of your EHR to feel assured that you are in compliance. Someone has to actually look at the reports and analyze them for them to do any good. With OCR expectations of active surveillance and correction, CHCs have to assign a trained person to review security and privacy aspects in as close to real time as is feasible in your setting.
By monitoring, I am referring to going over logs and other records on a continuous basis to identify access or security issues as quickly as possible, should they occur. Auditing is typically a process of requiring internal proof of compliance, using standards similar to those that OCR would apply. Audits may be done less frequently, unless monitoring reveals an issue.
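The kind of log review described above, as an added illustration that is not part of the original post and not any EHR vendor's code: a short Python pass over constructed EHR access-log lines that flags the access patterns a privacy officer would pull for follow-up (a user opening a record of a patient not under their care, access outside normal hours, and one user opening many records in a short window). The log format, field names, care-team mapping, business hours and bulk threshold are all assumptions made for this example; a real CHC would substitute its own EHR export and its own thresholds.

```python
"""Added example (not from the original post): a minimal monitoring pass over
constructed EHR access-log lines. Log format, field names, care-team mapping
and thresholds are assumptions made for this illustration."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log export: timestamp, user, role, patient_id, action
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2013-07-01 09:12:04,nurse01,nurse,P1001,view
2013-07-01 09:15:30,nurse01,nurse,P1002,view
2013-07-01 10:02:11,billing03,billing,P1001,view
2013-07-01 22:47:09,frontdesk02,frontdesk,P1003,view
2013-07-01 22:48:15,frontdesk02,frontdesk,P1004,view
2013-07-01 22:49:01,frontdesk02,frontdesk,P1005,view
2013-07-01 22:49:40,frontdesk02,frontdesk,P1006,view
2013-07-01 14:30:00,drsmith,provider,P1002,view
"""

# Constructed: which workforce members have a treatment/payment reason
# to open each patient's record (in practice, derived from scheduling,
# encounter and billing data).
CARE_TEAM = {
    "P1001": {"nurse01", "billing03", "drsmith"},
    "P1002": {"nurse01", "drsmith"},
    "P1003": {"frontdesk02", "drsmith"},
    "P1004": {"drsmith"},
    "P1005": {"drsmith"},
    "P1006": {"drsmith"},
}

BUSINESS_HOURS = (7, 19)   # assumption: 07:00-19:00 is a normal working day
BULK_THRESHOLD = 3         # assumption: more than 3 distinct patients per hour is unusual


def parse_log(text):
    """Parse the CSV export into rows with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def review_access(rows):
    """Return a list of (finding_kind, user, detail, when) tuples to review."""
    findings = []
    patients_per_user_hour = defaultdict(set)
    for r in rows:
        ts, user, pid = r["timestamp"], r["user"], r["patient_id"]
        # 1. Access by someone with no documented relationship to the patient
        if user not in CARE_TEAM.get(pid, set()):
            findings.append(("not_on_care_team", user, pid, ts))
        # 2. Access outside normal hours
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", user, pid, ts))
        # Collect distinct patients opened by each user in each clock hour
        patients_per_user_hour[(user, ts.strftime("%Y-%m-%d %H"))].add(pid)
    # 3. One user touching many different charts in a short window
    for (user, hour), pids in patients_per_user_hour.items():
        if len(pids) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, hour, len(pids)))
    return findings


def summarize(findings):
    """Count findings by kind, the figure a monthly privacy report would carry."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = review_access(parse_log(SAMPLE_LOG))
    for f in results:
        print(f)
    print(summarize(results))
```

Each flag is only a prompt for a human to look at the event; as the post says, the value comes from someone actually reading and acting on the output, so the script should feed a review queue rather than sit as a scheduled job nobody opens.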
Discipline for violations
Have disciplinary policies as required by the HITECH Act and implement the tiered approach that parallels the OCR fine structure, so that discipline is appropriate to the situation. Remember, re-education is an option for discipline until attitude or repeated failure demonstrates that it is not going to improve performance from the individual employee or provider. Some circumstances, however, may justify “one strike” termination.
Revise your Notice of Privacy Practices
OCR has made it clear that they believe the changes in the regulations require revision and re-issue of your Notice of Privacy Practices. Posting to a website along with posting a summary in the lobby waiting area appear to conform to OCR expectations, so long as full NPP are available for the patient to review upon request.
Inventory your Business Associates
The 2013 regulations make it extremely important that you know who your business associates are, and that they in turn realize their obligations as business associates. The best way to determine who your business associates are is to review your payables history to see who you are doing business with, then evaluate whether any portion of what they do for you falls within the business associate definition. Remember, just because the business or individual falls within a permissible disclosure category under HIPAA does not mean that they are not business associates. In fact, it almost assures that they are business associates.
Complete new Business Associates Agreements
Revise your Business Associates Agreements (BAA) to comply with the terms of the new regulations and get the agreements in place. If you have a service contract that includes the necessary elements of a Business Associates Agreement, a separate BAA is not required.
Connect with Stephen Frew on LinkedIn.com