Where to begin with a privacy gap analysis?
HIPAA Weekly Advisor, January 24, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: My facility is in the process of conducting a privacy gap analysis, but we're not sure where to begin. Any suggestions?
A: Your gap analysis needs to compare where you are versus where you need to be. Start by identifying all your new responsibilities. Then, gather your raw materials. These include:
- Existing policies and procedures-especially for use and disclosure of patient information and access to your facility's computer system.
- Contracts. First gather all contracts, then decide whether HIPAA affects them
- User/technical manuals and inventory of all IT systems and devices. They will help you determine what protections your systems are capable of providing.
- Audit trails. You can use these to determine patterns of suspicious access.
- Training outlines and handouts.
- Insurance policies. No policy will cover your facility for criminal activity, but find out whether you're covered for civil damages for breaches of confidentiality or other HIPAA violations.
- The rules themselves. Keep handy a copy of the HIPAA regulations and any state laws on privacy and security of health information.
Remember, information use goes on in almost every department. Even though the HIM department is undoubtedly your largest site for information disclosure activities, it's not the only one.
The privacy rule either explicitly requires or implies that privacy officers must do the following:
- Audit and review current policies and procedures to determine whether they're effective or even existent
- Oversee development of new policies and procedures
- Train staff (or at least oversee those doing the training)
- Evaluate staff adherence to the policies and procedures
- review and negotiate contracts
- work with patients' complaints and requests for information
- cooperate and coordinate with the Department of Health and Human Services and the Office of Civil Rights when faced with a violation or complaint
- regularly communicate with the security officer to avoid duplication of efforts
Editor's note: Answered by Jill Callahan Dennis, JD, RHIA, principal of Health Risk Advantage, in Denver, and Kathleen Frawley, JD, MS, RHIA, president of Frawley and Associates, in Montclair, NJ.
The above information is adapted from The Greeley Company's (a division of HCPro) December 10 audioconference, "The HIPAA Chief Privacy Officer...How to be successful in your new role."
Go to http://www.hcmarketplace.com/product.cfm?ID=12548 to order an audiocassette of the audioconference.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched