Tip: Address inadequate HIPAA Security Rule-required policies and procedures
CDI Strategies, January 6, 2011
Want to receive articles like this one in your inbox? Subscribe to CDI Strategies!
CMS detailed seven shortcomings, including old and inadequate policies and procedures, in its 2009 audits of healthcare organizations to determine compliance with the HIPAA Security Rule. CMS detailed the findings in its 2009 HIPAA Compliance Review Analysis and Summary of Results report.
CMS conducted reviews of five HIPAA covered entities (CE) during 2009. In the past, CMS initiated reviews based on complaints filed, identification of potential Security Rule violations through the media, or recommendations from the Office for Civil Rights. This was the first time CMS reviewed CEs that had not been the subject of any complaints.
In the report CMS recommended solutions to help CEs increase compliance, such as:
- Requiring management to periodically review policies and procedures. These reviews should be conducted when systems or the environment change significantly.
- Mandating the participation of one of a CE’s designated HIPAA security officers as a permanent member of the policy and procedure development team.
- Developing a standard format for documenting policies and procedures. This format should accommodate multiple types of documents but should maintain information about document revisions, including all revision dates, the individual who revised the document, the date of the most recent approval of the document, and the individual who approved it.
- Conducting periodic evaluations, either internally or through a third party, to assess the effectiveness of policies and procedures and compliance with the Security Rule. CEs can perform this assessment using various methods, including interviews, process walk-throughs, and assessment of the actual results of these processes.
Editor’s note: For additional tips see the November issue of Briefings on HIPAA.
Want to receive articles like this one in your inbox? Subscribe to CDI Strategies!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- HIPAA Q&A: Level of encryption needed for email
- What does case-mix index mean to you?
- Identify potential Medicaid RAC target areas
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched