Build HIPAA into your overall compliance program: Increase efficiency with overall audits, hotlines

HIPAA Training Advisor, July 12, 2007

One way to save time and money is to integrate your HIPAA compliance program with your other compliance programs. But too many organizations have failed to do this as effectively as they could--sometimes even maintaining a completely separate effort for HIPAA.

"It doesn't make sense to have your HIPAA effort in a separate silo from the rest of the organization," says Timothy P. Blanchard, Esq., partner with the Los Angeles office of McDermott Will & Emery, LLP. "As money gets tight, an organization can look for efficiencies in overhead areas like compliance."

Many organizations missed the opportunity to combine HIPAA efforts with their existing compliance programs when the privacy and security rules first came out, because they were focused on implementing policies and training staff members on the new rules, Blanchard says. HIPAA also may have seemed like a different animal from the typical fraud and abuse concerns that many compliance programs are set up to handle.

But there may be more synergies than some organizations realize. Both HIPAA and other compliance efforts--whether for fraud and abuse, state regulations, or The Joint Commission--require ongoing staff training. It makes sense to combine these efforts as much as possible so that staff members aren't bogged down with too many training sessions.

"I cringe when I hear companies doing this piece of their compliance training program totally separate from the rest," says Christopher Myers, Esq., cochair of Holland & Knight's global compliance and governance practice in McLean, VA. Companies should coordinate staff training; otherwise, "you have privacy and compliance officers making separate demands on people's time. I think you frustrate the people being trained and make the training less effective and a violation more likely," says Myers.

Another money-saver is to combine your hotlines, says James M. Jacobson, Esq., cochair of Holland & Knight's health and life sciences team in Boston. Some organizations have separate hotlines for HIPAA concerns, fraud and abuse, and Sarbanes-Oxley. That's a recipe for losing track of important complaints or concerns, because a compliance officer dealing with just fraud and abuse might not recognize a HIPAA concern, he says.

Instead, it makes more sense to train a single person or team to triage those calls and route them to the right department. "It's very confusing to have multiple hotlines," says Jacobson. "You need to combine these or there'll be mass confusion."

Another area in which it makes sense to look at combining efforts is with ongoing monitoring and auditing of HIPAA compliance. This often requires you to develop and track metrics that measure how well you're implementing your HIPAA policies.

These can range from the percentage of your staff members who have received HIPAA training, to your turnaround time on patient record requests, to whether you have all of the business associate agreements you should have with outside vendors. This is precisely the type of work that compliance programs do all of the time, and you can easily incorporate HIPAA compliance into their efforts to save both time and money, Blanchard says.

In many organizations the compliance staff will conduct reviews of contracts or patient records anyway to identify potential fraud and abuse or other compliance matters--so it just makes sense to have them check up on HIPAA issues while they're at it.

"That's something the compliance office might be more used to tracking and reporting on," Blanchard says. "It may be easier for them to handle such reviews and monitoring than for the privacy officer."

It also makes sense for compliance and privacy personnel to work together in responding to possible HIPAA violations, because compliance officers already have expertise conducting investigations, handling staff discipline, if necessary, and also dealing with patient concerns.

"A HIPAA violation is a compliance problem," says Blanchard. "If the organization has assigned responsibility for HIPAA compliance to an individual who's not part of the compliance department, I would encourage them to work out coordination with the compliance department in advance of a problem so they can work together."

It's also important for compliance officers to conduct a comprehensive risk assessment each year that considers the totality of an organization's regulatory requirements and risks, says Myers. Make sure to include HIPAA.

The risk assessment should help you prioritize your most serious risks and help you plan ahead for any new regulatory requirements that will take effect that year. That way you can allocate resources to the most important requirements and get ready for new regulations as they become effective.

The assessment also should help you prioritize your audit schedule, says Myers.