
Improve your HIPAA policies and procedures: Make necessary updates to ensure HIPAA compliance

HIPAA Training Advisor, October 4, 2007

The HIPAA privacy and security rules have been enforceable for several years now, but many healthcare facilities still need to work on their policies and procedures. Whether your facility needs to fill in some gaps where policies and procedures don't fully comply with the regulation, or you simply need to update according to today's new technologies and standards, chances are your policies and procedures could use some tweaking.

"Even in organizations that have really good privacy and security programs, I can definitely find gaps. You can always find problems, and so you can always find ways to improve," says Kate Borten, CISSP, CISM, a Marblehead, MA-based HIPAA privacy and security consultant. The good news is if you strive for continuous improvement in your facility's policies and procedures, compliance with HIPAA is likely to follow.

Start, but don't finish, with a risk assessment

Some organizations think that if they have performed a security assessment, resolved a few of the recognized issues, and are working on some of the others, then they are compliant, says Borten. But simply installing a new firewall or handing out better passwords to your staff doesn't mean that you are in compliance with HIPAA.

Chances are your risk assessment reported far more security issues than just some weak passwords, and a good-faith effort alone is insufficient: the HIPAA security rule required facilities to be in full compliance by spring 2005. A risk assessment is only the beginning of compliance. You must also put controls in place by writing policies, establishing procedures, and then training your staff on the new procedures, says Borten. Even if your organization put in place the minimum policies and procedures required by HIPAA when the rule became enforceable in 2005, that doesn't mean your job is now over. Protecting your organization's security is a job that will never be completed. "Privacy and security aren't projects that have a beginning, a middle, and an end, especially not an end," says Borten.

Think outside the 'HIPAA' box

For many healthcare providers, HIPAA provided the impetus to create information and security policies. And in most cases, the policies and procedures you create for HIPAA compliance are adaptable for use in protecting the rest of your organization's confidential information. Although HIPAA doesn't require that you cover your HR records or your fiscal data, it only makes sense to protect this information while you are securing your patients' PHI. "The reality is that policies and controls have to be protecting the entire technical and physical environment, or I would argue the PHI is not really protected," says Borten. Her soon-to-be-released book, The No-Hassle Guide to HIPAA Policies: A Comprehensive Privacy and Security Toolkit, makes it clear that a lapse in one area of an organization's IT security would likely compromise other areas as well.

There is some good news. You can adapt your policies relatively easily so that they protect all of your organization's confidential data and not just your PHI. "It's easy," says Borten. "Instead of saying 'All PHI will be protected,' you change your policies to state: 'All confidential information will be protected.'" By amending the language of your policies, you can essentially get more bang for your buck. Suddenly, your policies will cover not only your PHI but also your financial data, your personnel records, and whatever other information your facility considers confidential. Just be sure to document the types of information you define as confidential.

Plan ahead for feasible enforcement

In order for a set of policies and procedures to be strong, you must be able to enforce it. Therefore, when you create policies and procedures, consider how you will monitor and enforce them. "For every policy, you've got to think about who is going to be enforcing it and how they are going to do so," explains Borten. If you write a policy and then tuck it away, you've really done very little to protect and secure your data.

Advancing technology will continually challenge your organization's security. It is impossible to be 100% secure with your PHI. However, you must be able to demonstrate to an attorney or to the government that you tried to monitor and enforce your procedures.

Strong documentation will help your cause if you are ever involved in litigation or any legal dispute. Eliminate oral tradition at your organization, says Borten. Even if an organization is in compliance with the HIPAA privacy and security rule, it has to formalize its procedures in a written document. Attorneys have said for years that if something isn't documented, they assume it isn't happening, she says.

Some technologies are aiding healthcare organizations with enforcement. Park Nicollet, a Minnesota-based healthcare clinic, is one example. The clinic suspended more than 100 employees in July for violating HIPAA privacy regulations. Most of the employees were guilty of viewing electronic medical records of family members, friends, and other employees without authorization. It is likely that Park Nicollet had monitoring technology in place to track who was viewing the medical records. If so, it is a prime example of a facility that has increased its IT usage to increase the security and privacy of its PHI.

However, the rapid pace of developing new technology means that yesterday's policies and procedures don't necessarily cover emerging security threats. This means that you may need to review and possibly modify your existing policies, or even create new ones if you find yourself needing to address a completely new situation. There may be times throughout the year when new security threats arrive on the scene, and you'll need to respond accordingly, Borten explains.

Recognize the heightened risk of off-site PHI

With the regular development of new technologies, it is imperative to update your policies to include the increased security controls that are necessary to protect your organization. As efficient and helpful as wireless devices, removable data storage drives, and remote access abilities are, they bring with them greatly increased risk to data security.

Remember, HIPAA holds covered entities responsible for protecting PHI on- or off-site. "Organizations are responsible for their PHI wherever it is, wherever their staff members are working with it," says Borten. This includes staff members who work from home, in airports, on trains, or wherever they travel. Staff members don't even have to access the main facility from afar to put data at risk. Simply carrying information on a portable drive creates the possibility of loss or theft. Away from their facility's physical and technical controls, employees dramatically increase the risk of losing data or having it stolen, says Borten.

HIPAA requires that you protect off-site PHI if your facility permits staff members to access and work with it off-site. Because the facility is fully responsible for the data, you must be sure to update your policies and procedures to regulate those who work off-site.

Off-site access certainly puts PHI at a heightened risk, but Borten suggests several ways to begin to protect this information. You may choose to provide physical controls, such as locks and special carrying cases for laptops. Another option is to require multiple forms of identification (more than one authentication factor) to access PHI from off-site locations, which HIPAA suggests but doesn't require. A strong password, which is acceptable for on-site use, is not enough on its own to protect remotely accessed PHI, says Borten.

She also suggests that you require all staff members who work remotely to sign a form indicating that they understand what your controls are, that they accept responsibility for the data, and that they promise to adhere to your facility's procedures for off-site access. You may also want to obtain their written consent to do a home inspection with advance notice.
