Health Information Management

As attention shifts to HITECH, don't forget about compliance with HIPAA basics

HIM-HIPAA Insider, September 21, 2010

Many HIPAA privacy and security officers now focus on meeting new regulatory requirements under HITECH. But they shouldn’t leave HIPAA behind. Consider the following tips: 

  1. Review, revise, and re-communicate policies. Revisit your policies and procedures to ensure that you continue to address all HIPAA requirements. Revise and update your existing privacy, security, compliance, and HR policies to require reporting of possible threats to confidential information whenever an employee observes a potentially harmful situation, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group in Purchase, NY. Then examine how your organization communicates these policies to your workforce. Make communication of policies a requirement in performance evaluations for management personnel.
  2. Ensure physical and technical safeguards. Your physical safeguards need to address devices and media. “Everyone has heard about lost tapes, CDs, and USBs,” says Lesley Berkeyheiser, of N-Tegrity Solutions Group in Glen Mills, PA, and cochair for the Workgroup for Electronic Data Interchange Strategic National Implementation Process. “If you don’t know where PHI is and how people are using it, you don’t have good controls of media.”
  3. Make reporting accessible and easy. Make it easy for members of your workforce to report possible incidents, ask questions, and bring potential threats to the attention of privacy and security officers so you can resolve risky situations before they become real threats, says Patrick. Training staff members on how to report possible incidents and making it easy to do so are key elements of an effective program, she says. Organizations can use an existing compliance or safety hotline that allows for anonymous and confidential reporting, or they can establish a separate privacy/security hotline, if necessary. Train staff members who respond to these hotlines and queries on how to gather and document critical information. They should also know how to properly transmit the information to those responsible for resolving problems, Patrick says.

Editor’s note: This tip was adapted from an article in the September issue of Health Information Compliance Insider. Subscribers have access to the full article in their newsletter.
