Health Information Management

Conduct a global HIPAA policy review

HIM-HIPAA Insider, August 23, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

If you're looking for a reason to review your organization's policies and procedures, look no further than HITECH. It includes many provisions that may necessitate policy and procedure development or revision. The act addresses areas such as business associate agreements, breach notification, the Notice of Privacy Practices, patient requests for restrictions, and fundraising communications.

HITECH trigged a global HIPAA policy review at North Shore-Long Island Jewish Health System (North Shore-LIJ) in Great Neck, NY. This was no easy task; North Shore-LIJ includes a medical school, a research institute, 15 hospitals, more than 200 ambulatory care centers, over 5,600 beds, and a total workforce of more than 42,000 employees.
Julie Agris, PhD, JD, LLM, CHC, CIPP, CCEP, director of compliance and privacy officer at North Shore-LIJ, described the undertaking at the 19th National HIPAA Summit in Washington, DC.
Healthcare organizations can determine which HITECH provisions trigger a need to develop or revise their policies, said Agris. Alternatively, they may decide to undertake a full-scale review of their HIPAA policies. She recommends the following for organizations that decide to complete such a review.
Start by gathering all current HIPAA policies from all of your entities. This may sound like an easy task, but it can present a challenge for a large healthcare system, Agris said. In fact, you may not even find all of them. Some policies may predate HIPAA, and some buried policies may keep reappearing, she said. As such, accept that your search and transition to new policies and procedures will be an ongoing process.
For tracking purposes, create a grid, Agris advised. Include current policy names and numbers, provide a column for noting recommendations (e.g., archiving a policy or incorporating it into a new policy), and leave room to document the status of each policy (e.g., date scheduled for presentation to policy committee or date policy is approved).
Editor’s note: For additional tips on conducting a HIPAA policy review, see the full article in the August issue of Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular