While clinical labs may occupy a unique position under the Health Insurance Portability and Accountability Act umbrella, their compliance efforts in certain ways mirror those of other covered entities. Our HIPAA experts offer the following strategies for labs ramping up compliance efforts with the HIPAA privacy rule:
HIPAA is not an IT problem, insists Michael Geldart, an attorney in Holland & Knight's St. Petersburg, FL office. And, "it's not a policy problem; it's an operational issue," he says. So, it's time to figure out how your organization currently operates when it comes to information, he suggests. Geldart advises labs to track how they currently use information. Track how it comes in and how it goes out of your organization, he adds. Only when you have a precise map of the way information circulates can you understand what parts of HIPAA apply to your laboratory, he concludes.

Gwen Hughes, professional practice manager for the American Health Information Management Association, agrees. An information flowchart is the first thing AHIMA recommends that covered entities do, she says. Without that information, you can't analyze the minimum necessary requirements and you can't determine how to train your workforce, she warns. The privacy officer can spearhead efforts to chart the paths of information in the lab, but make sure many people get to check it over and add to it.

The HHS will need to finalize the proposed privacy rule changes by mid-October, Hughes concludes, in order to give covered entities the necessary 120 days to prepare for compliance. So provisions that may change because of these revisions are compliance hurdles you can tackle in November, she suggests.