Health Information Compliance Alert

Privacy: 9 TIPS FOR YOUR PRIVACY RULE CRASH COURSE

Still not up to snuff with implementation of your compliance plan? You just might be in luck.

Thanks to a recent audioconference sponsored by Phoenix Health Systems, Inc., even organizations that haven’t started their privacy rule compliance still have a good chance to get in position for the privacy rule race. Here are some tips Phoenix offered Jan. 30 in its latest privacy rule conference, “11th Hour HIPAA: Meeting the Deadlines When You Haven’t Started!”:

Achieve compliance through “negative assumptions.” At this stage in the privacy rule game, there isn’t time for in-depth HIPAA training, assessment, remediation planning, and implementation by April. Since you’re in the HIPAA hot seat, using negative assumptions (starting with the end goal, not the gaps) is probably your best bet, says Amanda Dorsey, director of Phoenix Health Systems.

Dorsey suggests you begin by assuming you meet none of the regulatory standards, start from “ground zero,” and eliminate the policies in your organization that don’t jibe with HIPAA.

Use the “Design/Build” approach. This method combines three stages into one: gap assessment, a comprehensive planning process and plan implementation. Focus immediate action on outcomes, not on filling gaps, and prepare the plan while “construction” is already under way, Dorsey urges.

There are two critical features of the Design/Build approach: 1) assume your organization is already operating within most HIPAA privacy requirements; and 2) the project must be “owned” by a single, qualified leader, or project manager. In other words, he or she must be a dedicated, focused person who drives the team toward its goals and understands all of the specific requirements of HIPAA.

First steps. You can’t afford to take baby steps with compliance at this stage, so you’ll have to make giant leaps. First of all, designate a privacy officer, a security officer and a HIPAA task force. The task force operates in a supervisory role and decides what gets done, how, and when. Dorsey also recommends that the privacy officer and security officer be separate roles held by two different individuals.

Work in tandem. Have the project manager work in partnership with your organization’s CEO, COO or CFO. Pairing the project manager’s technical knowledge with an executive’s organizational authority gives the project the clout it needs and speeds decision making, Dorsey advises.

HIPAA Task Force to the Rescue!

Your HIPAA task force is vital, and should include key decision makers with both the authority and the power to address privacy issues raised by the project manager, says Dorsey. Consider your director of registration, director of nursing or medical director, medical records director, CFO, and security and privacy officers for this group.

Experience is key. Your task force should include some of the most experienced people in your organization, says Tom Grove, vice president of Phoenix Health Systems. Grove says he’s often seen organizations that bring together their privacy officer, the medical records director and an executive in a room to begin working on HIPAA, only to discover that they don’t have the expertise they need to answer some HIPAA questions, and “they all end up each meeting with a bunch of research assignments.” Since there’s no time for lengthy research assignments, experience is crucial.

Give your task force time to operate. It is critically important, says Grove, particularly for the project manager and the privacy officer, to ensure that they have the time necessary to do their jobs. “You’re very likely to find that your project manager, medical records director and privacy officer could very easily spend a quarter to half of their time over the first two to three weeks of a HIPAA privacy effort getting procedures written to put the policies into place, and it is absolutely critical that you protect that time for these groups.”

Educate your staff. Once you’ve assembled your team, it can be very valuable to open the kickoff meeting with a one- to two-hour education session whose sole purpose is to ensure that everyone is on the same page concerning all of HIPAA’s provisions, says Grove.

Apply the “7 P’s” approach to creating policies. Choose policies that apply directly to your organization. Dorsey says the privacy rule has 57 standards, and most organizations implement between 35 and 60 new policies to comply with those standards. The 7 P’s approach means using a matrix comprised of 1) the privacy standard; 2) policies your organization must create; 3) procedures and processes for each policy; 4) paper, including all forms, notices and documentation; 5) people who will lead implementation; 6) policies prioritized according to risk; and 7) a plan for implementation.

The plan should include a schedule for development, approvals, training and any go-live dates you’ll encounter.

Establish priorities. Dorsey says she urges covered entities to first focus on implementing policies and practices that are visible to the patient, such as notices of privacy practices and any policies associated with medical records amendment or records access.

Other high priorities include establishing disclosure-tracking mechanisms (the records you will need when a patient requests an accounting of disclosures) and addressing any known security vulnerabilities by putting in place measures to protect data confidentiality. Examples are firewalls, password procedures, and login/logoff procedures.

Workforce training and privacy and security awareness are also requirements. “Remember, you have to create the policies, and then you have to educate your staff on these same policies,” insists Dorsey.

Finally, all decisions on policies and procedures require multi-disciplinary consensus and agreement before they are adopted and before your employees are trained on the new policies. Be sure to have your legal department review and approve all of these policy decisions, Dorsey cautions.