Home Health & Hospice Week

Compliance:

6 Steps To Get Up To Speed On HIPAA Security

Follow this expert advice to ensure your compliance - before it's too late.

The security rule compliance countdown has hit full speed. You have fewer than six weeks to pass your toughest HIPAA compliance test yet, but advice from top security experts can help get your security program in tip-top shape.

1. Appoint a security officer. To set your HIPAA security plan in motion quickly, you must pick a dynamic leader to be in charge and get things done, advises attorney Robert Markette with Gilliland & Caudill in Indianapolis.

Home care providers often choose a "computer person" to be the security officer because the security rule addresses electronic data, notes Gene Tischer with the trade association Associated Home Health Industries of Florida. But restricting your security officer choice to an IT person isn't necessary, Markette maintains.

The security officer must make numerous non-technical decisions, Markette says - for example, the procedure to follow when terminating employees or physical security for your building. With time running so short, your security officer will have to delegate many tasks to other employees anyway, and she can delegate technical items to the IT person.

2. Learn the rule. The security officer should take a good look at the HIPAA security rule and learn the requirements. The final rule is at www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf.

3. Create your compliance team. You should bring in employees from across the organization to serve on the team, explains Beth Rubin, an attorney with Dechert in Philadelphia. Your security officer should head up the team, advises Greg Young, security officer for Mammoth Hospital in Mammoth Lake, CA.

"The first 30 minutes of your team's initial meeting should be dedicated to educating members on the rule," Rubin stresses. Send team members an information packet or security rule 'cheat sheet' ahead of time, she proposes. A CMS overview of the rule is at www.cms.hhs.gov/hipaa/hipaa2/education/Security%20101_Cleared.pdf.

4. Develop a task-specific action plan. The result of your first team meeting must be a decisive action plan that outlines how your organization will tackle its security rule compliance, Rubin says. "That includes a strict timetable for when each task will be completed," she adds.

Rubin recommends your action plan answer the following questions: who will conduct the risk assessment; when will the risk assessment be completed; who will be in charge of risk management; who will review business associate agreements; when will all agreements be finalized; who will draft and review policies and procedures (P&Ps); and when will training begin?

5. Assess and manage your organization's risks. Completing your risk assessment will be the bulk of your HIPAA security work, Markette advises.

But the risk assessment doesn't have to be a huge ordeal, says security consultant Chuck Connell of www.HIPAASecurityExperts.com. "Focus on the standards first," he suggests. Once you pin those down, you can attack the addressable implementation specifications, Connell says.

Use your risk assessment to guide your risk management process. "Highlight the highest risk areas in your organization and fix those immediately," Connell suggests. Once those issues are under control, you can address the rest.

"You'll find the open doors and close them," Tischer explains.

The good news is that you're probably addressing many of these risk areas already, Markette points out. For example, virtually all home health agencies already have procedures in place for backing up data, and accredited agencies have contingency plans in place. You'll just have to identify what you do, review your policy to make sure it makes sense, and then move on to the next step, he says.

6. Write and implement your policies. Choose one person to write all your P&Ps, Young suggests. That way, you'll ensure consistency - and you can quickly resolve any conflicting measures, he says.

Next step: Train your employees on your organization's compliance plan. You don't have to wait until the end of the process to do that - start by teaching them basic security controls and then focus your training as your P&Ps develop, Connell suggests.
 
Editor's Note: For information on HIPAA, see Eli's Health Information Compliance Alert and Eli's HIPAA Training Alert at www.elihealthcare.com.