It's time to move HIPAA off the back burner.
With new HIPAA audits on the horizon, you'd be wise to make sure your information privacy bases are covered now. The HHS Office for Civil Rights recently announced a pilot of 150 HIPAA audits (see Eli's HCW, Vol. XXI, No. 1, p. 4). OCR will complete the audits by December 2012. You can start to prepare by putting together your documentation of whatever steps you have taken to be compliant with HIPAA and HITECH requirements.

"I've seen many organizations big and small lapse in their mitigation and monitoring response. Specifically that they do not review periodically," says information security expert Ester Horowitz. Organizations followed HIPAA initially from a system-wide approach, she adds. New procedures were adopted and others revised. Many of the procedures from that time continue today, but some have become outdated or lax.

Every organization is required to periodically review its privacy policies, procedures, and methodologies and to document that it did, points out Horowitz. Included in these reviews is a demonstration that employees were and are trained, not just one time but also periodically. "In an effort to standardize and make habit a routine that allows the company to deliver care or support care, it must also be acknowledged that routines become obsolete, need adaptation, updating, and should be minimally reviewed," insists Horowitz. "I do not see that occurring at this stage of the HIPAA life cycle across a majority of organizations."

Remember: Following the site visit, auditors will develop and share with the provider a draft report. Audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings, the Department of Health and Human Services says on its website. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified.
You should see taking corrective action "as valuable labor ... (and) clearly understand that it is a profit center method that will only elevate the organization's reputation and output if followed and measured appropriately," Horowitz advises.

Assemble A Team

"Covered entities should be assembling a team to review all privacy and security policies, procedures and practices, and should update and revise them as needed," advises attorney Kenneth Rashbaum of Rashbaum Associates in New York. The team should comprise IT, health information management (also known as medical records), in-house counsel, the chief information security officer and/or an outside technology consultant experienced in security analyses, outside counsel with experience in HIPAA privacy and security compliance, and representatives of clinical departments (end users), he says.

You should consider bringing in outside counsel because in-house counsel may find themselves in an awkward position if they attempt to advise the work force prior to and during the audit, as in some states the privilege protections for in-house counsel are not as strong as they are for outside counsel.

Conduct Risk Assessment

"If the covered entity has not done so recently, it should immediately begin the process of conducting and documenting a HIPAA Security Risk Analysis, as required by the Security Rule," Rashbaum tells Eli. HHS "has issued a guideline on the requirements of this Risk Analysis. The team referenced above should facilitate it, with outside counsel receiving reports from the team members and preparing the documentation of the risk analysis."

Assemble a list of likely audit questions and review them, Rashbaum says. When you "feel comfortable answering those questions, you can start to feel comfortable about being audited." But it takes an information security compliance expert to really be able to honestly feel comfortable with those questions, he adds.
Resource: To generate your question list, check out the 42 questions asked in the first OIG HIPAA Security audit in March 2007 at http://tinyurl.com/2ac9jm; CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews at http://tinyurl.com/27eakjz; and questions asked of a small provider after a data breach involving theft of a laptop and server at http://tinyurl.com/3jpoa4p.

Head Off Further Problems

As a covered entity you should, during this period, avail your organization of all required safeguards and precautions with regard to uses, storage and disclosures of electronic health information, and should avoid activities that may lead to a breach, Rashbaum reminds. You should enhance monitoring of compliance with safeguards and precautions for management of electronic health information, and document the steps taken to monitor compliance. "Particular attention should be paid to preservation of information relevant to security and privacy protocols; such documentation should be protected from loss or destruction," Rashbaum advises.

"Don't put off the work needed for a real HIPAA security risk analysis and mitigation effort," says Jim Sheldon-Dean of Lewis Creek Systems in Charlotte, Vt. If you do a good job now and document it properly, you will have an easier time staying compliant in the future and being ready for any audits. If you avoid the issue, you may be liable for willful neglect penalties that start at $10,000 per day, he warns.

Remember: What auditors want to see is evidence of policies and procedures, and that the policies and procedures have been used to achieve their aims -- in short, documentation, Sheldon-Dean says. The more you can have a good information security process documented, the easier it is to respond to audits. All you have to do is point to the evidence of your work, and that makes life easier for everyone.
Even if it's only initial documentation of planning for the process you just decided to start yesterday, it's still better than nothing, he says. Every bit of effort helps to show auditors that you take security seriously.

Be cooperative: The authorities want to help everyone be compliant, and they can help, not just find potential violations, Sheldon-Dean says. If they do find violations, they may want to initiate an enforcement action, but that's not a given. It's more likely that they'll find security deficiencies that are not violations of the rules themselves but could lead to violations, especially if there hasn't been an organized HIPAA security compliance effort before now, he says.