Medicare Compliance & Reimbursement

HIPAA COMPLIANCE:

Nix Security Problems With Walkthrough Inspections

Follow this advice to keep your compliance plan in shape.

Your security compliance program could be long overdue for a checkup. Now is the time to begin monitoring your staff so you can knock out violations of compliance with the Health Insurance Portability and Accountability Act (HIPAA) before they occur. Here's how to get started:

Recruit Anonymous Reviewers

The basics: Much like the safety audits your office already performs, a walkthrough can prevent violations before HHS' Office for Civil Rights gets involved. Whether you announce inspections or execute them without your staff's knowledge, experts agree that you should perform them at least annually for all departments and more often for high-risk areas.

"If you've found a problem area, then you want to do [walkthroughs] more often than [once a year] to get things really ironed out," suggests Patricia Johnston, a consultant for Texas Health Resources in Arlington, TX.

Though not mandated by the privacy rule, third-party or anonymous reviewers are often an efficient, if costly, method of examining your facility's HIPAA compliance program. "The big thing is making sure that nobody knows what's going to happen because you want to see what people are doing on a day-to-day basis, not what they're doing on their best behavior," posits Robert Markette, an attorney with Indianapolis' Gilliland & Caudill.

The types of violations often caught in walkthroughs range from simple mistakes--like leaving confidential faxes unattended or discussing protected health information (PHI) in public areas--to trickier situations that may have been overlooked. Many times the problem is not a procedural violation, but an issue that hasn't been thought through all the way, Markette says.

Focus On Your Front Lines

"Focus on [areas with] a significant amount of interaction with the public or ... patients," advises Brian Gradle, an attorney with the D.C. office of Hogan & Hartson. Waiting rooms, elevators and even fax machines are all areas where the public can accidentally hear or view information, Gradle offers.

Example: In a walkthrough, Markette noted that although the office had obviously positioned computer monitors so that patients could not see them from the waiting room, staff members hadn't considered the glass entryway to be a risk area. "As you walked in, you could look right over the employee's shoulder," he observed.

"Any time a privacy official is walking through, they should have their eyes and ears open," claims Gradle. But experts agree that while privacy officials should conduct informal walkthroughs frequently, there must be some method to document and track violations, and there must be follow-ups.

To solidify the process of monitoring HIPAA compliance, Johnston developed a walkthrough checklist. As a tangible record of violations, you should base your checklist on the privacy policies and procedures central to your organization. The checklist can also include how many times you observed the violation. "It gives you something to start tracking to see if you see any improvement or not," Johnston explains.

The next step: Once you've performed the walkthrough and logged the violations, compliance officers and others can review the document to see what went wrong and where. "The two main areas we look for are our training and the clarity of our policies," Johnston points out. If you observe a violation multiple times, you have to ascertain the causes behind it.

By pinning down answers to these questions, you can streamline your facility's procedures, and thereby avoid glaring HIPAA violations.

Get Tough And Enforce Sanctions

Tip: Remember to take HIPAA violations seriously, if and when they do occur. That means you'll have to outline and impose sanctions according to the gravity of the violation. Not only does failure to apply penalties jeopardize your compliance program--it's also against the law not to have a sanctions policy in place.