OASIS Alert

Compliance:

LEAVE NO EMPLOYEE UNTRAINED

The federal government isn't kidding around when it comes to protecting patients' privacy, so make sure every employee in your agency receives adequate HIPAA training.

And that includes data entry personnel who enter and transmit OASIS information. OASIS assessments are chock full of the kind of health information the Health Insurance Portability and Accountability Act was designed to protect.

HIPAA requires that covered entities train all staff members in the rule's privacy require-ments,notesBurtonsville,MD-basedattorneyEliza-beth Hogue. Agencies have until April 14, 2003 to comply with HIPAA, and many were reluctant to begin their training before the Department of Health and Human Services published the final rule, says attorney Kristen Rosati with Coppersmith Gordon Schermer Owens & Nelson in Phoenix.

But the rule became final with its publication in the Aug. 14 Federal Register, so now providers should be running full steam ahead with their HIPAA compliance efforts, Rosati urges.

The good news is that although agencies must train everyone on HIPAA's privacy rules, they don't have to secure a separate confidentiality agreement from OASIS data entry personal, as some had feared. The HIPAA training is good enough on its own, says attorney Robert Markette, Jr. with Gilliland & Caudill in Indianapolis.

You will have an extra hoop to jump through, however, if you contract with an outside service to complete OASIS entry and transmission. These can you say 'vendors' or 'contractors' to make it clear it's the entity, not the actually service they provide? most likely will qualify as a "business associate" under HIPPA, Hogue says.

And the rule states that essentially all businesses that do business with covered entities must be HIPAA compliant. To ensure their compliance, you must draw up so-called "business associate agreements" with these contractors.

Agencies can use the model language HHS has published as the basis for these contracts, or they can develop their own, Hogue counsels. "As a practical matter," HHAs simply should incorporate the HIPAA business associate language into their regular contracting agreement with these service providers instead of drawing up two separate documents, she tells Eli.

Editor's Note: To see a copy of the business associate contract language, go to www.accessgpo.gov/su_docs/fedreg/a020327c.html.

Other Articles in this issue of

OASIS Alert

View All