Stop problems before the Office for Civil Rights stops you

You've spent months developing policies and procedures in order to comply with HIPAA's privacy rule deadline - so what comes next? Now is the time to begin monitoring your staff so you can knock out compliance violations before they occur. Here's how to get started:

Conduct a Walk-Through

Much like the safety audits your office already performs, a walk-through can prevent violations before the HHS Office for Civil Rights gets involved. Whether inspections are announced or executed without your staff's knowledge, experts agree that they should be done at least annually for all departments and more often for high-risk areas.

Focus on Your Front Lines

"Focus on [areas with] a significant amount of interaction with the public or ... patients," says Brian Gradle, an attorney with the D.C. office of Hogan & Hartson. Waiting rooms, elevators and even fax machines are all areas in which information can accidentally be heard or viewed by the public, Gradle says.
"If you've found a problem area, then you really want to do [walk-throughs] more often than [once a year] to get things really ironed out," says Patricia Johnston, a consultant for Texas Health Resources in Arlington, Texas.
Though it is not mandated by the privacy rule, third-party or anonymous reviewers are often an efficient, if sometimes costly, method of examining your facility's HIPAA compliance program.
"The big thing is making sure that nobody knows what's going to happen because you want to see what people are doing on a day-to-day basis, not what they're doing on their best behavior," says Robert Markette, an attorney with Indianapolis' Gilliland & Caudill.
The types of violations often caught in walk-throughs range from simple mistakes - like leaving confidential faxes unattended or discussing patient health information (PHI) in public areas - to trickier situations that may have been overlooked. Many times the problem is not a procedural violation, but an issue that hasn't been thought through all the way, Markette says.
In a recent walk-through, Markette noted that although the office had obviously positioned computer monitors so they could not be seen from the waiting room, staff members hadn't considered the glass entryway to be an area of risk. "As you walked in, you could look right over the employee's shoulder," he says.
"Anytime a privacy official is on the ground walking through, they should have their eyes and ears open," Gradle says. However, experts agree that while privacy officials should conduct informal walk-throughs frequently, there must be some method to document and track violations, and there must be follow-ups.
To solidify the process of monitoring HIPAA compliance, Johnston developed a walk-through checklist. As a tangible record of violations, the checklist should be based on the privacy policies and procedures central to your organization.
It can also include how many times the violation was observed. "It gives you something to start tracking to see if you see any improvement or not," Johnston says. Once the walk-through has been performed and the violations logged, compliance officers and others can review the document to see what went wrong and where. "The two main areas we look for are our training and the clarity of our policies," Johnston says. If a violation is observed multiple times, you have to ascertain the causes behind it. Some questions you can ask are: