A practice must take many steps to advance through HIPAA compliance, and everyone in your billing office should be aware of them, especially the business-associate agreements. Help your practice comply with HIPAA by following these strategies:

Work with Your Privacy Officer and Committee

Use the HIPAA expertise created for your benefit. The privacy officer your practice appoints is your HIPAA expert, and the committee the PO sets up will determine how your office should comply. Read questions and answers for privacy officers (but useful for all billers) in article 2.

The privacy officer should organize a committee specifically for HIPAA issues that will be a cross-section of your office. The committee should include a compliance officer and employees from the technology, billing, admissions, medical and clinical departments, risk management, and legal and human resources. If your organization is small, the committee should include fewer departments for fewer tasks.

Prepare Business-Associates Compliance

April 2004 is not that far away; your department should aim to meet the business-associate deadline as early as possible.

Define which people and organizations qualify as your business associates under HIPAA. There's been a lot of confusion about this issue, Caesar warns. Not all vendors who provide you a service or can access protected health information (PHI) qualify as business associates. For example, the cleaning company whose employees come across material they shouldn't see does not qualify as a business associate because the cleaning job doesn't necessitate handling that information.

As you determine your business associates, keep in mind that potential business associates include consultants, accreditation organizations, supplemental staffing agencies, storage facilities that hold records, transcription services, attorneys, outside billing companies, and practice management and billing services.
Educate Your Billing Office Workforce

Your general workforce must understand HIPAA and the changes that your office will implement. Whether it's the HIPAA committee or your office manager who's in charge of educating other employees, according to Caesar they should, when preparing their education plans:
As for the training itself, give each staff member a HIPAA manual for quick reference, advises Stacy Burnett, at Medical Practice Management P.C. in Beaverton, Ore. And make a copy for the patient. Also, hold a weekly HIPAA compliance meeting for 20 minutes to cover one aspect of the rule, she adds. Build on these meetings week-to-week; information is more likely to sink in this way. Have employees sign a sheet at the beginning and end of the meeting to show they've attended, to emphasize personal responsibility, and to protect the office in cases of patient misconduct.
As the center of all compliance activities, the privacy officer deals with issues concerning HIPAA implementation, education, auditing and administering reviews for proactive or reactive purposes. In addition, the privacy officer should outline all of the trials and errors that occur during the compliance program, says Teena George, a certified HIPAA specialist and owner of Humboldt Medical Solutions.
Often, the privacy officer comes from the physician practice's administrative sector, so beware: You may be the "lucky" candidate. Only large organizations will appoint full-time privacy officers, says Neil Caesar, an attorney with the Greenville, S.C.-based Health Law Center.
If you're not the privacy officer, don't be afraid to approach the PO with your questions and concerns; the privacy officer should be an approachable employee in a high-level position who garners respect from all areas of the office. In other words, you want people who are "good leaders," Caesar clarifies.
Your committee is supposed to have the expertise to understand your office policies for issues like privacy and determine practical solutions for dealing with HIPAA compliance problems that arise, so turn to committee members for help.
The committee should start by developing action plans and allocating tasks. Set completion dates for these early activities within a matter of weeks, and stick to these deadlines.
However, for that cleaning company and other organizations you've contracted that might come in contact with PHI, ask them to sign an agreement promising that they won't disclose that information. Though federal law does not require it, this step does "tighten up your ship in general," Caesar says.
Fix the language in your business-associate contracts as soon as possible to reflect the new requirements of HIPAA. That way you'll avoid having to rewrite a large number of contracts close to the April 2004 deadline. For newly drafted documents and for contracts renewed or renegotiated for reasons other than HIPAA, put business-associates language into contracts immediately.
According to George, your new business-associates contracts should also include several exact points: for example, what will happen if someone violates the agreement, and what will you do to keep the violation from occurring again?