Getting HIPAA compliance right

Health care providers, health plans and health care clearinghouses have seen a major compliance date under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) come and go.

The deadline for covered entities to comply with the HIPAA standards for electronic transactions was Oct. 16. Most determined they were not required to meet that deadline (a small health plan is not required to comply until October 2003), availed themselves of a one-year extension or are already in compliance.

But the HIPAA challenge is far from over.

Covered entities have until April 14, 2003, to comply with privacy regulations and many still have significant work to do to meet the deadline.

The process is still manageable, even if compliance efforts have not started. While much of the work can be done by a privacy officer and/or privacy committee, management must not only support the effort but emphasize its importance.

Plan and set goals

Identify who will take a lead role. This person or group must establish a time frame, delegate responsibility for tasks and educate themselves on privacy requirements. This means addressing whether the organization is a covered entity, whether it should designate itself as a “hybrid entity” or an “organized health care arrangement,” what information is protected, what the appropriate terminology is and what each term means.

Assess

Identify how the organization is using individuals’ health information, not only internally, but also in external transmissions to other individuals or organizations. This is critical to identifying where business associate and data use agreements will be required.

An organization may already have significant policies and procedures in place. For example, access to health records, inspection of health records, modification and retention of health records, and reception and processing of complaints are all things the organization has likely already addressed in its daily operations. While revisions may be necessary, a complete replacement of each policy may not be.

Address the gaps

The entity must compare how it uses health information and what policies it has in place with the requirements of the regulations. This gap analysis leads to the action plan.

The goal is to create a list of policy reforms and/or new policies needed and identify which contracts with outside individuals and entities will need to be updated or put into place.

Evaluating who will handle certain roles is also part of this process. Many organizations impacted by HIPAA do not engage in providing health care as their primary function. These may have small or distinct portions of their organization that are involved in handling health information.

Evaluate whether access to health information by certain departments or individuals is necessary or if the cost of compliance outweighs the benefit of continued access.

Establish the framework

Now it’s time to revise policies and forms and prepare new ones. The organization’s Notice of Privacy Practices is taking shape as the organization has identified how it handles health information and the structure it will use to maintain privacy.

It will need to train its work force with regard to its privacy strategy and policies and create an overall awareness of its strategy. That way, not only will those involved with the policies on a daily basis understand their obligations, but also those who rarely handle health information will know how to get answers to privacy issues.

Finally, if time permits, the organization should do testing to identify flaws and correct them prior to the compliance deadline.

Resources

Resources for compliance efforts must be chosen wisely. Professional advisers and trade groups with which an organization has experience, as well as government sponsored Web sites, may be the best places to start.

No forms, policies or training manuals are applicable to every situation. Each organization must make certain it is getting the advice it needs to tailor resources to fit the nuances of the organization, as well as the legal requirements of HIPAA.

Matthew Stockslager is an attorney with Brouse McDowell. He can be reached at (330) 535-5711 or at [email protected].