New Year, New HIPAA Plan
By: Kelli Fleming
JANUARY 24, 2012 - As the new year gets underway, it is common for us to reflect back on the prior year and set goals for the upcoming year. Whether it is losing weight or maintaining better relationships with loved ones, New Year's resolutions are on everyone's minds this time of the year. Health care providers should also consider setting a New Year's resolution--updating your HIPAA privacy and security plan. To be effective and beneficial, HIPAA policies and procedures should periodically be revised and updated, and the beginning of the year is as good a time as any to undertake such revision.
Many health care providers enacted HIPAA policies and procedures shortly after the passage of HIPAA and its corresponding regulations, but have failed to revise their HIPAA plan since. With changes in the law, operational transitions, and increased enforcement and penalties from the Office of Civil Rights ("OCR"), providers should consider reviewing and updating their existing HIPAA policies and procedures.
The enactment of the Health Information Technology for Economic and Clinical Health ("HITECH") Act in 2009, and its corresponding regulations, made sweeping changes to the HIPAA Privacy and Security Rules. For example, health care providers are now required to notify patients and OCR when there has been a "breach" of "unsecured protected health information." Yet many providers have not enacted a policy to address when there has been a "breach" of "unsecured protected health information" or the process for providing the required notification.
Further, providers are seeing increased enforcement from OCR on the HIPAA front. In 2011, we saw increased focus on HIPAA compliance and the first imposition of civil monetary penalties for HIPAA violations. Additionally, OCR recently announced a HIPAA audit program designed to ensure that providers remain in compliance with HIPAA requirements.
Based on changes in the law and increased enforcement activities, having an up-to-date HIPAA plan is extremely important. As you revise your HIPAA policies and procedures, consider the following:
- Are your employees adequately informed of your commitment to following the HIPAA plan and are they properly trained regarding the HIPAA policies and procedures? In this regard, I recommend that all health care providers require their employees and other members of their workforce to sign an acknowledgement that a copy of the HIPAA plan has been made available to them, that they are aware of the consequences of not following the plan (e.g., disciplinary action or termination), and that they agree to abide by the plan. Further, routine training regarding the plan's policies and procedures must be conducted. Training can be conducted in a variety of forms: web-based tutorials, attendance at seminars, self-study, etc. Many providers are performing training initially upon hire and once a year thereafter. While the law does not mandate how frequently training must occur, for many providers, annual training is not frequent enough. Consider the type of training that is appropriate for your organization and how often training should be conducted based on the culture of your organization.
- Have there been any changes in applicable health care laws since the last revision of your HIPAA plan? For example, do you have a breach notification policy and have you revised your Notice of Privacy Practices to reflect changes in the use of protected health information under HITECH? To be effective, HIPAA plans should reflect recent changes in the evolving law.
- Are your policies and procedures written to address your particular risks and the operations specific to your particular organization? It is important to document in written form how you have addressed the risks and possible types of misconduct within your particular organization. Although there are several risk areas that are common to most health care providers, every provider is different. Therefore, during the revision process, conduct an internal review to determine your specific risk areas and verify during the revision process that those areas are addressed.
- Have you properly addressed issues arising since the last revision? It is important that when a HIPAA issue or violation arises, it gets addressed. After addressing the problem, you need to ensure that it does not arise again. This includes revising the ineffective provisions of your HIPAA plan. To be effective, HIPAA compliance plans should build on issues encountered by your organization. For example, if an unauthorized disclosure occurred because a provider removed protected health information from the premises, you should revise your policies and procedures to limit the instances when information can be removed from the premises and to provide safeguards for when such information is removed.
- Is your Privacy Officer and/or Security Officer still the appropriate person for the job? The Privacy Officer and/or Security Officer oversee the HIPAA plan and its implementation. They are the persons responsible for auditing and documenting the results of the plan, training employees, responding to concerns or questions, conducting internal investigations, and carrying out disciplinary actions. Therefore, these officers should be trustworthy, effective at communication, able to handle large amounts of authority and responsibility, and able to influence organizational practices and behavior. Upon review of your HIPAA plan, consider whether the appropriate persons are filling these roles.
Although you may waver on other New Year's resolutions, updating your HIPAA policies and procedures is one resolution that should be, and can be, kept.