September 11, 2018
Author: W. Bradley Gilmer
Organization: The Hardison Law Firm
If your organization is audited, either through a randomly chosen HHS-mandated audit or as a result of a patient complaint, your company needs to be able to tell a compelling narrative to HHS on how you have taken steps to implement the Act into the culture of your organization. Here is a framework for implementing a step-by-step compliance program. It is a best practice for the CO and compliance team to maintain a written record of each of the following steps in creating a “Culture of Compliance.”
1. ______ “IMPLEMENT A COMPLIANCE TEAM” Without an educated leadership group charged with the responsibility of implementing and enforcing the Act, it will be difficult to implement compliance. Someone in your organization must be designated as the HIPAA Privacy Officer or “Compliance Officer” (“CO”). The larger your organization is, the more Privacy Committee members the CO will need working under them to implement compliance measures and then follow up to gauge the efficacy of these measures.
2. ______ “COMPLIANCE TEAM IMPLEMENTS EMPLOYEE TRAINING” The Act requires the CO and team to train every employee on the rigorous privacy measures for PHI discussed at length above. This training can be through written materials, live in-house seminars or video presentations, or outside vendor training (through seminars such as this one…). We would recommend documenting some sort of training for every employee in their personnel file, as well as keeping a separate file containing copies of the written and video training materials, along with the dates and attendees for the training sessions. All of your workforce privacy Policies and Procedures are best kept in a written format, easily accessible to your employees for reference…and also easily referenced to provide to HHS auditors.
3. _____ “REVIEW AND REVISE DOCUMENTATION OF NOTICE PROVIDED TO PATIENTS OF THEIR PRIVACY RIGHTS” The Act requires covered entities to educate their patients (most easily through the patient’s intake or admission paperwork) of their rights. This includes, but is not limited to, the patient’s opportunity to agree / object regarding the use of their PHI, and education on when the covered entity may release PHI without the patient’s permission for public policy, insurance issues, and research projects. The patient should also be informed of their right to request an audit disclosure of their PHI, to request that the covered entity restrict the uses and disclosures of their PHI (as well as the fact that the covered entity is not required to honor all such requests), and to request that confidential communications from the covered entity to the patient only be made in a specific manner (i.e., using only a specified address / phone number). The patient must also be informed that they have the right to request copies of their PHI, and also to request that their PHI be sent to a third party, such as a family member or insurance company. In addition, the patient must be put on notice that they have the right to request an amendment to their PHI, but also informed that the covered entity has the right to refuse these amendments under certain circumstances.
4. ____ “IMPLEMENT SAFEGUARDS AND ENFORCEMENT MECHANISMS” The Act requires that the physical and electronic safeguards discussed at length above be implemented. Whatever the CO and team decide to do to implement these measures should be documented in a list format so that it can be provided in one document to the HHS auditor. This list should include all of the main objectives communicated to your staff through employee training, as well as the “behind the scenes” measures your company instituted, such as the use of encrypted data, secure servers, etc. Part and parcel of implementing these measures is that your company has enforcement mechanisms in place to sanction and retrain employees who violate the Privacy Rules and Procedures. The Act does not specify how employees should be sanctioned, but the CO and team are advised to create a written document setting forth how an employee will be sanctioned…and then retrained, in order to prevent future violations.
5. ____ “SET FORTH COMPLAINT AND MITIGATION PROCESSES” The Rule requires that the covered entity have a process for patients to make complaints to the entity about any suspected Rule violations. Likewise, this complaint policy should be extended to set forth a process for the covered entity’s own employees to file a complaint about the organization’s possible violations of the Rule. The complaints should go directly to the CO and their team, who should rigorously document the complaint, what was done in the follow-up investigation, and then a report on whether a violation occurred or not and, if so, what was done in response. A covered entity is required by the Rule to mitigate any breach, and to the extent practical to lessen the potential harm caused by one of the covered entity’s workforce members or by a Business Associate. All mitigation measures implemented should be documented in writing.
6. “CREATE AN INTERNAL AUDITING / SELF ANALYSIS PROGRESS REPORT” The Rule has no written requirement that an organization do any formal self-audits or review. However, in order to best implement a “Culture of Compliance” and readily show the HHS auditor that your company is on track for implementing the Rule’s requirements, it is a best practice for the CO and team to periodically (or at least annually) meet to examine the progress the covered entity has made in creating a “Culture of Compliance.” Minutes from these meetings should be maintained in a file to show that the CO and team have analyzed any past breaches, attempted to mitigate those breaches, notified the patient (and HHS and the media when necessary), and what steps the CO and team implemented in attempts to prevent future similar violations. This self-analysis should include an annual review (and written minutes that there was a review) of the covered organization’s internal Privacy Policies and Procedures, employee training programs, and the Notice documentation provided to patients of their Privacy Rights.
Neither the handouts provided in this seminar nor the seminar itself create an attorney / client relationship. All materials and statements made in conjunction with this seminar should be reviewed and approved through your HIPAA Compliance Team and legal counsel of your choosing.