Facing HIPAA Compliance—Head On and Reasonably

By Bernard J. Smith

            This short overview is offered as part of the continuing series by the Health Law Department at McDonald, Hopkins, Burke and Haber to help physicians plan for HIPAA compliance.  It describes a four-phase implementation process leading to compliance with the HIPAA privacy regulations.

Suggested Approach

            The HIPAA privacy rules are here, and some form of them is here to stay.  Physicians should begin now to consider how they will bring their practices into full compliance by the rules’ (at least for now) compliance date of April 14, 2003.  While compliance will no doubt involve effort and expense, smart planning can make the task easier.  We suggest that physicians strike a balance between taking steps toward full compliance and keeping an ear to the ground for future changes in the privacy rules.  The realistic possibility of such modifications means that a headlong rush to meet every standard of the privacy rules in their present form may not be advisable.

Steps to Compliance

            Generally, the process of becoming “HIPAA compliant” should be undertaken in phases.  This allows a practice to move gradually from the initial steps of education, staff involvement and awareness, through planning to meet the compliance date, to actual modifications of practice procedures that involve protected health information.  A phased approach lets compliance efforts get underway while limiting wasted effort on actions that may become unnecessary, at least in part, as the Department of Health and Human Services (“HHS”) continues to revise the privacy rules.  The phases described below will guide physicians in implementing the HIPAA privacy requirements.  As discussed under “Things to Do Now,” however, some HIPAA-related matters deserve immediate attention.

Phase I: Initiation

            The purpose of Phase I, Initiation, is to become educated about and familiar with the HIPAA privacy rules.  This should include a review of the history and background of HIPAA, an investigation of how HIPAA will affect the practice and its staff, and consideration of how to integrate HIPAA compliance into the overall strategic goals of the practice.  This phase should also include an analysis of the scope of the rules and the compliance timeframes, identification of the systems that will be affected, setting of objectives, and an estimate of the costs of compliance.

Phase II: Compliance Assessment

            The second phase of implementation, Compliance Assessment, determines the potential impact of HIPAA on the practice.  Its purpose is to uncover gaps and vulnerabilities, so that the practice can identify the process changes, system remediation, and policy and procedure development needed in each area.  Using a structured approach, the following steps should occur in this phase:

· Appoint a Privacy/Compliance Officer.  The Privacy/Compliance Officer is responsible for coordinating the development and modification of the practice’s privacy policies and employee handbooks, coordinating the education of practice staff, and overseeing the development and implementation of the practice’s compliance strategy.  The Privacy Officer should coordinate with the practice’s billing, information technology and other staff so that compliance efforts reach every part of the practice.

· Promote awareness and provide initial training.  This includes all employees working within the office.

· Evaluate major information and electronic systems.  Evaluate all systems in use by the practice, including the related privacy policies and procedures.

· Identify gaps and weaknesses in office practices.

· Develop an implementation budget.  This budget should be developed after the overall impact of HIPAA on the practice has been reviewed, along with the recommended actions to achieve compliance.

Phase III: Compliance Improvement

            Once the Compliance Assessment is complete, a number of key issues will have been identified.  A critical point to keep in mind is that appropriate resources are required to achieve and document compliance; it is important to identify not only sufficient resources but also the right resources and experts.  In addition, the support of all physicians in the practice is vital so that staff understand the priority given to HIPAA and the effort involved in meeting compliance.  Analysis of the Compliance Assessment will reveal a number of key areas that require new policies, procedures and process changes, as well as system remediation and strategic planning.  These areas include:

· Revise, improve and document existing security and privacy policies;

· Deploy new physical and technical safeguards to support the policies and procedures;

· Educate all employees through a formal training program and retrain users as needed;

· Integrate new processes and systems;

· Work with counsel to review current contracts and relationships with business associates, such as billing companies.

Phase IV: Monitor and Audit Compliance Activities

            Phase IV, Monitoring and Audit Activities, focuses on due diligence: comparing actual policies, procedures and practices against the HIPAA standards.  HIPAA compliance is ongoing and requires continuous or periodic monitoring of practice operations.  The following activities should be conducted:

· Create reporting and documentation procedures with feedback mechanisms;

· Test and validate the compliance of each remediated system;

· Maintain the HIPAA Privacy/Compliance Officer position;

· Implement necessary ongoing changes;

· Continue to train employees on changes to policies and procedures;

· Maintain awareness in order to deal with possible problems.

Things to Do Now

            Two areas that warrant immediate attention, as circumstances arise, are business associates and any remodeling, renovation or construction of practice facilities.  Business associates are persons or entities outside the practice’s own workforce that perform functions or activities, or provide services, on the physician’s behalf that involve the use or disclosure of protected health information (a billing company, for example).  Physicians should begin now to make sure that their arrangements with business associates are “HIPAA compliant.”  This means the physician obtains satisfactory assurances that the business associate will use protected health information only for the purposes for which it was engaged, will safeguard that information from misuse, and will help the physician meet his or her duty to provide individuals with access to health information about them.  Physicians will obtain these “satisfactory assurances” primarily through written contracts in which the business associates commit to satisfy the applicable HIPAA requirements.

            In the case of remodeling, renovation or construction, physicians should become even more sensitive to privacy concerns.  This may mean ensuring that computer workstations, record storage areas and the like are reworked or designed to provide the maximum protection for protected health information, for example by keeping screens and charts out of the view of patients and visitors.  In short, if a physician anticipates a significant outlay on office facilities, he or she should keep HIPAA concerns in mind.

Enforcement

            Enforcement of the HIPAA privacy rules has been delegated by the Secretary of HHS to the Office for Civil Rights (OCR).  Congress has prescribed penalties for non-compliance with the HIPAA mandates.  For non-criminal violations, including disclosures made in error, the civil money penalties are $100 per violation, up to $25,000 per year for violations of an identical requirement.  For knowing violations, criminal penalties range up to $50,000 and one (1) year in prison for obtaining or disclosing protected health information; up to $100,000 and five (5) years in prison for obtaining or disclosing protected health information under “false pretenses”; and up to $250,000 and ten (10) years in prison for obtaining or disclosing protected health information with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Looming Changes

            We anticipate that during these two pre-compliance years HHS will issue further guidance and refinements to what are nevertheless being called the “final” HIPAA privacy rules.  As soon as such changes, guidance or other information become available, we will issue an update so that you can review the changes and incorporate them into your compliance planning.

Conclusion

            The uncertainty as to the finality of the HIPAA privacy rules, the nevertheless impressive array of tasks to be performed, and the limited 24-month timeframe for compliance all point to the need for a structured, defined approach to becoming HIPAA compliant.  The major work to be anticipated involves building consensus and support within the practice, documenting policies and procedures, and putting those policies and procedures into daily practice.  By recognizing the effort that HIPAA will require and starting now with a structured approach, you can expect to have the information needed to guide your planning and budgeting and to tailor the compliance effort to your practice.