Although HIPAA has been in force for years, questions and fears about it persist. Just this past week, nearly two dozen employees at Kaiser Permanente Medical Center in Bellflower, California were fired or disciplined for peering into the medical records of octuplet mom Nadya Suleman.
Fifteen employees were fired and eight were disciplined for snooping in Suleman’s records without authorization. Hospital officials discovered, while security personnel were monitoring Kaiser’s computer network, that Suleman’s medical records had been inappropriately accessed on two separate occasions, beginning three weeks ago. Kaiser officials notified Suleman about the matter on both occasions, shortly after the employees involved had been fired or disciplined.
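The Kaiser incident shows why the Security Rule's audit controls matter: the snooping was caught by monitoring who opened the chart, not by anything the snoopers did wrong technically. The script below is an added illustration of that kind of review, written for this page; it is not Kaiser's monitoring system, and the audit records, user names, patient IDs, care-team roster and watchlist in it are all constructed. The rule it applies is the one the Privacy Rule's minimum-necessary standard implies: every access to a chart by someone with no documented treatment, payment or operations relationship is an exception to be reviewed, and an undocumented access to a high-profile patient is escalated.

```python
"""Flag EHR chart accesses that lack a documented treatment relationship.

Added example for this article, not Kaiser Permanente's tooling. The audit
records, user names, patient IDs, care-team roster and watchlist below are
constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp|user|role|patient|action|reason
# 'reason' is a free-text break-the-glass justification, empty when none given.
AUDIT_LOG = """\
2009-02-20T08:02:11|dr_patel|physician|P-1001|VIEW|
2009-02-20T08:05:40|rn_lopez|nurse|P-1001|VIEW|
2009-02-20T08:07:03|billing_03|billing|P-1001|VIEW|
2009-02-20T09:14:52|rn_kim|nurse|P-1001|VIEW|
2009-02-20T09:15:20|dr_owens|physician|P-1001|VIEW|
2009-02-20T09:16:48|tech_17|lab|P-1001|VIEW|
2009-02-20T10:30:00|dr_owens|physician|P-1001|VIEW|ED consult requested by Dr. Patel
2009-02-20T11:00:00|rn_kim|nurse|P-2002|VIEW|
2009-02-20T11:01:00|dr_patel|physician|P-2002|VIEW|
"""

# Constructed care-team roster: patient -> users with a treatment, payment
# or operations relationship. In a real EHR this is derived from admissions,
# scheduling and billing data, not maintained by hand.
CARE_TEAM = {
    "P-1001": {"dr_patel", "rn_lopez", "billing_03"},
    "P-2002": {"rn_kim", "dr_patel"},
}

# Constructed watchlist: patients under heightened review (e.g. press
# attention), for whom every outside access is examined rather than sampled.
WATCHLIST = {"P-1001"}


def parse_audit_log(text):
    """Parse the pipe-delimited audit records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "action": action, "reason": reason})
    return events


def find_unauthorized_access(events, care_team, watchlist):
    """Return one alert per access by a user outside the patient's care team.

    Severity: 'review' when a break-the-glass reason was recorded (legitimate
    if the reason holds up, but still checked), 'high' when none was, and
    'critical' for an unjustified access to a watchlisted patient.
    """
    alerts = []
    for e in events:
        if e["user"] in care_team.get(e["patient"], set()):
            continue  # documented relationship: normal access
        severity = "review" if e["reason"] else "high"
        if e["patient"] in watchlist and not e["reason"]:
            severity = "critical"
        alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "role": e["role"],
                       "patient": e["patient"], "severity": severity, "reason": e["reason"]})
    return alerts


def distinct_viewers_per_patient(events):
    """Count distinct users who opened each chart.

    A chart viewed by far more people than its care team has is the simplest
    signal of snooping: one record, many curious eyes.
    """
    viewers = defaultdict(set)
    for e in events:
        viewers[e["patient"]].add(e["user"])
    return {patient: len(users) for patient, users in viewers.items()}


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    for a in find_unauthorized_access(evts, CARE_TEAM, WATCHLIST):
        print(f"[{a['severity']:8}] {a['ts']} {a['user']} ({a['role']}) -> {a['patient']} {a['reason']!r}")
    print(distinct_viewers_per_patient(evts))
```

On the constructed log, three undocumented views of the watchlisted chart by users outside its care team come back as critical, the one with a recorded consult reason comes back for ordinary review, and the chart shows six distinct viewers against a three-person care team. The roster is the weak point of any such scheme: if it is stale, legitimate care shows up as alerts and staff learn to ignore the queue, so it has to be fed from the systems that actually establish the relationship.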
For the average health care provider, the HIPAA Privacy Rule requires activities such as:
■ Notifying patients about their privacy rights and how their information can be used.
■ Adopting and implementing privacy procedures for its practice.
■ Training employees so that they understand the privacy procedures.
■ Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
■ Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Responsible health care providers and businesses already take many of the kinds of steps required by HIPAA to protect patients’ privacy. To ease the burden of complying with the new requirements, HIPAA's Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Privacy Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.
For example, the privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties. However, even a small practice needs a designated privacy official. The privacy official at a large practice or health plan, in contrast, may be a full-time position, and may have the regular support and advice of a privacy staff or board.
A small physician practice may satisfy the training requirement by giving each new member of the workforce a copy of its privacy policies and documenting that the new member has reviewed them. In addition, a practice of any size may provide training through live instruction, video presentations, or interactive software programs.
The policies and procedures of small providers can be more limited under the HIPAA Privacy Rule than those of a large hospital or health plan. This limitation is justified by the smaller volume of health information maintained and the smaller number of interactions with those within and outside the health care system. Nevertheless, there should be policies and procedures as part of a basic compliance plan. HIPAA training and compliance need not be expensive or time-consuming, but they must be set up. Once they are set up and implemented, there is little left to do except ensure that new employees receive the training and sign documentation indicating that they have received it.
As part of their compliance plans, we encourage health care providers to have all employees attend a training overview of HIPAA, which can be conducted in-house and should prepare them to:
(1) describe what HIPAA is and how it came to be;
(2) identify major components and implementation timeframes of HIPAA (privacy, security, code sets, due diligence, and transactions);
(3) be cognizant of the HIPAA privacy rules, current practice policies and California’s privacy laws regarding medical records;
(4) determine what is considered private vs public information;
(5) identify penalties associated with violations of HIPAA rules;
(6) report suspected violations of HIPAA rules;
(7) identify how to obtain additional assistance or information regarding HIPAA within the practice; and
(8) describe generally how HIPAA could affect them and their work unit.
Upon completion of HIPAA training, employees will sign a form acknowledging receipt of this training. One copy of the acknowledgement form will be given to the employee and another will be placed in their personnel file.
If your practice is not compliant with HIPAA training and having each employee sign a HIPAA form as part of their personnel file, it's not too late to become compliant. Most health care attorneys or other compliance providers can conduct in-office seminars or draft a training manual that can be reviewed at a reasonable cost. Don't wait for a patient to file a complaint or until an employee improperly discloses protected health information (PHI).
Any questions or comments should be directed to: tgreen@greenassoc.com. Tracy Green is a principal at Green and Associates in Los Angeles, California. The firm focuses its practice on the representation of licensed professionals and businesses in civil, business, administrative and criminal proceedings, with a specialty in health care providers and HIPAA compliance.