Preparing Your Work Force
Policies, Procedures and Training for HIPAA
Although obtaining a patient's acknowledgment of receipt of a covered entity's Notice of Privacy Practices is one of the critical elements of HIPAA, compliance does not stop at this step. In addition, the covered entity must make sure that the privacy rights as conveyed in the Notice of Privacy Practices are, in fact, followed. There is no way for a covered entity to accomplish this task without ensuring that its work force is aware of the privacy practices and adequately trained to follow the same.
One of the first steps that any covered entity must take is to perform an internal audit to determine what privacy policies, if any, it already has in place. Once any such policies are identified, they must be reviewed to determine whether they meet the federal minimum required standards as set forth in HIPAA. Any deficiency in existing policies or absence of policies must be remedied by the covered entity by the development of new written policies to meet the privacy standards.
Creation of the Notice of Privacy Practices can be used not only to alert patients of the covered entity's practices but also to educate staff of the protocol the practice will follow. A Notice of Privacy Practices that contains all of the required information will alert all employees as to what steps must be taken to ensure a patient's privacy and, also, what steps are permissible to perform the duties of the covered entity.
In addition to the creation of the Notice of Privacy Practices and acknowledgment, the covered entity must develop a procedure by which all patients are afforded the opportunity to review the Notice of Privacy Practices prior to the dissemination of any protected health information. In addition, a procedure must be established for the covered entity to obtain the required acknowledgment. Finally, procedures must be put in place to recognize the potential use of the information beyond treatment, payment or health care operations and an adequate way to obtain any necessary authorization. In addition, a framework must be established to respond to patients' request for access to, or the right to amend, protected health information as well as request an accounting.
These procedures may vary among covered entities. However, examples include mailing the Notice of Privacy Practices to every patient prior to their first visit after April 14, 2003. Additionally, the Notice may be provided to all patients upon their entry to the covered entity. Acknowledgments can be required prior to treatment. Some mechanism must be established to ensure the executed acknowledgments find their way into the files.
Once the covered entity has evaluated any existing policies and promulgated new procedures to ensure HIPAA compliance, it is then necessary to ensure that all employees understand and follow the procedures. Initial training of employees should have been completed prior to the April 14, 2003 compliance date. In addition, the covered entity should have a mechanism in place to train any new employees as they join the work force. Training of new hires should occur as soon as practicable after their joining of the work force. As the obligation to comply with HIPAA grows more customary, the need for training of new employees will hopefully be lessened to a certain extent because they will have had prior exposure to the privacy regulations.
In addition to the initial training, covered entities should adopt a regular periodic refresher course in which to remind employees of the privacy obligations and review past conduct to determine whether any repeated violations or problems can be detected.
In terms of the substance of the training, all employees should be provided with a copy of the covered entity's Notice of Privacy Practices. It would be impossible for the employees to meet the patients' expectations if they are not, at a minimum, aware of what has been conveyed to the patients. In addition, all policies establishing the method by which the notices are provided to patients, acknowledgments are obtained, and how the office responds to requests for access to records or amendment of the same should be disclosed to the employees. Appropriate notations should be made to each employee's personnel file to reflect and document the completion of the training.
Minimum Necessary Standards
Part of the employee training should also be geared towards educating employees of the obligation to follow what has been called the "minimum necessary standard." In addition to placing general restrictions on the disclosure of protected health information, the HIPAA privacy regulations also limit the breadth of what information is disclosed. The minimum necessary standard has been defined by the regulations as: when using or disclosing protected health information, or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit the use or disclosure to the minimum amount of PHI necessary to accomplish the intended purpose. Following the minimum necessary standard means taking reasonable safeguards to protect a person's health information from incidental disclosure.
Examples of activities that implicate the minimum necessary standard include: sign-in sheets; calling out patients' names in a waiting room; messages on answering machines; and daily schedules. HIPAA does not prohibit the use of these items but, instead, limits the amount of information that should be conveyed. By way of example, sign-in sheets are still permissible and serve a recognized need in alerting the covered entity as to the identity of patients in the facility. However, the only information necessary to accomplish this task is the name of the individual present. As a result, any prior practice of disclosing addresses, telephone numbers, date of birth, or the reason for the visit should be eliminated as violating the minimum necessary standard.
The minimum necessary standard does not apply to disclosures to staff members or another health care provider for treatment purposes. Disclosures to the individual who is the subject of the information need not adhere to the minimum necessary standards. Likewise, any uses or disclosures authorized or requested by the individual need not be so limited, nor any uses or disclosures required for compliances with the HIPAA mandated standard transactions or required to be made to the Department of Health and Human Services or otherwise required by law need to be limited.
The staff must be educated to this concept of minimum necessary standards and indoctrinated in the need to disclose only that information necessary to accomplish the task.
Staff Appointments/Duties and Responsibilities
In order to ensure compliance with the privacy standards, the HIPAA regulations require the appointment of certain office personnel to serve in various capacities as it relates to the implementation and adherence to the privacy standards. The most important of these appointments is the Privacy Officer. The Privacy Officer is going to be that staff person primarily responsible for the development and enforcement of the covered entity's privacy standards. The tasks that will be performed by the Privacy Officer include making any minimum necessary standard decisions encountered by the office staff, receiving patients' requests for access to information or amendments to their records, and ensuring compliance with the time deadlines applicable to the same. In addition, the Privacy Officer should maintain records of all complaints and dispositions. It should be the Privacy Officer's responsibility to track any complaints to determine the existence of any unwanted trends. Furthermore, the Privacy Officer should monitor the covered entities' policies to ensure they are being followed and work.
Further, the Privacy Officer should act as the primary liaison between the covered entity and its Business Associates to ensure compliance by the Business Associates with the terms of their agreement. Finally, the Privacy Officer should be responsible for developing and monitoring the covered entities' employee training.
In addition to the Privacy Officer, the covered entity must appoint a Contact Person. The Contact Person's sole specific responsibility is to receive patients' complaints about the office's privacy practices. The Contact Person must then interact with the Privacy Officer to make sure that the procedure established for the disposition of any such complaints is followed.
The Privacy Officer and Contact Person can be the same individual. There is no specific requirement that either position be held by an owner of the covered entity.
Practice Assessment/Spotting Gaps
Both prior to and continuously after the HIPPA compliance date, covered entities should develop a practice of assessing how information flows into and out of their offices. The focus of this assessment should be on determining compliance with the privacy standards as well as identifying any potential gaps.
The assessment of the office should include, at a minimum, an office walk-through. It is advisable that this walk-through occur at various times of the workday so as to provide a more accurate picture of how information is handled. The focus of the walk-through should be on interaction between staff and patients and the activities in waiting rooms and in treatment areas. Particular attention should also be placed on the location of files and the placement of any documentation where it is visible to visitors.
Attention should also be paid to the technological capabilities of the office. These items include the visibility of computer screens, the ability to overhear telephone conversations and the physical makeup of patients' charts and the records area. The walk-through must be accomplished at a time where the observer can witness the office during its normal operations. Care should be given by the observer to be as inconspicuous as possible so as not to improperly influence the environment.
In addition to attempting to spot potential gaps, thought must be given to identifying reasonable alternative means for conveying confidential information. For example, if discussions with patients regarding their condition occur at the counter while they are leaving the office, some consideration should be given as to whether patients can be staggered so as to provide a minimum level of confidentiality when such discussions occur. In addition, a small table and chairs could be placed in a separate area of the office to handle discussions with any patients who have particular concerns.
In the event any gaps identified pertain to the office staff's failure to follow the covered entity's practices and policies, there must be in place a procedure by which the employees can be appropriately disciplined. Violations of the HIPAA privacy standards could place the covered entity in a precarious situation with its patients and the Department of Health and Human Services. As a result, employees who cannot follow these federal mandates must be dealt with appropriately, including termination of employment if necessary. The same analysis must be conducted with Business Associates to ensure that the covered entity is doing its reasonable best to protect the information.
Mitigating Breeches
As highlighted by some of the defenses to the civil monetary penalties, the Department of Health and Human Services recognizes that some violations of the privacy standards are bound to occur. It is as part of this recognition that the regulations also require that covered entities take reasonable steps to mitigate any disclosures. The duty to mitigate requires a covered entity to limit any known harmful effect of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of HIPAA. This would include taking steps to retrieve any documentation or information improperly disclosed. Likewise, efforts to discipline staff or Business Associates who violate the agreement would be viewed as a reasonable step.
Although no clear guidance can be given as to how to mitigate every particular situation, a general principle is that the covered entity must not ignore an improper disclosure. Instead, it is the covered entity's responsibility to take reasonable steps to limit the extent of the disclosure, limit the impact of the disclosure, and take reasonable steps to reduce the chances of an additional improper disclosure being made in the future.