Compliance Program Development - Part I
All medical practices, regardless of size, must be in compliance with the following federal and state compliance programs. Failure to implement the regulations mandated under these compliance programs could result in exclusion from the Medicare Program, exposure to civil lawsuits, audits by the Department of Health and Human Services and/or state governmental agencies, and/or substantial fines and penalties, including imprisonment.
HIPAA Privacy & Security Rule Compliance
The regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were established to protect the privacy and security of patient health and medical records. Any health or medical records that directly identify a patient, or that can be traced to a patient using identifying information such as (but not limited to) a name, address, phone number or social security number, are included in the class of information covered by the HIPAA regulations.
With few exceptions, HIPAA regulations cover all medical practices (and other covered entities) and include three major components: transaction regulations, privacy regulations and security regulations. The transaction regulations became effective October 16, 2003 and concern the transmission of data (i.e., protected health information). However, unless the practice has created its own proprietary software, compliance with this set of regulations is principally a responsibility of the practice's software vendor rather than of the medical practice.
The privacy regulations, which became effective on April 14, 2003, require all medical practices to establish reasonable safeguards for handling all forms of "protected health information" (PHI). The privacy standards require the adoption and implementation of formal policies and procedures to protect individually identifiable health information and to effectively manage the personnel who come in contact with the information through education and enforcement of policy guidelines.
The required elements for compliance under HIPAA's privacy standards include the following:
- Appointment and training of a privacy/security officer for the practice;
- Performance of an initial base-line assessment of organizational processes to identify potential areas of risk (including review of personnel and operational policies/procedures, observations of employee practices and review of physical facilities);
- Development of a compliance plan, including the required privacy and security standards, policies and procedures;
- Preparation of an inventory of the practice's existing "business associates";
- Development and implementation of a written business associate agreement for any vendors used by the practice that may come into contact with protected health information;
- Preparation and implementation of a "Notice of Privacy Practices," to be signed by all of the practice's active patients;
- Creation of a "Patient Authorization" form for release of protected health information; and
- Utilization of specific reporting forms and logs to record information required under HIPAA's privacy standards.
The third component of the HIPAA legislation is the security regulations, which became effective on April 21, 2005. The security standards take the privacy regulations one step further by expanding the practice's obligations in the area of how the practice maintains its electronic protected health information (ePHI).
The security regulations generally require medical practices to:
- Ensure the confidentiality, integrity, and availability of ePHI that the practice creates, receives, maintains and/or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or the integrity of that electronic data;
- Protect against any reasonably anticipated uses or disclosures of that electronic information which are not permitted by the privacy regulations; and
- Ensure that the practice and its workforce understand and comply with these regulations.
Like the privacy regulations, the security regulations are scalable, in that they incorporate a sliding scale of expected compliance. The regulations explicitly permit a medical practice to "use any security measures that reasonably and appropriately implement" the security standards. Thus, a small practice is not held to the same standard as a large medical group or clinic.
HIPAA's Security Rule establishes 22 security safeguard standards that apply to information that a medical practice receives, transmits, or stores electronically. These standards are grouped under the headings of administrative safeguards, physical safeguards, and technical safeguards. The 22 security safeguard standards define 42 implementation specifications, which are more detailed statements of what must be done to comply with the standards.
The Security Rule distinguishes between "required" and "addressable" implementation specifications. Of the 42 specifications, 20 are "required" and 22 are "addressable." All medical practices must implement the "required" implementation specifications but are given more flexibility with the "addressable" implementation specifications. A medical practice may take into consideration the four factors listed below in deciding how to comply with the "addressable" implementation specifications. Unfortunately, the Security Rule does not provide any guidance that will assist a practice in weighing these various factors:
- The size, complexity and capabilities of the medical practice;
- The medical practice's technical infrastructure, hardware and software security capabilities;
- The costs of alternative security measures; and
- The probability and criticality of potential risks to ePHI.
Marc H. Bailey & Associates will prepare a HIPAA Compliance Manual tailored to your practice that meets all requirements under HIPAA's Privacy and Security Rules. The Privacy Compliance Plan will address all of the required core elements. The Security Compliance Plan will address all of the 22 security safeguard standards, including the key requirement to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI." The risk analysis will identify and assess the risks in your practice and provide recommendations to reduce these risks to a reasonable and appropriate level. This process will enable practice management to understand your organization's risks associated with ePHI and to allocate appropriate resources to reduce and correct potential losses.
Continue to Part II
Marc H. Bailey and Associates, 5013 Butterfield Court, Culver City, CA 90230. Tel. 310.838.9170. firstname.lastname@example.org