HIPAAnotes Volume Two, August 2002

No. 30 HIPAA Detail -- Business Associate Management: Moving a Mountain "One Spoonful at a Time"

Implementing the HIPAA Privacy Rule’s Business Associate (BA) provisions by the April 14, 2003 deadline will prove a major challenge for most healthcare organizations. Unless the recent Privacy Notice of Proposed Rule-Making (NPRM) provides some relief, covered entities (CE) must identify all business partners and negotiate BA Agreements with them. For small providers, this will mean coordinating dozens of agreements; large provider networks may have thousands. This effort will be manageable only if your organization starts its BA management process early.

Identifying and documenting who your BAs are, under HIPAA definitions, is a first step. Developing one or more Agreement templates and working with your BAs to tailor them appropriately is another. Then, getting your staff to follow new procedures is a less-publicized but equally challenging task.

"But we have always done it that way!"

We are all creatures of habit. Our HIM professionals, medical staff, and even our volunteers rely on past ways of doing business when releasing information. Physicians and clinicians are currently comfortable with using their medical transcription services, document storage companies, and their software vendors. In the future, getting these individuals to verify that a current BA Agreement exists before releasing personal health information (PHI) will require new habits.

BA lists are not static. Your staff should periodically revalidate a BA before releasing PHI, and should be trained to recheck the list routinely. An easy way to manage a CE’s BA list is through a "preferred vendors list." This list ideally will be managed by a central contracts office, and should be updated every time there is a change in BA status or contracts. The list should include the BA’s name and both the start date and end date of the BA Agreement. For larger covered entities, an Intranet site is an optimum way to distribute the information. A word of caution: consider disabling printing of this list. As the saying goes, "Give a person a watch and he’ll know what time it is; but give him two, and he will never be sure." There should be only one source for current BA information.

Further, BA relationships themselves are not static. With the HIPAA requirement to either sanction or even terminate a BA for non-performance, your staff should be trained to be aware of their partners’ privacy practices, and to follow designated procedures if they have evidence that a partner is not fulfilling its end of the BA bargain.

Clyde Hewitt, Principal
Phoenix Health Systems

Read more on the proposed revisions to the Privacy Rule’s BA provisions:
http://www.hipaadvisory.com/regs/privacynprm/bas.htm

Bone up on other HIPAAterms & acronyms:
http://www.hipaadvisory.com/action/faqs/glossary.htm


No. 31 HIPAA Detail -- Fax Management and Business Associates

On the surface, sending and receiving protected health information (PHI) in paper and other non-electronic formats, e.g., facsimiles (faxes), may seem difficult to manage under HIPAA Privacy requirements. One way to identify such fax usage and the business associates (BAs) who are involved is to start collecting facsimile logs. Health information management staff should be able to associate each fax number with a specific BA in a database. When you negotiate your BA Agreements, clearly mark which facsimile machines are authorized to receive PHI, as not all facsimile machines may be in a secure area.

Will your organization have to establish a "Fax Policy"? Properly framed and executed, your policies and procedures should be adequate to restrict the release of PHI to only approved BAs. For example, in high-problem areas, there are technical ways to limit where your facsimile machines can dial. If you have an internal telephone network consisting of PBXs and/or Key Systems, several models allow you to restrict where a certain network extension can dial. Since your facsimile is most likely on an extension, consider programming your PBX so that only certain numbers can be reached. Other facsimile machines have ‘pre-programmed’ speed-dial numbers and a handset. For these, pre-program the list of authorized locations.

Due diligence is also important. Don’t forget to turn on the facsimile auditing feature and gather up those audit logs. In order to prove due diligence, you should assign a resource to review these logs and document unauthorized or suspicious calls in a variance report. Action must be taken when a variance is found, including determining whether there was an applicable policy or procedure governing the circumstances, or whether human error created the variance. If there was a human error, additional training may be required, unless the variance was obviously a one-time event that can easily be prevented from occurring again. Similarly, if there were errors or inadequacies in policies and procedures, these will require corrective action.
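The log review described above, as an added example that is not part of the original newsletter: it checks outbound fax audit-log entries against a BA register that carries each agreement's start and end dates (the "preferred vendors list" of No. 30) and produces the variance report entries. The register, the log lines, and the log format (date, time, direction, remote number, page count) are all constructed assumptions for the example.

```python
from datetime import date

# Constructed BA register: keyed by the fax number named in each BA Agreement,
# with the agreement's start and end dates (assumed format, not a real register).
BA_REGISTER = {
    "555-0101": {"ba": "Acme Transcription", "start": date(2002, 1, 1), "end": date(2003, 12, 31)},
    "555-0199": {"ba": "Old Storage Co", "start": date(2001, 1, 1), "end": date(2002, 6, 30)},
}

# Constructed fax audit log: "<date> <time> <direction> <remote number> <pages>".
FAX_LOG = """\
2002-08-01 09:12 OUT 555-0101 4
2002-08-01 10:40 OUT 555-0199 2
2002-08-02 14:05 OUT 555-0777 6
2002-08-02 16:30 IN 555-0101 1
"""

def parse_log(text):
    """Yield one record per non-empty audit-log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, time_, direction, number, pages = line.split()
        yield {"date": date.fromisoformat(day), "time": time_,
               "direction": direction, "number": number, "pages": int(pages)}

def review_fax_log(text, register=BA_REGISTER):
    """Return variance entries: outbound faxes with no active BA Agreement on file."""
    variances = []
    for rec in parse_log(text):
        if rec["direction"] != "OUT":
            continue  # only outbound transmissions release PHI
        entry = register.get(rec["number"])
        if entry is None:
            reason = "no BA Agreement on file for this number"
        elif not (entry["start"] <= rec["date"] <= entry["end"]):
            reason = f"BA Agreement with {entry['ba']} not in effect on {rec['date']}"
        else:
            continue  # authorized destination under an active agreement
        variances.append({**rec, "reason": reason})
    return variances

if __name__ == "__main__":
    for v in review_fax_log(FAX_LOG):
        print(f"{v['date']} {v['time']} -> {v['number']} ({v['pages']} pp): {v['reason']}")
```

Each variance still needs the follow-up the article calls for: deciding whether a policy gap or human error produced it, and recording the corrective action.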

Finally, take your releases of PHI seriously. Complaints by patients, "bad press," loss of public confidence and fines could build up quickly if you don’t have a solid, comprehensive Privacy program.

Clyde Hewitt, Principal
Phoenix Health Systems

For more information, read our Fax Facts on sending and receiving faxes that contain PHI.


No. 32 HIPAA Detail -- "To teach or not to teach": Understanding the Scope of Your Training Program

The HIPAA rules require Covered Entities to educate their staff about their HIPAA privacy and security policies. These rules also permit covered organizations to define the scope of their training programs, within limits. Obviously, all staff -- including employees on the payroll, contract personnel under direct supervision, and volunteers -- should receive training. The fuzzy zone starts when determining whether you should provide HIPAA training to non-employees who have routine and non-routine access to your facility and protected health information (PHI).

Many hospitals grant privileges to physicians and other licensed medical staff. This group of providers may or may not be included under the scope of your Notice of Privacy Practices. In addition, certain contract information technology professionals may operate on-site, but not under the direct control of your management. These individuals will need to be granted access to your organization's PHI through Business Associate Agreements. If, during the course of their duties, such individuals disclose or misuse PHI, and a complaint is later filed, your organization may be shielded from liability if it can show that internal policies and procedures were sound and not violated.

This said, avoiding liability and placing blame are not the point of HIPAA compliance. Protecting patients' privacy and inspiring their confidence that yours is a quality healthcare organization, while remaining a viable healthcare delivery and business operation, IS.

Consider the factor of your organization's professional reputation. Reputations can quickly be tarnished with a single negative HIPAA "event," whether generated by internal staff or non-employees. Violations of HIPAA policy or procedure -- by anyone connected to your organization -- can result in damaging media or legal attention, from which recovery may be difficult and expensive.

It could be argued that HIPAA training of non-employees who have routine and non-routine access to your PHI should be provided by their employers -- not by your enterprise. However, remember that if this responsibility is left to the Business Associate organization, you may expect to see some or all of the costs transferred back to your enterprise. Further, since these non-employees could place YOUR protected health information and related systems at risk, prudence suggests that your organization should provide at least some of their HIPAA-related training.

Non-employees, such as physicians, other licensed medical staff, and IT personnel, will require appropriate HIPAA privacy training by April 2003. When your organization performs a cost-benefit analysis of training non-staff personnel, it should weigh the relatively small cost of expanding the scope of its training program to include all such ancillary staff.

Clyde Hewitt, Principal
Phoenix Health Systems


No. 33 HIPAA Detail -- The "HIPAAmark": Limiting your risk when releasing PHI

"Out of sight, out of mind (but not out of reach)!"

The rules are clear -- release by a covered entity of protected health information (PHI) to anyone other than a patient (or his or her designated representative) or one of the listed exceptions requires a signed Authorization. Unfortunately, once PHI is released beyond your control, you incur a risk that the information will be disclosed inappropriately. If a patient complains about an unauthorized disclosure, it will be up to the covered entity to prove that its processes were not responsible. Given the expense of defending against a potential flood of complaints, you will need to quickly identify if PHI was under your organization's control at the time of release.

Examples of the extremes that may await you: With sports teams wrestling with the issue of how to report player injuries, some suggest that the gambling community will use extraordinary measures to learn the condition of an injured player. Similarly, other injured or ill high-profile patients will continue to be the focus of the press, HIPAA or no HIPAA. Hospital staff, team members, and visitors will all be targets of probes from the press and others. If a copy of Joe or Jane's medical records magically appears at the local press club or worse, the evidence room, you should be able to show that any releases of PHI by your organization were clearly made within the scope of HIPAA rules.

One quick way to remove suspicions about your organization is to clearly identify any release of PHI as having been legally released to another entity. This could be another covered entity, a Business Associate, an excepted entity (such as law enforcement or public health officials), or even the patient. For paper records, consider affixing a watermark, or "HIPAAmark," to the record stating that it was released to the patient, authorized Business Associates, or others officially excepted from HIPAA limitations -- and document that you have done so. If the patient or other recipient further releases the information, or if it is later stolen, your organization should not have liability under HIPAA.

"This won't hurt a bit"

There are easy ways to attach a "HIPAAmark" to a document. Take the case of patient releases of PHI. When you make copies, create a clear slide stating "Released to Patient," add the date released, and place it on the copier's glass before making copies to be released to the patient or designated representative. If these documents show up later in other hands, a covered entity can make the argument that it had no control over materials once they were transferred to the patient. Smaller offices can opt for a slightly lower-tech solution: purchase a custom hand stamp, available at most office supply stores. If your organization experiences a high volume of releases, it might make further sense to purchase a different type or color of printer paper to be used only for such copies. Very large covered entities may even explore having their own customized "HIPAAmark" preprinted on their paper or programming the printer to print the "HIPAAmark" at the top or bottom of the applicable documents. The solution can be simple, but the rewards can be great.

Clyde Hewitt, Principal
Phoenix Health Systems



HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.