


HIPAAnotes Volume Three, June 2003

No. 23 – Monitoring Your Privacy Compliance

For the past year we have all heard the adage, "Compliance is a journey, not a destination." The real question then becomes, "If you don't know for certain where you are going, how do you know if you have arrived?"

Monitoring and tracking the metrics associated with our journey to compliance is perhaps more important than simply arriving. Why? Two reasons:

  1. Without a proactive metric tracking process, you cannot quantify the incremental level of effort, or incremental expense, involved in maintaining your organization's compliance with the HIPAA Privacy Regulations, and
  2. Having such a process allows you to measure and validate your ongoing compliance with the regulation.

Words such as "metrics" and "validation" conjure up images of intricate statistical methodologies for determining the "costs" related to achieving HIPAA compliance. However, establishing a monitoring process to gather quantitative information to measure effort and expense need not be burdensome. Begin by identifying the specific compliance objectives to monitor; examples might include:

  • We distribute and explain the Notice of Privacy Practices to all our patients.
  • All patients are given the opportunity to opt out of certain uses and disclosures of PHI.
  • We maintain a record of all disclosures of PHI (other than for TPO or required by law).

Each of these monitored objectives has associated activities that have added time, expense, and risk/liability to your operations.

Statistics and metrics to measure your monitored objectives need not be complicated to derive. Let's consider an example:

  1. Identify the "volume" related statistics associated with the process (e.g., number of patients provided Notices of Privacy Practices, number of patients asked if they choose to opt out of receiving fundraising correspondence, or number of requests for release of information).
  2. Then determine the time involved in the standard handling of the process. For example, identify the amount of time it takes to provide a single patient with a Notice of Privacy Practices.
  3. Multiplying the volume by the time per instance is a simple calculation that gives the total man-hours your organization has dedicated to addressing this specific HIPAA compliance objective. Obviously, from here, you can easily calculate actual costs.

Having statistics and metrics relative to the "cost of maintaining compliance" will not only support your requests to senior management for staffing, computerization of manual processes, or other resources, but may also be useful in future regulatory inspections or reviews. Implementing a monitoring process for measuring your compliance efforts may show the due diligence that the Office for Civil Rights (OCR) or JCAHO would expect should they visit your facility.

Be sure to avoid creating additional bureaucracy when building your compliance monitoring program. Monitor only those activities that will provide meaningful and useful information for your organization. The data is already there for you to track and analyze, so keep the process simple!


John Yates, Principal
Phoenix Health Systems


No. 24 – Contingency Planning and TCS Compliance

Much has recently been written about Contingency Planning for HIPAA. Virtually all of that discussion, however, has focused on Contingency Planning as it relates to the Security Rule. But what about Contingency Planning as it relates to Transactions and Code Sets (TCS) compliance?

As any CFO will tell you, "cash flow is a good thing." Keeping that cash flowing after October 16, 2003 may prove to be somewhat of a challenge if you or your trading partners are not HIPAA compliant. Why? Because HIPAA requires that claims be submitted in the new compliant electronic format or on paper. As if that requirement isn't going to be hard enough to satisfy, ASCA requires that providers submit claims to Medicare in the new electronic format or face the possibility of non-payment of the claim.

Contingency Planning with regard to TCS should follow many of the same basic processes as when applying it to your security processes:

  • Identify areas of risk concern
  • Define the potential impact
  • Define the probability of occurrence
  • Based on the risk, develop mitigation strategies
  • Document the process and outcomes
  • Test, test, test (before you need to implement)

Not ready for testing - how about implementation? You are not alone. The most recent Phoenix Health Systems HIPAA Survey found that as of April 16, 2003, only 40% of providers were testing with external trading partners. Of further concern, only 79% of providers expect to be testing externally by October 2003. Note that these findings relate only to "testing," not "implementation." As if that news doesn't raise alarms over the state of the industry and its status relative to TCS compliance, consider that in the same survey only 35% of those respondents who indicated they were unlikely to be compliant by October had ANY type of contingency plan for alternative transaction processing.

While risk assessment is basic to the Contingency Planning process and strategies will depend on the uniqueness of your organization, let's focus this discussion on several mitigation strategies. Your Contingency Planning process should include the following steps:

> Develop a formal Contingency Plan - using an interdisciplinary approach, gain consensus and ownership from each department's leadership.

> Obtain Senior Management or Board approval for the Plan - get everyone working off the same page.

> Request a waiver from the submission requirements for Medicare claims from the Secretary of Health and Human Services (HHS):

While ASCA prohibits payment of Medicare claims that are not submitted electronically after October 16, 2003, the Secretary of HHS may grant a waiver. In fact, the Secretary must grant such a waiver "if there is no method available for the submission of claims in electronic form..."

Requesting a waiver does two things. It places CMS on notice that you as a provider are being challenged to comply. It is also another step in the due diligence process of Contingency Planning, whereby you attempt to cover all possible risks.

> Review your Indemnification Clauses within vendor agreements:

Most providers are dependent on their vendor - application or clearinghouse - to provide the tools necessary to assure compliance with the regulation. Have a legal review of your contracts and agreements to fully understand your rights and responsibilities, as well as those of your vendors and clearinghouses.

> Consider alternative vendors and processes:

It may be time to consider a clearinghouse or billing service/clearinghouse arrangement if you: (1) do not have one, (2) have doubts about the status of your current clearinghouse, or (3) have doubts about the status of your current software vendor.

> Consider radical financial alternatives:

As Donald Trump said, "Cash is King." The ability to keep cash flowing during a potential period where claims are being rejected will ultimately determine which providers survive and which don't. An option to consider is "factoring" your receivables. Using this option, you essentially "sell" your receivables to a third party whereby they pay you in cash, less a discount, to cover their fees and required return on investment.

> Obtain compliance plans and "assurances" from your vendors and clearinghouses:

Ask the vendor's account manager to assign someone who is knowledgeable (and authorized to commit the vendor/clearinghouse) to your solution. Get all commitments in writing. (Do not rely on promises from your "sales rep" - this is an issue beyond the authority of the sales department).

Manage your activities in relation to their plan. If they are to be at point "X" on a certain date and they are not, that should trigger an action in your Contingency Plan.

> Be milestone driven:

As we move closer to October 16, the decisions you are faced with will move from being those of deciding among various alternatives to choosing the appropriate contingency.

Contingency Planning is a must in relation to TCS compliance. Hopefully you are already on your way, but if not: begin now, monitor regularly, and when the appropriate milestone has been reached, make the decision dictated by your plan. Or, as you may have heard before:

"Plan for the worst
 Hope for the best
 But do not be caught by surprise!"


John Yates, Principal
Phoenix Health Systems


No. 25 – Security Training and Awareness

Remember HIPAA Privacy training? Do not retire those training platforms and visual aids just yet. The Final Security Regulation also mandates Security Awareness and Training (164.308(a)(5)).

The regulation requires covered entities to implement a security awareness and training program for all members of the workforce that includes the following addressable standards:

  • Security reminders
  • Protection from malicious software
  • Log-in monitoring
  • Password management

It is important to note that these are addressable standards. What does "addressable" mean and why is it important? It allows you, the covered entity, to tailor the training content to ensure that your workforce has been made aware of the appropriate security measures and safeguards to reduce the risk of accidental or inappropriate access, uses, or disclosures of electronic protected health information (EPHI) - without compromising the security process itself.

Remember to tailor training programs to the needs of your audiences. Numerous studies have validated that, unfortunately, it is your employees and former employees who pose one of the greatest risks to the integrity of your data and security processes. Keep training on a "need to know" basis - especially when dealing with sensitive policies and procedures.

One final note: remember, "training" is an ongoing process. As threats and vulnerabilities change, so should your organization's response to the changing risk levels. Be sure your training material is updated accordingly so that you deliver the most up-to-date information.


John Yates, Principal
Phoenix Health Systems

No. 26 – Considering Organizational Attention to Safeguarding PHI

Covered entities are required by HIPAA to have policies and procedures for safeguarding protected health information (PHI) that address how PHI needs to be made private and secure. Although there are many technical methods for preventing individuals from gaining access to electronic PHI, what about all of the PHI on paper documents that exists within your organization or PHI that can be viewed or heard by casual observers?

Does your organization have adequate procedures in place to address the safeguarding of ALL PHI? Every member of your workforce should be familiar with these procedures so that they are aware of how to handle PHI in the course of doing their job. Although each organization is different and will have varying procedures, the following "good sense" practices can be used as guidelines for the safeguarding of your organization's paper PHI.

  • Bulletin Boards — if located in areas where they may be seen by patients or visitors, should not contain any documents containing PHI, unless the patient has authorized the display in accordance with the HIPAA requirements for authorizations. This includes baby pictures (even without a name or other identifying information) and cards and notes of appreciation.

  • Cleaning Personnel — whenever reasonably possible, PHI should be placed in locked containers, cabinets, or rooms before cleaning personnel enter an area. When it is not reasonably possible to lock up PHI, it should be removed from sight.

  • Computer Screens — should be positioned so that only authorized users at that workstation can read the display. When screens cannot be relocated, filters, hoods, or other devices should be employed.

  • Desks and Countertops — any documents containing PHI should be placed with identifying information face down on counters, desks, and other places where patients or visitors might see them. Wherever it is reasonably possible to do so, these documents should not be left on desks and countertops after business hours. Supervisors should take reasonable steps to provide all work areas where PHI is used in paper form with lockable storage bins, lockable desk drawers, or other means to secure PHI during periods when the area is left unattended.

  • Disposal of Paper with PHI — paper documents containing PHI should be shredded when no longer needed. If retained for a commercial shredder, they should be kept in a secure location. Documents containing PHI should never be thrown in the trash.

  • Printers and Fax Machines — should be located in secure areas, where only authorized members of the workforce can have access to documents being printed.

  • Schedules — if they contain patient names or other PHI, should not be posted in plain view.

  • Sign-in Lists — the only PHI permitted on a sign-in list is the patient's name. Lists that ask for the name of a physician, or for any medical information, may not be used.

  • Wall Pockets — documents containing PHI should be placed so that no PHI can be read. Whenever possible, opaque wall pockets should be used.

  • Workforce Vigilance — all members of the workforce should be responsible for watching for unauthorized use or disclosure of PHI, for acting to prevent such actions, and for reporting suspected breaches of privacy and security policies to their supervisor, or to the Privacy Officer.

You might find it an interesting exercise to do a walkthrough of your work environment, using the guidelines above, to see how well your organization is doing with respect to safeguarding its PHI.


David Cerny, Sr. Systems Analyst
Phoenix Health Systems



HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
