At a recent HIPAA seminar, the Office of Civil Rights (OCR) identified that they are evaluating HIPAA audit models. The present model requests certain records, reviews, cites errors/omissions and calls for corrective action. Privacy and security of Protected Health Information (PHI) is of primary concern especially in light of social media and mandated Electronic Medical Record creation in healthcare.
Presently, organizations are reviewing their privacy and security programs. How compliant are your Compliance and HIPAA programs? Perhaps you should conduct a gap analysis.
To conduct a review and analysis of your agency’s compliance program, you must know whether your program covers the required elements:
- Complete written policies and procedures
- Designation of a Corporate Compliance Officer
- A training and education program regarding confidentiality, commitment to preventing fraud and abuse, and other elements of compliance
- Communication lines to the Corporate Compliance Officer
- Identification of compliance risk areas and a plan to mitigate risk
- Responding to non-compliance issues
- Policy of non-intimidation and non-retaliation against employees who identify non-compliance
- Disciplinary policies regarding non-compliant behavior
Consider having employees re-sign the organization’s privacy policies annually. This act can serve as a reminder of the importance of privacy and confidentiality in the organization. Identify who will conduct regular internal audits. Conduct this present review and analysis as if it were a surveyor visit, only this time, you get to be the surveyor.
Audit the HIPAA Program
As part of the compliance audit process, be certain to evaluate the HIPAA program. Are there plan objectives? Is an audit and monitoring system in place? Who has the responsibility for completion? Identify the audit checklist. Is it inclusive? Is there a documentation process to record findings?
Are there annual goals to improve privacy and security in the organization? How are audit findings reviewed? How does follow-up occur?
The following checklist should be considered a guideline (not necessarily all-inclusive) and would require application to each agency’s individual circumstances.
- Is the Compliance plan, particularly the HIPAA portion, in compliance with the HIPAA Security Rule? Has an assessment been conducted regarding environmental/operational impact on PHI?
- Can the organization identify how it protects access to information? Is there a policy regarding access to PHI and “need to know”?
- Can patients obtain their information in a timely manner? Can information be provided in electronic format, as required by HITECH? Has a security risk analysis been conducted?
- Have security measures been implemented to reduce the risk? What are those measures?
- Have the Compliance, Privacy, and Security risk analyses available for an OCR audit or questions from an accrediting surveyor.
- At the very least, for privacy, look at the following:
  - Can patients/guests view PHI? See computer screens? Is there any place on the premises where PHI is readily available?
  - Is PHI posted on wall boards where those who have “no need to know” have access to the information?
  - Is PHI left on desks? Are computer screens left on when the user steps away?
  - Are recycling bins used? Is there a BAA with that recycling vendor?
  - Are all BAAs in place with all vendors and in compliance with HIPAA/HITECH?
  - Is PHI faxed? Is there a confidentiality/disclosure statement on each fax cover sheet?
  - Does the online system require tiered (level-based) logins?
  - Are screen savers activated after a short period of inactivity?
  - Are emails used with PHI? Are the emails encrypted?
  - Are phone calls used to give and receive PHI? How are the individuals receiving or giving information identified and confirmed?
  - Can each employee identify when PHI enters their area of responsibility?
  - Who handles PHI? Where is it stored? What is the backup process? What is the length of storage? Is it secure? How do you know it is secure?
  - Have all employees been trained in privacy? Has security training at the specific employee level been conducted? Is compliance training mandatory? Is it conducted annually?
  - Is there a protocol for new employees? Is there a protocol regarding confidentiality upon employee departure?
  - Are BAAs in place holding contractors accountable for PHI protection? Have you seen their policies, procedures, and processes?
  - Are reports created that contain confidential information? Are they circulated only to those with “need to know”?
  - Have the reports been reviewed to reduce the amount of sensitive information, if possible? Could de-identified information be substituted?
  - Is transmission of report information secure?
  - Is there a written policy to protect PHI? Are there policies regarding computer screens in view with PHI? Are there policies regarding passwords?
  - Are there policies regarding storage of data and how backup tapes and storage devices are accounted for and monitored?
  - Has every station been evaluated as to protection of PHI, and the visibility and accessibility of information to those who do not have clearance for that station?
  - How are smartphones used? Are they ever used to capture pictures of patient wounds?
- Technical security:
  - Does the technical team periodically verify that the technological security is in place and working appropriately? Can the technical team identify if an unauthorized user has accessed PHI? What safeguards are in place to protect against unauthorized access?
  - Is technology in place to verify the identity of users?
  - Are passwords and IDs routinely changed per a schedule?
OCR Investigations and Review
If you have a breach that triggers an investigation by OCR, be certain to respond promptly as to what happened, how it happened, what was done to mitigate the outcome, and what has been implemented to prevent a future occurrence. Be certain to identify the fact that you have a full Compliance Program in place. Identify that all employees receive routine education regarding Compliance and HIPAA.
If documents are requested, your counsel may request confidentiality for those documents being sent to OCR. Create and maintain a log of events, complete with dates, times, and people involved, throughout the entire investigation process. Save all electronic documents. Keep statements by all employees involved in the incident and the investigation. Obtain counsel’s advice about phone conversations with OCR, since written correspondence maintains an investigation trail.
Focus on internal compliance. If there is a HIPAA breach, there must be remediation/education regarding the process and the prevention of a recurrence.
- Keep your plan objectives current.
- Identify who is responsible for the audits and establish times and how findings will be transmitted.
- Have corrective action plans in place.
- Include documentation of audits, results, and remediation/corrective action/education.
- Report findings to the BOD, leadership, and counsel.
- If there is an OCR audit/investigation have a team established to quickly respond, pull data, analyze, and report.
- Have an ongoing risk analysis performed as specified by policy. Be certain the risk analysis encompasses the technical requirements of the Security Rule.
- Be certain the Risk Analysis is well documented. Be certain the plan for mitigation of any adverse findings is in place.
The clinical documentation rule, “if it wasn’t documented, you did not do it,” applies here as well. Document each step of the plan. If ever there is an audit, the fact that a full compliance plan is in place in your agency, including a HIPAA Privacy and Security review, can speak volumes about you and your organization.