
Final Privacy Compliance: Still a Few Loose Ends

April 7, 2003


April 2003 has arrived and with it key milestones on each HIPAA front. This update addresses the status of each major HIPAA component, including the recently adopted final Security Rule.
A. Final Privacy Compliance: Still a Few Loose Ends
On April 14, we will celebrate with many of you the near completion of many months of hard work: setting up the HIPAA privacy compliance framework, coordinating the effort, developing numerous policies, procedures, forms, and documentation, contacting all those business associates, and training the workforce. As these efforts begin to wind down, please keep in mind the following:
Document your compliance efforts. Even if a problematic incident or other noncompliance event occurs, documentation of a comprehensive implementation effort and compliance structure will be very helpful in demonstrating your responsible, good-faith efforts.
Use care to avoid creating additional obligations. Whether you have adopted a “boilerplate” set of policies or have carefully drafted your own, remember that the language used in your policies and procedures may unintentionally commit you to obligations beyond HIPAA, and those commitments can create legal responsibilities of their own. Continue to review your new policies and procedures to assure they do not unnecessarily create requirements that go beyond what HIPAA itself demands.
Be alert for further interpretations and guidance. Evolving interpretations will come from the Office for Civil Rights (OCR) and industry sources as implementation issues and questions surface. These may lead to some fine-tuning of your new policies and procedures. Provide updates to staff as needed, and remember to update your compliance documentation.
Consider your compliance as a Business Associate. Many health care providers and health plans have affiliates or divisions that are not HIPAA covered entities but serve as business associates to the covered entity or to others. Several state agencies will be issuing business associate agreements to programs that receive state funding. Most of the HIPAA privacy requirements for covered entities also apply to business associates because of the required language in the business associate agreements (such as restrictions on uses and disclosures, minimum necessary, use of authorizations, tracking and accounting for disclosures, etc.). It may be necessary to expand your privacy compliance efforts and structures to include related business associates. Also, remember that subcontractors of business associates must also sign agreements containing similar business associate language.
Keep an eye on your state law. Implementation of HIPAA has shone a spotlight on state privacy laws. If you used “boilerplate” policies that did not address the laws of each state in which you operate, give careful consideration to any state law implications that may affect your operations. Also, remember that, like HIPAA, state law, regulations and interpretations will continue to evolve. Be alert to changes and be proactive in addressing questions or concerns.
Build HIPAA compliance into your organization’s overall compliance program. A final step in HIPAA privacy implementation should be building a program of self-audits and other compliance monitoring into your overall corporate compliance structure. Assure that ongoing responsibilities are maintained and documented including ongoing training and education; updating the Privacy Notice, forms and policies when needed; documenting HIPAA-related activities; handling complaints and incidents in coordination with risk-management; and imposing sanctions and disciplinary action when necessary to enforce privacy requirements.
Congratulations on making it to April 14, 2003! Even though you undoubtedly still have at least a few tasks left on your HIPAA privacy list, you are on your way to integrating these new requirements into your operations.
