HIPAA, compliance programs fit like gloves

Erik L. Ridley
Jan 31, 2002

ATLANTA - Healthcare institutions can take advantage of existing corporate compliance programs as they work to implement Health Insurance Portability and Accountability Act (HIPAA) standards.

The two programs are a natural fit, according to a presentation Wednesday at the 2002 Healthcare Information and Management Systems Society (HIMSS) meeting.

Many healthcare facilities have implemented compliance programs to prevent, detect, and correct unwanted conduct and avoid financial loss, legal liability, and harm to their reputations, said Patricia Carter, an attorney with Minneapolis law firm Gray, Plant, Mooty & Bennett.

The U.S. Office of the Inspector General (OIG) has encouraged careful attention to such programs, which analyze operations, assess risks, and direct compliance efforts in healthcare facilities.

"Those same skills, and individuals involved in that process, will serve you well for HIPAA purposes," Carter said, listing seven core elements of an effective compliance program:

  • Written standards and procedures

  • A compliance officer

  • Training

  • Open and effective lines of communication

  • Internal audits and evaluations

  • Enforcement of standards through clear disciplinary guidelines
  • Response to offenses and correction of errors

The same steps can be applied to compliance with HIPAA's privacy and security regulations, Carter said. HIPAA demands documented policies to address all components of privacy and security, she said. A security policy should cover a high code of conduct.

A HIPAA privacy officer should be appointed, with responsibility for development and implementation of privacy policies and procedures. This person would work with the compliance officer, and could also fill that role as well, she said.

A security officer should also be appointed, tasked with overseeing security measures and the conduct of personnel regarding protection of data. The security officer should not serve as the compliance officer or privacy officer, she said.

Privacy training covering policies and procedures needs to be developed to satisfy regulations, with specific training of select employees depending on job responsibilities, she said. Security awareness training should be provided for all employees, including training on viruses and password management. As with privacy, specific security training of select employees should be given depending on job responsibilities.

All new employees should receive training, with all employees receiving training at least annually. Attendance should be documented. Information on sanctions, as well as reporting processes for noncompliance, should be disseminated, Carter said. It's a good idea to integrate privacy and security training with compliance training as well, she said.

A contact person should be designated to receive privacy complaints, and a process should be formed on how to receive, document, and respond to complaints. For HIPAA security, documented security incident procedures should be formulated. A formal mechanism should be instituted to document security incidents, and formal rules should be set up spelling out the response to security incident reports, Carter said.

While specific auditing is not required for HIPAA's privacy regulations, auditing is recommended to verify adherence to privacy policies and procedures, she said. Institutions should track disclosures, as they must account for all disclosures upon request.

Security monitoring efforts should be focused on identified risk areas. Officials should review records of system activity, but also focus review on improper access and patterns of system activity, she said.

As for disciplinary guidelines, institutions must develop and apply appropriate sanctions for noncompliance with privacy regulations. Sanctions and discipline policies and procedures for security violations should be communicated to all employees, agents, and contractors, Carter said. Background checks should be performed.

The compliance team should develop procedures to mitigate any harm from improper use or disclosure of information, and spell out formal procedures covering incident reporting and response procedures for security-related matters.

Carter said it's important to keep records, both for the compliance and HIPAA programs. These records should cover reports, responses, internal investigations, and corrective action.

While security regulations are still in proposed form, institutions must comply with HIPAA privacy regulations by April 2003, she said.

"Now is a good time to start," Carter said. "Apply lessons that you learned from the compliance program to help smooth the transition to implementation of the HIPAA privacy and security standards."

By Erik L. Ridley
AuntMinnie.com staff writer
February 1, 2002

Related Reading

HIPAA extension becomes law, January 10, 2002

A roadmap for implementing HIPAA in radiology, July 26, 2001

HHS pushes 'reasonableness' in HIPAA guidance document, July 19, 2001

RBMA president says it’s time to make HIPAA critical, June 8, 2001

NEMA offers help with privacy and security laws, April 18, 2001

Copyright © 2002 AuntMinnie.com

Latest in Practice Management
Entrance To Emergency Room At Hospital
Study finds high percentage of inappropriate imaging orders in the ED
April 29, 2024
IMV’s Oncology in Diagnostic Imaging Market Outlook Report
Sponsored
IMV’s Oncology in Diagnostic Imaging Market Outlook Report
March 15, 2024
Screenshot (1150)
Radiologists can take steps toward environmental sustainability
April 23, 2024
Breast Screening Van 400
Mobile health screening model lowers costs, promotes sustainability
April 22, 2024
Related Stories
2001 04 19 09 56 29 706
Administration
Budget monitoring reveals practice's financial health
2001 11 16 10 13 24 706
Practice Management
New diagnosis guidelines could affect your operations and reimbursement
2001 11 16 10 13 24 706
Administration
Order compliance equals payment for outpatient radiologists
IMV’s Oncology in Diagnostic Imaging Market Outlook Report
Sponsor Content
IMV’s Oncology in Diagnostic Imaging Market Outlook Report
More in Practice Management
Study finds high percentage of inappropriate imaging orders in the ED
By Erik L. Ridley
A significant percentage of imaging exams ordered in emergency departments (EDs) may be inappropriate, according to new research.
April 29, 2024
Entrance To Emergency Room At Hospital
State of the RT profession more palpable than ever
By Liz Carey
As the ASRT prepares to announce changes to its professional-entry pathways and practice standards at its June meeting in Orlando, FL, Board President Brandon Smith said the state of the field is "more palpable than ever."
April 24, 2024
Asrt Be Seen Campaign 2024
Radiologists can take steps toward environmental sustainability
By Amerigo Allegretto
Radiology departments can take proactive steps to promote environmental sustainability.
April 23, 2024
Screenshot (1150)
Mobile health screening model lowers costs, promotes sustainability
By Amerigo Allegretto
A new cancer screening service model can reduce costs and improve environmental sustainability for breast cancer screening and other screening exams.
April 22, 2024
Breast Screening Van 400
What's brewing in RT and RRA legislation, policy, and standards?
By Liz Carey
A range of federal and state legislation and other developments in the works could have a significant impact on radiologic technologists (RTs) and registered radiology assistants (RRAs).
April 22, 2024
Asrt Be Seen Campaign 2024
Pisano speaks with AuntMinnie.com on new ARPA-H leadership role
By Amerigo Allegretto
Etta Pisano, MD, spoke with AuntMinnie.com on leading the Advancing Clinical Trials Readiness initiative, part of ARPA-H.
April 18, 2024
Screenshot (1143)
AdvaMed urges Congress prioritize R&D tax credit
By AuntMinnie.com staff writers
Medical technology trade association Advanced Medical Technology Association (AdvaMed) is urging Congress to pass a tax provision to change how small businesses deduct their research and development expenses.
April 17, 2024
Us Flag
ACR lays off 11% of workforce
By Kate Madden Yee
The American College of Radiology (ACR) has reduced its workforce by 11%, according to a statement released by the organization.
April 16, 2024
Acr Logo 2023 400
MICI Q2 2024: Radiology administrators remain optimistic about growth
By Kate Madden Yee
Radiology administrators are confident that diagnostic and interventional radiology will continue to grow as a profit center, according to The MarkeTech Group's Medical Imaging Confidence Index (MICI) report for the second quarter of 2024.
April 15, 2024
Graph Arrow Up
Radiologists experience modest pay increase
By Will Morton
Radiologist have jumped up a spot in earnings among the top 10 specialists in the U.S., according to a Medscape survey.
April 12, 2024
Cash
NIH: Occupational radiation dose to RTs needs careful monitoring
By Kate Madden Yee
Occupational doses to radiologic technologists imparted by assistance with fluoroscopically-guided interventional procedures are generally low, but they do need careful monitoring, a team of National Institute of Health (NIH) researchers has found.
April 12, 2024
Radiation Logo
UltraCon: Work-related MSK disorders tied to sonographer burnout
By Amerigo Allegretto
Work-related musculoskeletal (MSK) disorders are tied to work-related burnout among sonographers, according to research highlighted April 10 at UltraCon.
April 11, 2024
Jennifer Bagley from the University of Oklahoma Health Sciences Center presents results at UltraCon suggesting that work-related musculoskeletal disorders are tied to burnout among sonographers.
Page 1 of 1166
Next Page