January/February 2003


HIPAA Smarts

By Corrine P. Parver, JD, PT



You are a health care provider, a rehab manager, or an owner or CEO of a rehabilitation health care company. You finally can say you have a functioning Health Insurance Portability and Accountability Act (HIPAA) compliance program in place at your facility. In designing the compliance program, you followed the criteria announced in the seven elements of the US Department of Justice’s Federal Sentencing Guidelines. You understand that, as a “Covered Entity” under the HIPAA regulations, your health care company must develop written, company-wide policies and procedures that articulate a commitment to prevent unwarranted uses and disclosures of protected health information (PHI).

Your HIPAA compliance program’s development was genuinely supported by your company’s Board of Directors, who provided sufficient funding authority for program design and implementation. You did as much work as you could in-house, used outside consultants such as security and computer experts, and legal counsel where appropriate and necessary, and appointed a credible HIPAA Privacy Officer to oversee the ongoing program. You are still visible and involved in staff orientation, education, and training, and the staff appears to have bought into the HIPAA compliance program. However, you are now wondering whether all the time, money, and effort are really making a difference in preventing unwarranted uses and disclosures of PHI, and in assuring the HIPAA compliance status of your business.

Given the effort necessary to implement an effective HIPAA compliance program, it is natural to expect that a sense of well-being will result once such a program is in place. But reports on the number of calls regarding PHI that your company’s Privacy Officer is addressing and the amounts of unauthorized uses and disclosures of PHI are not satisfying your need for reassurance. Further, you are uneasy about the lack of guidance on how else to evaluate your compliance program’s effectiveness. So, the question now becomes: What steps must you take next to ensure the effectiveness of your company’s HIPAA compliance efforts?

THE SEVEN COMPLIANCE ELEMENTS

HIPAA compliance programs generally are built around the following seven elements, as described in the Sentencing Guidelines:

  • written policies and procedures relating to the privacy of PHI, including “standards of conduct” and a Code of Ethics;
  • designation of a Privacy Officer responsible for operating and monitoring the compliance program;
  • regular employee education and training programs;
  • a reporting mechanism to receive complaints anonymously;
  • corrective action and disciplinary policies to respond to allegations of noncompliance;
  • periodic audits to monitor compliance; and
  • investigation and correction of identified systemic problems.


Compliance structures that do not reflect every element may be fatally flawed. Taking each element separately, then: the Privacy Officer serves as the focal point for compliance activities. He or she is responsible for implementing and operating the compliance program, handling complaints, overseeing investigations and problem resolution, and reporting to the chief executive and governing body. A routine training regime allows companies to communicate their compliance standards and procedures to all employees and other agents. Anonymous reporting procedures, such as hot lines, are desirable, especially where a confidential reporting mechanism encourages compliance activities. These procedures should be supplemented with more personal avenues for reporting and discussing potential problems involving nonallowed uses and disclosures of PHI.

Appropriate disciplinary mechanisms and a written policy statement setting forth the degrees of disciplinary actions that may be imposed for various infractions are essential. If credible evidence of misconduct is given from any source, a reasonable inquiry should be made. Where justified, misconduct should be reported to the appropriate governmental authorities. Auditing and monitoring should be both integrated into the program and periodically supplemented by outsourced reviews. These audits can be a basis for measuring a compliance program’s effectiveness.

The operation of a HIPAA compliance plan should be viewed in the context of a “hub and spoke” wheel (see Figure 1). At the center or hub sit the Privacy Officer and Privacy Task Force. At the top of the wheel are the policies and procedures, which perform the following functions: assert control over the company’s actions, provide direction, serve as planning guides, and assist with resource allocation. The HIPAA compliance program should both assure compliance with these policies and procedures, and keep them up-to-date.

Next and clockwise around the wheel are the education components for the policies and procedures, supported from the hub by the spokes of employee access to the Privacy Officer and Privacy Task Force, and their facilitation of and participation in the training. Program auditing and monitoring then follow. Internal monitoring can include peer review and self-assessments, ongoing policy and procedure implementation, new information integration, and updating. External reviews focus on legal, security, and computer audits.

The bottom of the wheel finds the planned, routine activity necessary to integrate HIPAA policies and procedures into the daily job functions of the affected departments, right down to an individual’s job functions. The supporting spoke includes the capacity for feedback to the Privacy Officer and anonymous complaints. This feedback leads to ongoing self-assessment and opportunities to integrate new information from regulators into the individual’s or department’s job functions. This activity can be built into department meetings or job function reviews, and should generate written compliance reports and recommendations for policy or procedure revisions and updates. The company then can use its review body, generally the Privacy Task Force, to both evaluate the recommendations and authorize the appropriate revisions and updates.

MEASURING METHODS

Effectiveness can be viewed in several ways: penalty avoidance; regulation compliance enhancement; and system activity, including training, reporting, problem correction, and disciplinary actions.

Penalty avoidance effectiveness considers government representations that an effective compliance program will minimize the extent of the penalties and sanctions that apply in cases where the HIPAA regulations are violated. Penalties are severe. The HIPAA regulations set forth fines of $100 for each violation, with a cap of $25,000 per year for violations of the same type. If the Department of Health and Human Services (HHS) determines that your company did not know of or could not reasonably be expected to discover the violation, it should not be able to impose any fines on the company as a covered entity. Violations determined to be willful or intentional can result in fines of between $50,000 and $250,000, and 1-year to 10-year prison sentences.

An effective HIPAA compliance program increases the company’s awareness of privacy risk areas, and provides ways to minimize those risks. To achieve the requisite level of risk area awareness and compliance, the seven elements must function as intended, beyond a mere “paper representation” of the program. A HIPAA compliance program can be considered effective to the extent that training is occurring, auditing and monitoring are being done, reports are being generated, the hot line or other communications method is in place, complaints and tips are investigated, and corrective and disciplinary actions are undertaken. More than just the activity is necessary: positive outcomes must be demonstrated.

Several methods exist to measure HIPAA compliance program effectiveness. Each method has its strengths and weaknesses.

The “system checking” method regards the compliance program as an operating system or machine. To the extent that each part is functioning, the system can be considered to be working and effective. Effectiveness measures used here are generally structural and empirical. For example, presume that, under the program element for training, the plan calls for quarterly training sessions and 100% attendance by affected employees by the end of the first year. Checking to assure that the training sessions were indeed held as scheduled, and attendance levels were achieved, would be one measure of the effectiveness of meeting implementation goals. Other system checking examples include: setting up a reporting system and hot line on schedule; maintaining operating hot-line hours and logging calls; tracking the number of reported incidents of PHI uses and disclosures and corrective actions; achieving written policies and procedures for the designated departments; and conducting audits as scheduled. The problem with relying on the system checking method as the sole measure of effectiveness is that it only monitors activity. System checking is necessary, but not an end in itself.

The “feedback” method relies on building self-verification activities into the compliance program as a means to enhance the company’s culture of compliance. This method pushes responsibility for compliance activity and policy and procedure evaluation down to the individuals involved in high-risk activities. Effectiveness is achieved through: continual self-assessments; group interaction; company-supported, employee access to regulators and information sources; routine interactions with the Privacy Officer and Privacy Task Force by those persons who are responsible for achieving compliance in their job functions; and fluid, responsive policy and procedure updating.

This method is intended to be proactive, using the company’s full resources to monitor changes in pertinent health care regulations and requirements. By requiring the end-users to serve also as monitoring agents, early detection helps the company to implement changes and adjustments prior to the occurrence of noncompliant actions. This method should produce a stream of documentation indicating that the monitoring activities, self-assessments, and recommendations for policy and procedure revision are occurring.

One major downside to this method is the intense level of commitment on the part of management and affected employees that is necessary to make it work. Maintaining an open, ongoing, critical self-assessment system is time- and resource-intensive. Conducting regular meetings and reports means the company will incur a certain level of nonproductive time costs, as well as training and monitoring expenses. Additionally, the discovery of problems in a manner where confidentiality may be compromised is more likely—a potentially negative factor in subsequent investigations and corrective actions.

The “audit and outcomes” method relies on testing and evaluation of objective standards to determine HIPAA compliance effectiveness. Here, the company establishes a baseline of the original privacy compliance status in selected areas. Common areas measured include: PHI use and disclosure procedures; business associate relationships; other legal relationships; and privacy/confidentiality awareness, either as a general measure of the company’s culture or as a check on the efficacy of the training program. Subsequent benchmarking is accomplished through follow-up surveys and audit, and any improvement noted as a measure of effectiveness.

Meaningful audits require the selection of the appropriate standards for the areas that are measured. Determining what to measure is often more important than quantifying the measurement. For example, measuring a 10% decrease in the amount of unwarranted uses or disclosures of PHI may be misleading, if the overall ratio masks an activity increase in specific, high-risk areas. Management is susceptible to inadvertent manipulation when relying on reports that provide only aggregate measures of compliance, based on general standards. Other problems with audits include their retrospective viewpoint and the company’s diminished control and expense when conducted by outside auditors.

The “purpose” method considers the audience receiving the evidence of program effectiveness. Different audiences have different expectations and standards for effectiveness, implying that different methods and measures will be required. Potential PHI privacy audiences include: law enforcement, including the Office of Civil Rights (OCR), the Department of Justice, and state Attorneys General; other regulators; and company Boards of Directors. Standards by which compliance plan effectiveness will be measured can, for example, focus on management’s commitment and efforts to implement a compliance program, as evidenced by program funding and support provided to the Privacy Officer, among other criteria. Management and Boards of Directors might be more interested in measures of cost-effectiveness of program implementation, and the “bottom-line” avoidance of fines and penalties.

To match this effectiveness measure to the right audience, a company should start with three questions: who is asking for the proof of effectiveness, what are the standards or questions that the audience wants met or answered, and is the system gathering and presenting the information to meet those tests? Invariably, it is better to ask these questions sufficiently in advance of when delivery of the effectiveness proof is required, and avoid collecting data and documentation that do not meet the reviewer’s expectations.

TIPS FOR SUCCESS

No single method should be used as the only method for proving a HIPAA compliance plan’s effectiveness. Companies should consider several key components, including: the various audiences that will want effectiveness proof; whether the company is meeting its internal implementation and reporting schedules; how involved personnel are in identifying and keeping the organization abreast of new developments and emerging risk areas; and the capacity to gather and present information in a meaningful way. Toward that end, here are several pointers for designing effectiveness measures:

  • Keep documentation for the following areas: hot-line logs; audit reports; corrective and disciplinary actions; policy reviews and updates; training logs; and comprehension tests.
  • Summarize this documentation for the company’s Board of Directors in an Annual Report.
  • Keep a “Proof of Plan” book, documenting implementation and operations.
  • Conduct proactive reviews of the following: self-identified risk areas; integration of new regulations and policy and procedure changes; new personnel, including training comprehension; evidence of increased activity in unwarranted uses and disclosures of PHI.
  • Conduct reactive reviews and audits on risk areas drawn from: news reports, OCR Bulletins, and previously identified risk areas.
  • Encourage communication between departments on compliance issues, as the activity of one department can affect the compliance capacity of a different department.
  • Encourage the Privacy Officer to keep employees and management actively involved in the compliance program.

Other important tips include the following:

  • Obtain copies of the final and proposed rules from HHS’ HIPAA Web site. Identify gaps between your current practices and these rules.
  • Sign up for email notification of documents related to HIPAA standards to keep current on the latest developments.
  • Identify key individuals in your organization to spearhead compliance efforts. Be sure to include senior management for top-down support.
  • Educate your Board, staff, physicians, therapists, and other key constituents about HIPAA.
  • Inventory the electronic PHI your organization maintains, including information kept on personal computers, on other electronic devices, and in research databases.
  • Evaluate potential risks and vulnerabilities to this PHI, including the possibility of outside attacks. Develop a tactical plan to address the identified risks, placing highest priority on the areas of greatest vulnerability.
  • Collect existing security policies regarding PHI and evaluate them to see if they are current and consistent, and provide adequate protections.
  • Identify policies you still need to develop and assign responsibility to appropriate individuals to draft those policies.
  • Educate staff about your security policies and enforce them. Establish a confidential reporting system, so employees can report security breaches without fear of repercussions. Impose sanctions for violations. Be prepared to deal with system disruptions or data corruption that may result from security violations.
  • Evaluate current billing systems to see if the standards outlined in the required HIPAA transaction standards are being used.
  • Compare your company’s current procedures for disclosing PHI with the government’s final HIPAA privacy standards.
  • Review all “Business Associate” agreements to assure they will be HIPAA compliant.


Finally, make sure that your company’s approach is both flexible and reasonable.

Corrine P. Parver, JD, PT, is a partner in the Health Law Services Practice of Dickstein Shapiro Morin & Oshinsky LLP, Washington, DC. She may be reached at (202) 775-4728 or ParverC@dsmo.com. Michael J. DeCarlo, Esq, formerly Counsel to the law firm, assisted in the preparation of this article.

Copyright © 2012 Allied Media | Rehab Management | All Rights Reserved.