[ Wednesday, September 17, 2003 ]
A few checklists:
I’ve been catching up on some old HIPAA reading and have come across a handful of recent articles that had “checklists” or quick bullet point lists that I think could be pretty useful. In no particular order:
Five easy steps to identify HIPAA security risks (from Medical NewsWire):
1. Do both risk assessment and risk analysis, but recognize the difference. An assessment looks for vulnerabilities in your system; an analysis looks for risks, that is, the threats that could exploit those vulnerabilities and the likelihood and impact if they did. Think of these as the active and passive types of trouble you might have, the yin and yang of security trouble.
2. Assign one person to be ultimately responsible for HIPAA security issues, but give them help, responsibility and authority.
3. Scale your threat level: high, moderate, or low. Where each risk comes out depends on your analysis and your assessment. What you do about it will depend on the same kind of scaling applied to the cost of fixing the problem and the likelihood and extent of the damage if you don't.
4. Keep a good documentary record of your efforts. Recordkeeping is half of HIPAA compliance. Plus, if you're writing it down, it makes it more likely that you'll do what you ought to.
5. Go little by little, but get started now. It's a journey of a thousand miles, but you can get there if you get started and keep going. Don't be daunted.
Three steps to better Psychotherapy Notes (from Medical NewsWire):
As you know, if you keep psychotherapy notes, you don't need to provide them to the patient; that is one of the few exceptions to the patient's right of access to his or her medical records. But what if the patient demands the notes anyway? You might still want to provide them, to placate the patient or keep him from suing you. Here are three steps you can take:
1. Don’t write down anything you don’t want the patient to see. How helpful are these notes anyway?
2. If the patient asks for the notes, find out what the patient really wants. You might be able to give the patient what he wants without having to give up your notes.
3. Offer a summary of your notes. The notes may be illegible or not easily understandable, so you might want to offer a summary so you can keep private what the patient really shouldn’t see.
If you deal with psychotherapy notes, keep in mind that you need patient authorization for most disclosures of psychotherapy notes.
Six steps to compliance with business associate requirements (also Medical NewsWire):
1. Know your business associates. Figure out what they are, then figure out who they are.
2. Know what the deadlines are.
3. Consider language and form. You may want more or less than what is in the form promulgated by HHS.
4. Set a timeframe for your BAs so they give you the information you need within the time frame you need to give it to someone else. For example, you must respond to certain access requests within 30 days; make sure your BA responds in 20 days.
5. Be prepared to pay more. Having to renegotiate, and putting more burdens on your BA, will make them want to charge you more. If you pay more, though, get your money’s worth: make them agree to an indemnification in exchange for a price hike.
6. Have an exit strategy. Always have other options for business associates if possible. It really helps your negotiating position.
Organizational Tips for safeguarding your PHI:
1. Bulletin boards: If they’re where patients can see them, make sure there’s no PHI there, or get patient authorizations. This includes baby picture boards.
2. Cleaning personnel: If you can, keep PHI out of sight of cleaning people. Better yet, put it in a locked cabinet.
3. Computer screens: Turn them so nobody can see them, or install screen filters to block the view of them.
4. Desks and countertops: Don't keep PHI on top of desks or countertops if you can avoid it. If you can't avoid it, turn the files face down.
5. Disposal of paper with PHI: Shred it. If you don’t do it on site, make sure it is secure when transported to the shredder.
6. Printers and fax machines: Keep them in a secure area, where only appropriate staff can access them.
7. Schedules: Don’t place them in plain view if they have patient names or other PHI.
8. Sign-in lists: Don't put anything more than the patient's name on a sign-in list. Clearly don't put the diagnosis there, but also don't put the doctor's name, since it can reveal what kind of treatment the patient is there for.
9. Wall pockets: Use opaque wall chart-holders if available. If not, put the charts in the wall pocket so that the name and information is turned away from the view of anyone passing by.
10. Workforce Vigilance: all workforce members should watch out for unauthorized uses and disclosures, act to prevent them, and notify the security officer and privacy officer.
HIPAA Security and Privacy overlap areas
1. Appropriate and reasonable safeguards to protect PHI.
2. Mapping PHI dataflow, so you know where the information goes. You can’t do either privacy or security if you don’t know how the information travels.
3. Protecting the appropriate data. You don't need to protect all data, just PHI under the Privacy Rule and ePHI under the Security Rule. Limited Data Sets, de-identified information, and other methods of limiting information can reduce what needs to be protected.
4. Access control: user based, context based, role based, or encryption. Role-based access is required by the Privacy Rule, and the remainder may be part of the Security Rule.
5. Business Associate Agreements.
6. Accountability: a specific person must be accountable for privacy and security (the privacy officer and the security officer).
7. Training and awareness of employees and others.
Three specific overlaps:
1. Privacy requires reasonable safeguards of PHI; Security requires a contingency plan, regular audits, information integrity, formal process for terminating an employee, control of media, control of physical entry into a CE’s office, proper functions and locations of workstations, change control procedures, incident response procedures, and the protection of PHI sent over the internet.
2. Privacy requires reasonable steps to enforce minimum necessary requirements; Security requires the development and implementation of security policies that enforce appropriate access controls and audit the use and disclosure of PHI.
3. Privacy says individuals have the right to an accounting of disclosures; Security requires the CE to develop policies and procedures to track and log the use and disclosure of PHI.
Just some food for thought.
Jeff [9:52 AM]