*** Developing Organizational Privacy Policies? Don't Forget Security! Part II ***
So, your privacy and security teams are getting ready to develop or update your organization's policies on the privacy rule for "minimum necessary"? You need to remember that protected access to health information REQUIRES security. Although your Information Systems staff will need to make the necessary changes to enforce minimum necessary through system access, they should not be the only ones involved in decisions about what needs to change.

Other areas, such as Human Resources, Patient Accounting, Medical Records and management should be involved in these important decisions. Many departments may find they need to change job codes, alter roles and functions, and re-establish computer access needs. Once these roles and accesses have been decided, your IS department should determine if there will be any undesirable impacts on system functionality due to the altered plans for system access. Creating a situation where your users are no longer able to access the information they need to perform their jobs is certainly not what is intended by the "minimum necessary" rule!

You may also need to redesign how system access in your organization is requested, established and changed. Overall responsibility for ensuring the employee has the access necessary to perform their duties should be determined by a governing authority or management.

Will your departmental managers be given the authority to determine what access their staff receives?
Will you need to reassign certain tasks or create special job codes?

As you begin this enormous task, be sure to understand your operational processes, establish a multi-department task force to determine changes, and consider how your system access modifications will affect all of the involved parties.

