Privacy experts: Don’t wait for final rules, act now
Privacy experts: Don’t wait for final rules, act now
If you’re not thinking about and planning for new patient medical record confidentiality legislation, you should be, privacy experts say.
"Institutions need to have policies in place and need to begin thinking about this issue," says privacy expert Bob Gelman of Gelman & Associates in Washington, DC. "Much of what a health care institutions will need to do is pretty clear and a fair amount of it can be done — or at least started — right now. They’re going to have to do it one way or the other eventually."
That’s because Congress is working hard on a set of privacy laws that must be passed by Aug. 21 or the Department of Health and Human Services (HHS) will establish its own set of privacy regulations next year.
"Most health care institutions don’t have adequate privacy policies," says Gelman. "They don’t understand what kind of records they have, where the information comes from, or where it goes." They often do not have clear rules for regulating its use internally and its disclosure, he adds. "All of these things will be required in some fashion by the legislation or regulations."
Sandra Fuller of the Chicago-based American Health Information Management Association (AHIMA) points out that her organization has drawn up just such a list that it is urging providers to review. According to AHIMA’s "HIPAA Checklist" the first thing providers should do is assign responsibility for tracking the progress of regulations as they develop. AHIMA also recommends these steps:
Plan internal educational programs to describe HIPAA requirements to those responsible for implementing the changes. Perform a gap analysis of existing policies and procedures compared to the requirements of the proposed standards. Become familiar with the Notice of Proposed Rule Making for the employer identifier number. Become familiar with information security standards and standards development organizations. Discuss the proposed requirements with current vendors who may be supporting your organization’s information systems.Doug Peticord, a health care information expert with Washington (DC) Health Advocates, reports that one new feature just added to the Senate’s privacy bill is the requirement for an Information Protection Officer. "This would mean that every hospital and provider group would have to designate a person with the authority and obligation to establish and maintain safeguards over the confidentiality of patient information," he says.
"I think it is a good idea for every institution to have somebody assume this role right now if they have not already done so," adds Peticord. "Even if this concept gets dropped from the bill itself, it is a step that makes a lot of sense."
Also, the security requirements providers will have to live by have already been outlined under the Health Insurance Portability and Accountability Act of 1996 regulations published as a proposed rule, says Gelman. "Institutions don’t have to wait for that to become final because those regulations are probably not going to be much different than the draft regulations," he says. "That is where a lot of time and effort and money will be required."
"It is not just a matter of protecting your patients; it’s also [a matter of] protecting yourself," warns Gelman. "Stories about health privacy violations find themselves on the front-page of the local newspaper and it is only a matter of time before institutions get caught or sued — or both."
For AHIMA’s complete "HIPAA Checklist," go to www.ahima.org/publications/2a/pract.brief.499.html.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.