Here’s your checklist for HIPAA compliance
Conduct risk assessment, expert advises
It’s just a matter of months until implementation of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) begins. With that in mind, access managers should follow these steps, according to Mary D. Brandt, MBA, RHIA, CHE, vice president of professional services for San Rafael, CA-based QuadraMed Corp., a provider of software solutions and consulting services for the health care industry.
1. Obtain copies of the proposed rules from the U.S. Department of Health and Human Services (HHS) comprehensive HIPAA Web site at http://aspe.os.dhhs.gov/admnsimp/. For a summary, see http://aspe.os.dhhs.gov/admnsimp/pvcsumm.htm. Look for any gaps between the regulations and your practices, Brandt suggests. The proposed security regulations require, for example, that awareness training be provided for all personnel, including management, and that periodic security reminders be issued.
2. Sign up with HHS for e-mail notification of publication of documents related to HIPAA implementation. To receive e-mail on HIPAA documents, send an e-mail message to listserv@list.nih.gov and include "Subscribe HIPAA-REGS [your name]" in the body of the message.
3. Work with other individuals in your organization to identify the right people to spearhead compliance efforts. "Most hospitals are finding that the multidisciplinary group put together for Y2K is the perfect place to start," Brandt says. "Hopefully, access managers were part of this. They certainly should be included."
4. Educate staff, physicians, and other key individuals about HIPAA. Many groups, including QuadraMed, are offering educational seminars on HIPAA, into which the hospital’s own security policies can be incorporated, Brandt says.
5. Conduct a risk assessment to identify potential risks and vulnerabilities. "It’s important to note that HIPAA at this point applies only to electronic records," Brandt says. "Records are considered to be electronic if they are maintained in the computer system, transmitted electronically, or printed to paper."
That leaves a lot of documents that are still paper-based, she adds, including progress notes and nurse’s notes at most institutions. "Most hospitals don’t have an electronic order-entry system." However, Brandt says she believes paper-based records are "more secure because they don’t have the broad accessibility that electronic records do."
Electronic records, on the other hand, "can be much more accessible," she notes. "They could be rifled through from remote access if not properly secured."
To secure records, she advises, hospitals must design their systems in the right way and evaluate their physical office areas. "Do a walk-through of the registration area. Are the computer terminals private? If I am a patient giving you information, can someone walk by in the hallway or by the desk in the emergency department and read that information? Are there private areas for conducting patient interviews, or am I sitting on a plastic chair in the middle of the admitting department while people race around me? Are unattended terminals left logged on when employees go to lunch? Do you see passwords written on ‘sticky notes’ on computers?"
6. Educate staff about security policies and enforce them. For example, Brandt says, there should be policies for assuring that passwords are kept secret and are changed often. To underscore the importance of patient confidentiality, it may be necessary to make examples of staff who ignore the policies, she advises. "When they violate policies, you may have to let some people go."
7. Assess the accuracy of the master patient index (MPI) in conjunction with hospital information management (HIM) personnel. "Depending on how recently the MPI has been cleaned up, we typically see a 10% to 15% error rate," Brandt says. "We see duplicates, where one patient has more than one [medical record] number, and what we call ‘overlays,’ where more than one patient has the same number. That’s usually with patients who have the same name and a similar birth date." In such cases, she adds, hospitals could be "mixing records together. It’s a serious problem for patient care, and it’s a confidentiality breach."
If the MPI has a million entries, and those of large hospitals do, a 10% to 15% error rate means 100,000 to 150,000 errors, Brandt points out. "You have to clean those up in the database, but you also have to physically combine those records. Those are major projects, and most hospitals don’t have the internal resources to do them."
Brandt suggests that access managers and HIM managers work together to assess the accuracy, and then get help from reputable vendors.
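A first-pass audit for the two MPI error types Brandt describes can be scripted against a registration extract. The sketch below is an added example, not code from the article or from QuadraMed; the row layout, the sample rows and the flagged-share measure are assumptions, and matching is exact after normalization, so every hit is a candidate for manual review rather than a confirmed error.

```python
from collections import defaultdict
from datetime import date

# Constructed sample registration rows: (mrn, last, first, date of birth).
SAMPLE_ROWS = [
    ("100001", "Garcia", "Maria", date(1961, 4, 12)),
    ("100002", "GARCIA ", "maria", date(1961, 4, 12)),   # same person, second MRN
    ("100003", "Nguyen", "Tom", date(1975, 9, 3)),
    ("100004", "Smith", "John", date(1950, 1, 5)),
    ("100004", "Smith", "John", date(1950, 1, 15)),      # second patient under one MRN
    ("100005", "Okafor", "Ada", date(1988, 7, 30)),
    ("100005", "Okafor", "Ada", date(1988, 7, 30)),      # repeat visit, not an error
]

def identity(last, first, dob):
    """Normalize case and whitespace so trivial typing differences still match."""
    return (last.strip().lower(), first.strip().lower(), dob)

def audit_mpi(rows):
    """Return (duplicates, overlays) as dicts of candidates for manual review."""
    mrns_by_identity = defaultdict(set)
    identities_by_mrn = defaultdict(set)
    for mrn, last, first, dob in rows:
        ident = identity(last, first, dob)
        mrns_by_identity[ident].add(mrn)
        identities_by_mrn[mrn].add(ident)
    # Duplicate: one patient identity carries more than one number.
    duplicates = {i: sorted(m) for i, m in mrns_by_identity.items() if len(m) > 1}
    # Overlay: one number carries more than one patient identity.
    overlays = {m: sorted(i) for m, i in identities_by_mrn.items() if len(i) > 1}
    return duplicates, overlays

def flagged_share(rows):
    """Share of distinct MRNs that appear in any candidate (assumed measure)."""
    duplicates, overlays = audit_mpi(rows)
    flagged = set(overlays)
    for mrns in duplicates.values():
        flagged.update(mrns)
    total = {mrn for mrn, *_ in rows}
    return len(flagged) / len(total)

if __name__ == "__main__":
    dups, ovs = audit_mpi(SAMPLE_ROWS)
    print("duplicate candidates:", dups)
    print("overlay candidates:", ovs)
    print(f"flagged share of MRNs: {flagged_share(SAMPLE_ROWS):.0%}")
```

Because the extract and the audit output both contain patient identifiers, they need the same access controls as the MPI itself.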
[Editor’s note: For more on QuadraMed, call (800) 393-0278 or visit the company’s Web site at www.quadramed.com.]