HIPAA Q&A
[Editor’s note: This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA). If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: [email protected].]
Question: Do policies related to HIPAA compliance have to be kept in a separate policy book?
Answer: No, the HIPAA policies do not need to be in a separate book, says Robert W. Markette Jr., an Indianapolis attorney. The HIPAA documentation standards simply require the provider to document the policies and procedures in written or electronic form, he says.
"If a provider wants to make the HIPAA policies and procedures part of a larger policy manual, that is acceptable," Markette explains. As with the rest of the procedures, it is a good idea to have the manual thoroughly indexed and cross-referenced, he says.
The security rule does require the covered entity to make the security documentation available to those who are responsible for implementing the procedures in it, Markette points out.
Whether you have these policies in a larger manual or a HIPAA-specific manual, providers should be fine as long as they are easily accessible, he says.
Question: What physical safeguards are necessary to comply with the HIPAA security rule?
Answer: As with the rest of the security rule, physical safeguards need to be complex enough to reduce "reasonably anticipated risks" to a "reasonable and appropriate" level, Markette says.
For surgery centers, facility security is a large concern, he adds. Locked doors to rooms with computers that can give access to electronic protected health information (PHI) are essential for times that the surgery center is closed, he says. Physical safeguards also must be taken during normal business hours, Markette says.
"The surgery center manager may determine that a formal access control policy is needed in order to keep track of individuals in the building," he says. A simple policy would include signing in and having guests wear badges, Markette suggests.
If a surgery center has a small number of staff on the surgery center’s computers, and these staff members and their computers are not visible or easily accessible from areas where patients and their visitors are located, the center might rely on an even more informal policy where guests sign in and are allowed to proceed to the appropriate room unescorted, he says.
"This less formal policy approach relies upon staff recognizing when nonemployees were in areas they shouldn’t be and taking time to escort them out of unauthorized areas," Markette adds.
Question: How can PHI be used in credentialing and peer-review activities without violating any of the HIPAA privacy rules?
Answer: Credentialing and peer review are acceptable uses of PHI, Markette explains.
"Because a same-day surgery program is required to have minutes and records of the credentialing and peer-review process and PHI is part of the process, the inclusion of PHI in the minutes or records is allowed," he says. "The key to HIPAA compliance in this case is to secure the minutes and the documentation in a manner that only allows access to those people who need the information."
For example, the individual in charge of credentialing and peer review can be designated as responsible for ensuring the documentation is secured, Markette suggests. Surgery centers might consider removing PHI from the records, but depending upon the requirements of the peer review and credentialing standards, that may render the documentation useless from a compliance standpoint, he points out.
The short answer to this question is that a same-day surgery program should secure the minutes in the same manner that other forms of PHI are secured, Markette says.
"If these minutes are part of a regular board meeting or other meeting, the full minutes could have the peer-review portion removed with a reference that information was removed for HIPAA purposes," he suggests. This removal will eliminate the concern that some individual who needs to review the rest of the meeting minutes will also see the PHI contained in the minutes, says Markette. "At the same time, this process also ensures that the peer-review portion is available in order to prove compliance with peer-review and credentialing requirements," he adds.