The compliance date of April 14,
2003 for the HIPAA (Health Insurance Portability &
Accountability Act of 1996) Privacy Rule is fast approaching for
O&P businesses. Are you ready to comply?
What is Required of an O&P Organization?
The following items would be required for an O&P
organization that has been identified as a covered entity to be in
compliance with the Privacy Rule.
- Designate a Privacy Officer
- Designate a contact person
- Outline a sanction policy
- Document your complaint process
- Determine if any state laws preempt the HIPAA Privacy
- Document your accounting of disclosure procedures
- Develop the following mandatory forms and documents: Notice of
Privacy Practice, Authorization Form and Business Associate
- Provide training to all of your staff that come in contact with
protected health information (PHI) on your policies and
- Reasonably safeguard PHI from any intentional or
unintentional use or disclosure
How To Prepare Your Organization For Privacy Compliance
There are numerous experts and sources that outline the steps
for your organization to take in preparation for privacy
compliance. The following steps seem to be a consistent theme with
Step 1 – Study the final Privacy Rule.
Become familiar with the final Privacy Rule. Make sure that you
have looked at any amendments that the Department of Health and
Human Services (DHHS) or the Office of Civil Rights (OCR) has
issued as well. For a copy of the Privacy Rule and latest updates
Step 2 – Designate a Privacy Officer.
The privacy officer will be responsible for creating a
comprehensive compliance plan, developing policies and procedures,
administering education and training programs, maintaining and
documenting the policies and procedures for compliance with the
HIPAA regulations, and monitoring ongoing compliance. This person
will be responsible for all HIPAA initiatives within your
Step 3 – Start a HIPAA awareness program for top-level
Your privacy officer should develop a program to help the
top-level management get a better understanding of HIPAA Privacy
and its importance within the organization.
Step 4 – Organize a HIPAA compliance task force within
Ideally, a HIPAA compliance task force should be created to
include representatives from each component of your health care
system such as hospitals, clinics, physician practices, and
departments such as HR, administrative, IT, and health care
professionals. The privacy officer should lead the HIPAA compliance
task force in addition to their required duties defined by the
Step 5 – Perform a “gap analysis.”
Have each department assess where they currently are in respect
to the final Privacy Rule regulations versus where they need to be.
The difference between their current practices and what their
practices should be is considered the gap. Examine how your
organization uses and discloses protected health information, and
then track and document existing flow of protected health
information inside and outside the organization. Determine the
inputs, roles, and outputs along with the type of information they
have access to. Examine each database in the organization to
determine what protected health information you maintain, and
identify business associates as well.
Step 6 – Develop a HIPAA Compliance Plan.
Based on the gap assessment, create a HIPAA Compliance Plan
detailing completion dates and responsible individuals. Your HIPAA
task force should review the plan and endorse it before it is
executed. The task force must also publicly express that the
privacy officer has the authority to require individuals to
complete their assigned tasks.
Step 7 – Define a HIPAA budget.
The privacy officer should define a budget for your HIPAA
Privacy initiatives based on the approved Compliance Plan.
Create an estimated total budget and a 6-12 month detailed budget.
The budget should be presented to the executive management for
Step 8 – Review state statutes.
Work with your legal counsel to determine if any state laws
supersede or conflict with the HIPAA regulations. You can visit http://cms.hhs.gov/hipaa/hipaa1/default.asp for
a link to some state statute databases.
Step 9 – Identify a contact person.
Identify who your contact person is going to be. The contact
person will answer patients’ questions concerning forms, questions,
Step 10 – Identify all of your business
Identify who your business associates are. You will be required
to have a Business Associate Contract in place for every current
business associate by April 14, 2004.
Step 11 – Develop your policies, procedures and
Develop your policies, procedures, and forms for each of the
HIPAA initiatives. Sanctions for violations should be included.
Present them to your legal counsel for their opinion. Ensure that
your Standard of Conduct includes the HIPAA Privacy Rule.
Step 12 – Have vendors update your current IT
If you use packaged software, the software vendors should
provide you with updates that help meet the HIPAA Privacy
standards. The Privacy Rule does not require updating your
Step 13 – Ensure all of the Privacy Rule Administration
requirements are implemented.
Walk through all of the Privacy Rule requirements and check to
ensure you have met the appropriate standards.
Step 14 – Develop a customized training program for
The Privacy Rule requires all staff to be trained on their
organization’s policies and procedures. The privacy officer should
work with human resources to develop a customized training program
for the Privacy Rule. Make sure the training is documented and that
every employee has taken the training.
Step 15 – Monitor your policies, procedures, and
The privacy officer should monitor compliance to ensure that the
HIPAA regulations are being followed and are working properly.
Step 16 – Stay current on HIPAA Privacy rules and
The privacy officer should regularly review the DHHS and Centers
for Medicare & Medicaid Services (CMS) websites to stay current
on HIPAA Privacy rules and regulations. The privacy officer should
subscribe to the DHHS HIPAA update notification service at http://cms.hhs.gov/mailinglists.
Editor’s note: Additional information about HIPAA
can be obtained at a website provided by CMS: www.hipaa.org
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. For more information, visit www.provaliant.com.