Practice Safeguards and Notice of Privacy Practices

Let’s discuss safeguards within the practice. These include Administrative, Physical, and Technical Safeguards. The HIPAA Security Rule became effective on April 20th, 2005. The Security Rule Standards define how we are to ensure the integrity, confidentiality, and availability of our patients’ ePHI. The Security Rule requires that we have Administrative, Physical, and Technical Safeguards for protecting all ePHI. The Privacy Rule Standards require appropriate safeguards to be established within the practice to protect the privacy of PHI, and they also set limits and conditions on the uses and disclosures that may be made of such information without patient authorization.


Administrative Safeguards are administrative functions that should be implemented to meet the security requirements. These include:

  • Assigning or delegating security responsibilities to an individual, also known as the Chief Security Officer.
  • Training employees and all workforce members on security principles, and reviewing organizational policies and procedures at the start of new employment. You must also repeat this training on an annual basis. This includes obtaining an individual attestation from your employees, and documenting these annual trainings with a participant signature log kept within your HIPAA manual.
  • Terminating workforce members’ access to information systems when they leave.
  • Reporting and responding to security risks and incidents in a timely manner.


Physical safeguards are key components that must be implemented to protect electronic systems, equipment, and the data that they hold from threats, environmental hazards, and unauthorized intrusion. Ensure that you work with your IT department. This includes:


  • Limiting physical access to information systems containing ePHI, for example a server room.
  • Preventing inappropriate viewing of ePHI on computers.
  • Properly removing ePHI from computers before disposing of or reusing them.
  • Backing up and storing ePHI correctly.


And last, we have Technical Safeguards. Technical Safeguards are automated processes used to protect data and control access to data.


  • Providing users with unique identifiers for accessing ePHI.
  • Processes for accessing ePHI during an emergency.
  • Encrypting ePHI during transmission when sending by fax or electronically.
  • Logging off of workstations as we leave them, or automatically logging off users after a determined period of inactivity.


These safeguards are all extremely important to our practices because they help us ensure we remain HIPAA compliant and protect our patients’ health information. Looking at additional guidance on HIPAA compliance, it is important to understand that we derive information from multiple sources, but they all lead back to the US Department of Health and Human Services. You can view their website at www.hhs.gov. HIPAA requires organizations working in healthcare to conduct Annual Self Audits. Self Audits are meant to analyze an organization’s privacy and security practices, to ensure that they adhere to HIPAA standards.


Security Risk Assessment – This assessment analyzes an organization’s overall security to determine gaps, allowing remediation plans to be created to close these gaps.

Security Standards Audit – Requires organizations to have security policies in place in accordance with HIPAA standards.

HITECH Subtitle D Audit – Ensures that documentation and procedures are in line with HIPAA breach notification requirements.

Asset and Device Audit – Requires organizations to create a list of all of the devices that access ePHI. The device list should include who uses each device and what protections are in place securing it.

Physical Site Audit – Ensures that each of an organization’s physical locations is secure, utilizing alarm systems, cameras, and keypad locks, for example.

Privacy Assessment – Although not required for business associates, assesses an organization’s privacy policies, ensuring that PHI use and disclosure guidelines are in line with HIPAA standards.


Let’s take a closer look at the Security Risk Assessment. There are 5 steps within the Security Risk Assessment that practices must review.


  1. Gap Identification and Remediation – By completing self-audits, organizations can determine any gaps in protecting our patients’ health information. A remediation plan addresses those gaps by laying out how each issue will be fixed. Remediation plans must be documented, including the dates on which remediation efforts will be implemented.
  2. Policies, Procedures, and Training – Policies and procedures must be created for an organization’s specific needs. An effective compliance program includes policies and procedures written for your specific practice. You should also store these within your HIPAA Manual.
  3. Employee Attestation and Tracking – An organization is not HIPAA compliant if it does not document its efforts. You must have a way to prove that your employees have completed HIPAA training. Employee attestation is when an employee reads through an organization’s policies, procedures, and training materials, and legally confirms that they have read and understand all of the materials.
  4. Business Associate Management – Organizations working in healthcare must secure business associate agreements, or BAAs, with any vendors or business associates that may have access to PHI. A BAA must be executed before PHI can be shared between these parties. It also ensures that each party is HIPAA compliant. It limits the liability for both parties involved, as it states that each party is accountable for itself, meaning that in the event of a breach, only the responsible party will be held accountable. However, organizations that don’t properly obtain a BAA with their vendors will also be held accountable if a breach occurs. Business associate agreements must be reviewed annually to incorporate any changes in the nature of an organization’s relationship with the vendor.
  5. Incident Management – In the event of a data breach, healthcare organizations and the vendors that service them are required to report the incident. The HIPAA Breach Notification Rule requires organizations to report breaches to the Department of Health and Human Services, as well as to the affected individuals.


There are five steps that guide a privacy risk assessment:

Step One: Define the flow of PHI within your practice. Identify the first point at which PHI enters the practice, what happens to it as it flows through the practice, and how and when the PHI or ePHI is transferred, to ensure it adheres to the policies in place.

Step Two: Identify any flaws within your flow of PHI and any threats that may occur. Identify vulnerabilities or flaws within the flow, potential threats of an information breach by a person or by software, and the risks that could impact your practice.

Step Three: Analyze your HIPAA compliance risk level and the potential impact it would have on your practice. Define the likelihood of each risk within your practice, determine its impact, and assign each threat a high, medium, or low risk level.

Step Four: Implement security measures based on your risk assessment. Document and understand your practice’s risks. Identify the security measures that resolve each risk, and implement those measures within 30 days of identifying the risk.

Step Five: Repeat step four for all identified risks. This helps to ensure all of the risks are addressed, documented, and resolved within the practice. Repeat this assessment as often as desired, but at minimum on an annual basis, to ensure your practice stays HIPAA compliant.
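The five steps above can be kept as a small risk register: each PHI flow point is paired with its threat (steps one and two), rated high, medium, or low from likelihood and impact (step three), given a remediation deadline 30 days after identification (step four), and checked across the whole register for anything unresolved (step five). This is an added example, not from the original training material; the 1-to-3 likelihood and impact scale, the score thresholds, and the sample entries are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


def risk_level(likelihood: int, impact: int) -> str:
    """Step three: combine a 1..3 likelihood and 1..3 impact (assumed scale)
    into the page's high / medium / low rating."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be rated 1..3")
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    phi_flow_point: str            # where in the PHI flow the threat applies (step one)
    threat: str                    # the flaw or threat identified (step two)
    likelihood: int
    impact: int
    identified_on: date
    measure: str = ""              # security measure chosen to resolve it (step four)
    resolved_on: Optional[date] = None

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def remediation_due(self) -> date:
        # Step four: measures must be implemented within 30 days of identification.
        return self.identified_on + timedelta(days=30)


def overdue_points(register: List[Risk], today_iso: str) -> List[str]:
    """Step five: walk every risk and return the flow points whose risk is
    still unresolved after its 30-day remediation deadline."""
    today = date.fromisoformat(today_iso)
    return [r.phi_flow_point for r in register
            if r.resolved_on is None and today > r.remediation_due]


# Constructed sample register for a hypothetical practice (not from the page).
REGISTER = [
    Risk("front desk intake", "PHI visible on unattended workstation", 3, 2,
         date(2024, 3, 1), "automatic logoff after inactivity", date(2024, 3, 10)),
    Risk("fax to referring provider", "unencrypted transmission of ePHI", 2, 3,
         date(2024, 3, 1), "encrypt outbound fax/e-transmission"),
    Risk("server room", "door found unlocked", 1, 2, date(2024, 3, 20), "keypad lock"),
]
```

Running the register against a date is what the annual (or more frequent) repeat of the assessment looks like in practice: any flow point returned by `overdue_points` is a documented gap whose remediation date has passed.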


When it comes to understanding patient Privacy, Security, and Technology, it is important to know the rules and regulations for protecting PHI and ePHI. As we use technology to improve patient care, we face additional challenges in protecting this information from unauthorized use and disclosure. We must understand the form of technology being used, and the precautions we must take to safeguard patient information. It is also important that you as an employee follow HIPAA and organizational policies and procedures to prevent violations. Violations can lead to organizational as well as individual fines and penalties, and also to termination of employment. Our patients entrust us with their health information; therefore, we must protect it against deliberate or inadvertent misuse or disclosure. The consequences of not complying with HIPAA are too great.


Now, within the Privacy Rule, requirements for covered entities to distribute a notice of privacy practices, or NPP, are defined:


– The NPP must describe the uses and disclosures of PHI that a covered entity is permitted to make.

– The covered entity’s legal duties in its privacy practices with respect to PHI, and also the individual’s rights concerning PHI.

– A CE must also include separate statements about permitted uses and disclosures that the covered entity intends to make, including those for certain treatment, payment, or even healthcare operations.

– The Privacy Rule currently requires that the NPP contain a statement that any use or disclosures other than those permitted by the Privacy Rule will be made only with written authorization by the individual. And, that the individual has the right to revoke an authorization at any time.

The following pieces of information must also be included within the Notice of Privacy Practices:

– The NPP must have an effective date, and if updated at any time, you have to ensure that you update all documents also.

– The following statement is also required on the NPP. It reads “This notice describes how medical information about you may be used and disclosed, and how you can get access to the information. Please review it carefully.”

– You’ll also want to ensure that the NPP has your practice contact and complete information, as well as the Chief Security Officer information for your practice.


Where is your Notice of Privacy Practices located? It is a requirement that the NPP is displayed within your practice and also on your website. It’s also important to know and understand that as a covered entity, you must make your notice available to any person who asks for it. You are required to prominently post within the office and make the notice available on your website. You also need to provide the notice to the individual no later than the date of first service delivery, as well as make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment, as well as the reason as to why it was not obtained. If communicating with a patient electronically, you must send an electronic notice automatically in response to the individual’s request for service. The provider must make a good-faith effort to obtain a return receipt from the individual in response to receiving the notice. In an emergency situation, which doesn’t happen as often in our industry, you must provide the notice as soon as it is reasonably possible to do so after the emergency situation has ended. At the end of this program, we will provide you with a sample Notice of Privacy Practices for review. We will also reference the hhs.gov website, where you can find other models or samples that may be helpful in reviewing and revising your Notice of Privacy Practices.

williamsgroup