One of the "threshold questions" in the Health Information Portability and Accountability Act (HIPAA) risk analysis is whether to perform the analysis in-house or use outside consultants. Some entities have outsourced the entire gap analysis, while others have done it in-house, says Linda Malek, a partner and chair of the health care practice at Moses and Singer in New York City.
Before beginning a HIPAA assessment process, Malek says compliance officers should educate those within the organization who are going to be the decision makers for implementing HIPAA. "The first thing to do is to give your upper-level staff a general overview of the HIPAA privacy rule," she says. Those with responsibility for implementing HIPAA should then go to key managers within the organization to make sure they all are given some form of HIPAA awareness training.
According to Malek, one of the most important things about the privacy rule is the rights that it creates. "That will be key to your organization in terms of recording and tracking how you use the information," she says. "You need to be thinking about who it is that is in charge of the inflow and outflow of information and who handles patient requests for information."
Malek says another immediate step in a risk assessment is to start gathering information. She says every organization should assign a point person for gathering this information and set up a repository for HIPAA information. She also recommends setting up a steering committee that includes the chief executive officer, chief operating officer, and someone from information technology and the general counsel’s office, because those basically are the people who will handle the information.
Providers also must think about the number of employees who will be affected by the privacy rule, because these are the employees who will have to be trained.
Malek says the next step is to start interviewing high-level personnel. "They are the policy-makers in your organization who set the tone for the rest of the organization," she says. "You need to figure out the chain of reporting to the top-level person, the levels of accountability, and how new policies are disseminated," she says.
According to Malek, this is a useful occasion to get an idea of how the stated policies stack up against staff understanding of those policies. "When you are interviewing people, this is a good opportunity to find out if there is a disconnect between the two, and address that," she explains.
Another important step in the gap analysis process is a walk-through of the facility, says Malek. "This is where you are getting an idea how the information flows in and out of the organization and how the actual practices may or not conflict with stated policies," she says.