Look at rights created
One of the "threshold questions" in the Health Information Portability and Accountability Act (HIPAA) risk analysis is whether to perform the analysis in-house or use outside consultants. Some entities have outsourced the entire gap analysis, while others have done it in-house, says Linda Malek, a partner and chair of the health care practice at Moses and Singer in New York City.
According to Malek, one of the most important things about the privacy rule is the rights that it creates. "That will be key to your organization in terms of recording and tracking how you use the information," she says. "You need to be thinking about who it is that is in charge of the inflow and outflow of information and who handles patient requests for information."
Providers also must think about the number of employees who will be affected by the privacy rule, because these are the employees who will have to be trained.
This is a useful occasion to get an idea of how the stated policies stack up against staff understanding of those policies, Malek says. "When you are interviewing people, this is a good opportunity to find out if there is a disconnect between the two and address that," she explains.
Another important step in the gap-analysis process is a walk-through of the facility, Malek adds. "This is where you are getting an idea how the information flows in and out of the organization and how the actual practices may or may not conflict with stated policies."
Before beginning a HIPAA assessment process, Malek recommends that hospitals educate those within the organization who are going to be the decision makers for implementing HIPAA. "The first thing to do is to give upper-level staff a general overview of the HIPAA privacy rule," she says. Those with responsibility for implementing HIPAA should then go to key managers within the organization to make sure they all are given some form of HIPAA awareness training.
Another immediate step in a risk assessment is to start gathering information, Malek says. She suggests that every organization assign a point person for gathering this information and set up a repository for HIPAA information. She also recommends that hospitals have a steering committee that includes the chief executive officer, chief operating officer, and someone from information technology and the general counsel’s office.
The next step is to start interviewing high-level personnel, Malek says. "They are the policy-makers in your organization who set the tone for the rest of the organization. You need to figure out the chain of reporting to the top-level person, the levels of accountability, and how new policies are disseminated."
The final HIPAA security regulations, meanwhile, still are uncertain, says Janice Roach, executive director of Tri-City Regional Surgery Center in Richland, WA.
"We are still a little nervous about the fact that the final security regulations are not yet finalized, yet we are supposed to ensure the privacy of our patients’ information," she adds. "We expect to make some minor changes to improve security of patient data, but we already have had to begin staff awareness and training." Her awareness efforts include discussion at monthly staff meetings, she says. Privacy training for all employees is mandatory under HIPAA.
The Chicago-based American Hospital Association warns that the rule, even with its modifications, still requires "sweeping operational changes."
"Because it will affect every department, employee, and business associate of the hospital, it will take intense education of hospital workers and patients," the association states in a recent report.
"We are reviewing our policies and procedures to make sure that we are protecting the privacy of patient information," Roach says. Most covered entities have until April 14, 2003, to comply with the patient privacy rule. Certain small health plans have until April 14, 2004, to comply.