HIPAA Q&A
[Editor’s note: This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA). If you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: [email protected].]
Question: Do policies related to HIPAA compliance have to be kept in a separate policy book?
Answer: No, the HIPAA policies do not need to be in a separate book, says Robert W. Markette Jr., an Indianapolis attorney. The HIPAA documentation standards simply require the provider to document the policies and procedures in written or electronic form, Markette explains. “If a provider wants to make the HIPAA policies and procedures part of a larger policy manual, that is acceptable,” he says. As with the rest of the procedures, it is a good idea to have the manual thoroughly indexed and cross-referenced, Markette adds.
The security rule does require the covered entity to make the security documentation available to those who are responsible for implementing the procedures in it, he points out. Whether you have these policies in a larger manual or a HIPAA-specific manual, providers should be fine as long as they are easily accessible, Markette says.
Question: What physical safeguards are necessary to comply with the HIPAA security rule?
Answer: As with the rest of the security rule, physical safeguards need to be complex enough to reduce “reasonably anticipated risks” to a “reasonable and appropriate” level, Markette says. For a home health agency, most of its facility security involves keeping nonemployees out of the administrative offices because patients are not treated at the office, Markette points out. “However, many home health agencies provide their staff with laptop computers to carry with them while they work,” he says.
Because these computers are used to access and enter patient information, these laptops will be the subject of both workstation use policies and workstation security policies, he adds. “Most providers will require the laptops to be password-protected and will require employees to take certain actions to prevent loss or theft, such as keeping the laptops in a locked car,” he says.
Other potential issues with laptops to consider include:
- Are they being used where a third party can see protected health information (PHI) as it is being entered into the laptop? Make sure that employees do not let friends or family members look at the information when the nurse is in the home.
- How are the laptops traced within the agency? In other words, do you know who has the computers? Be sure the employees who have laptops that can access PHI do need the information to do their jobs.
For more information on the security rule, contact:
- Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: [email protected].
This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA).
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.