The Implementation of HIPAA Joan M. Kiel, Ph.D., C.H.P.S. Duquesne University Pittsburgh, Pennsylvania

The Implementation of HIPAA

Joan M. Kiel, Ph.D., C.H.P.S.

Duquesne University

Pittsburgh, Pennsylvania

HIPAA Parts

• HIPAA: 6 of 11 Parts Released:

• Transactions & Code Sets [2002]

• Privacy [2003]

• Unique Identifier- Employer [2004]

• Security [2005]

• Enforcement [2006]

• Unique Identifier – Provider (NPI) [2007]

HIPAA Parts

• HITECH: Health Information Technology for Economic & Clinical Health Act [2/2010]

• HIPAA Compliance Audit Protocol [7/2012]

• HIPAA “MegaRule” [1/25/2013]

HIPAA Personnel Role

• Privacy Person [45CFR164.530(a)(1)(i)]

• Security Person [45CFR164.308(a)(2)]

• The Federal Government mandates that covered entities designate both a privacy official and a security official; the regulations allow one individual to hold both roles.

• This person (or persons) implements and manages the policies required under the Rules listed above.

What Needs to Be Done

• For each of the policies, the HIPAA person will do the following 11 items.

• This is an ongoing process as an item is truly never done; just like your other work.

1. HIPAA Committee

• Representatives from health services and medical records, information technology, management, finance, and policy.

2. Policies & Procedures

• For the six HIPAA Rules to date, develop policies from the text of the law itself, not from secondary sources

• The laws are released in the Federal Register

3. Training & Awareness

• Live or on-line, but must be ongoing

• Staff meeting awareness

• Payroll stuffers/emails as awareness

• Integrate awareness to daily activities

4. Documentation

• Documentation must be retained for six years

• Critical with July 2012 HIPAA Compliance Audit Protocol & MegaRule

5. Risk Assessments & Audits

• Quarterly

• Authentication: most likely passwords

• Data integrity checks

• Have a policy and process to act on the findings
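The slide calls for data integrity checks and a process to act on the findings but does not show what such a check looks like. The following is an added example, not code from the presentation or from any covered entity: it keeps a keyed integrity manifest (HMAC-SHA256) over a set of constructed, fictitious records, re-verifies it at the next audit, and returns a findings list (modified, missing, or unmanifested records) that the policy process can act on. The record format, the audit key, and the function names are assumptions made for illustration; in production the key would live in a KMS or HSM rather than in the script.

```python
"""Integrity-check audit over PHI records: keyed manifest plus periodic re-verification."""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: in production this key is fetched from a KMS/HSM; it is hard-coded only for the example.
AUDIT_KEY = b"example-audit-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_tag(record: dict, key: bytes = AUDIT_KEY) -> str:
    """HMAC-SHA256 over the canonical record.

    A keyed tag, unlike a bare SHA-256, cannot be recomputed by someone who can alter
    the record store (and a manifest stored beside it) but does not hold the key.
    """
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records: Dict[str, dict], key: bytes = AUDIT_KEY) -> Dict[str, str]:
    """Snapshot taken at the last audit: record id -> expected tag."""
    return {rid: integrity_tag(rec, key) for rid, rec in records.items()}


def audit_integrity(records: Dict[str, dict], manifest: Dict[str, str],
                    key: bytes = AUDIT_KEY) -> List[dict]:
    """Compare the current store against the manifest and return findings to act on."""
    findings: List[dict] = []
    for rid, expected in manifest.items():
        if rid not in records:
            findings.append({"record": rid, "finding": "missing"})
            continue
        actual = integrity_tag(records[rid], key)
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(actual, expected):
            findings.append({"record": rid, "finding": "modified"})
    for rid in records:
        if rid not in manifest:
            findings.append({"record": rid, "finding": "unmanifested"})
    return sorted(findings, key=lambda f: f["record"])


def sample_records() -> Dict[str, dict]:
    """Constructed, fictitious records for the example (no real PHI)."""
    return {
        "MRN-0001": {"name": "A. Example", "dob": "1970-01-01", "dx": "J45.20"},
        "MRN-0002": {"name": "B. Example", "dob": "1985-05-05", "dx": "E11.9"},
        "MRN-0003": {"name": "C. Example", "dob": "1992-09-09", "dx": "I10"},
    }


def run_quarterly_audit() -> List[dict]:
    """Simulate one audit cycle: manifest at the last audit, then changes before this one."""
    baseline = sample_records()
    manifest = build_manifest(baseline)

    current = sample_records()
    current["MRN-0002"]["dx"] = "E11.65"        # altered outside the change process
    del current["MRN-0003"]                      # deleted
    current["MRN-0004"] = {"name": "D. Example", "dob": "2000-02-02", "dx": "Z00.00"}  # added

    return audit_integrity(current, manifest)


if __name__ == "__main__":
    for finding in run_quarterly_audit():
        print(f"{finding['record']}: {finding['finding']}")
```

Each finding maps to an action in the policy the slide asks for: a "modified" record goes to an investigation of who changed it and whether the change was authorized, a "missing" record to the retention and deletion process, and an "unmanifested" record to a check of how it entered the system. Re-run `build_manifest` only after the findings have been closed, so the next quarter's baseline reflects reviewed data.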

6. Complaint Process

• People need to be aware of how to file a complaint; thus, post process to file complaints

• Complaints are only to be HIPAA related

• Have a policy & process to act on the complaints

7. Sanction Process

• Sanction only for the HIPAA violation

• Internal investigation and/or OCR

• Civil and criminal penalties per Enforcement Rule

• Follow-up on the sanction and charge

8. Web Site

• If the covered entity has a web site, the Notice* of Health Information Privacy Practices must be prominently displayed on the web site.

• Keep the web site updated

• *Notice as of February 2009 & MegaRule – July 15, 2014

9. Forms (“Formage”)

• Develop forms from the laws.

• Forms from other covered entities may or may not be usable (e.g., those implementing addressable Security Rule specifications)

• Educate staff on the forms

10. Business Associate Agreements

• Assess all those external to the workforce who have access to the covered entity’s PHI

• Both the Privacy Rule and the Security Rule cover BAAs; HITECH and the MegaRule brought tougher BAA requirements

11. Research

• Play an integral role with the covered entity’s Institutional Review Board

• Ensure minimum necessary standards for data used in research

• Look for changes in 2013 or 2014

Summary

• Position outlined by the Six Rules of HIPAA that have been released; stay informed on changes and upcoming Rules

• Communication

• Organization

• Keep current