The Centers for Medicare and Medicaid Services (CMS) recently released the final results of its compliance program effectiveness pilot. The pilot's emphasis was on reducing billing errors and identifying best practices commonly employed by hospitals and other large providers. However, the lessons learned apply directly to covered entities and others affected by the HIPAA privacy and security rules, and they offer some basic steps that add up to a successful compliance process. The five steps gleaned from a series of on-site hospital visits were the following:
(1) Code of Conduct - CMS suggests that the code of conduct be issued under the signature of the organization's CEO or President. In other words, it needs to be a concise, easy to understand message that is disseminated and supported throughout the entire organization from the top down. Applying this to HIPAA should be an easy step, with a statement such as "We take patient confidentiality and HIPAA seriously" or "Use and disclose patient information for treatment, payment and health care operations."
(2) Policies and Procedures - Policy and procedure documents should be thoroughly integrated into the organization's business practices. They should be current and reviewed regularly, and employees should be familiar with those that affect their job functions. In fact, some of the most effective training programs build directly on the content of the actual policies and procedures, so that there is no gap between how the organization wants workforce members to act and what they are told in training.
(3) Education and Training - CMS suggests that no single method must be followed, but that a program supported by all levels of management, with ongoing and routine reinforcement, works best. N-Tegrity Solutions suggests that a HIPAA privacy and security training curriculum be based on the organization's policies and procedures and include customized scenarios reflecting the organization's common business challenges, so that workforce members gain a clear understanding of what is expected of them, especially when using and disclosing protected health information.
(4) Lines of Communication - CMS suggests keeping ongoing compliance systems in place to track items such as complaints. NSG suggests employing the same kind of tracking mechanisms to assure that requests to exercise HIPAA privacy rights (access, amendment, accounting of disclosures, etc.) are responded to according to state and federal law and in accordance with organizational policy.
(5) Auditing and Monitoring - CMS suggests that audits be planned and tracked, and that staff be re-educated when the findings call for it. NSG recommends building auditing and monitoring steps into the initial implementation of each privacy and security policy and procedure.
Healthcare organizations can learn from the CMS compliance program effectiveness pilot and apply the best practices set forth in the findings above to implement an effective HIPAA compliance program, as well as other compliance programs.