Discovering The Secrets Of HIPAA Compliance: HIPAA Compliance Officer / (Chief) Privacy Officer (CPO) Job Description
HIPAA Compliance Officer • (Chief) Privacy Officer (CPO) Job Description • The HIPAA privacy officer oversees all ongoing activities related to the development, implementation, and maintenance of, and adherence to, the organization’s policies and procedures covering the privacy of, and access to, patient health information, in compliance with federal and state laws and the healthcare organization’s information privacy practices.
HIPAA Compliance Officer • Responsibilities: • Provides development guidance and assists in the identification, implementation, and maintenance of the organization’s HIPAA information privacy policies and procedures, in coordination with organization management and administration, the HIPAA Privacy Oversight Committee, and legal counsel. • Works with organization senior management and the corporate compliance officer to establish an organization-wide Privacy Oversight Committee. • Serves in a leadership role for the Privacy Oversight Committee’s activities.
HIPAA Compliance Officer • Responsibilities: • Performs initial and periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with the entity’s other compliance and operational assessment functions. • Works with legal counsel and management, key departments, and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent and authorization forms, information notices, and materials reflecting current organization and legal practices and requirements. • Oversees, directs, delivers, or ensures delivery of initial and ongoing privacy training and orientation to all employees, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties.
HIPAA Compliance Officer • Responsibilities: • Participates in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed. • Establishes with management and operations a mechanism to track access to protected health information, within the purview of the organization and as required by law and to allow qualified individuals to review or receive a report on such activity. • Works cooperatively with the HIM Director and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
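The second responsibility above, a mechanism to track access to and disclosure of PHI and to report on it to qualified reviewers, is the one item in this job description that is implemented in software rather than in policy. The following is an added example, not code from the AHIMA job description or the HomeTown Health slides: a small disclosure-accounting log in Python. It assumes a JSON-lines audit log with hypothetical field names, carries the four elements a Privacy Rule accounting of disclosures must contain (date, recipient, description of the PHI, purpose), applies the six-year look-back that such an accounting covers, and flags entries that lack a required element so the privacy officer can follow up. The sample records are constructed, including one deliberately malformed line, because a gap in an audit trail is itself a finding and must not be dropped silently.

```python
"""Minimal accounting-of-disclosures log and report (added example).

Field names (actor, recipient, phi_description, purpose, ...) are a
hypothetical schema; a real EHR audit hook would use its own.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Elements every disclosure record must carry before it can appear in an
# accounting handed to a patient (hypothetical field names).
REQUIRED_FIELDS = ("timestamp", "patient_id", "actor", "recipient",
                   "phi_description", "purpose")

# Constructed sample log (JSON lines). Line 5 is intentionally not JSON.
SAMPLE_LOG = """\
{"timestamp": "2012-01-10T09:15:00", "patient_id": "P-1001", "actor": "jdoe", "recipient": "State Health Dept", "phi_description": "immunization record", "purpose": "public health reporting"}
{"timestamp": "2012-02-02T14:30:00", "patient_id": "P-1001", "actor": "rsmith", "recipient": "Acme Billing (BA)", "phi_description": "encounter summary", "purpose": ""}
{"timestamp": "2011-12-20T08:00:00", "patient_id": "P-2002", "actor": "jdoe", "recipient": "Patient", "phi_description": "lab results", "purpose": "patient request"}
{"timestamp": "2005-06-01T10:00:00", "patient_id": "P-1001", "actor": "old_user", "recipient": "Insurer", "phi_description": "claim", "purpose": "payment"}
this line is not json
"""


def parse_log(text):
    """Parse JSON-lines records into dicts with a datetime timestamp.

    Returns (records, bad_line_numbers). Malformed lines are reported, not
    discarded, so a reviewer sees that the trail has holes.
    """
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        except (ValueError, KeyError, TypeError):
            bad.append(lineno)
            continue
        records.append(rec)
    return records, bad


def missing_fields(rec):
    """Required elements that are absent or blank in one record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def accounting_report(records, patient_id, as_of, years=6):
    """Accounting of disclosures for one patient.

    Includes every disclosure in the look-back window ending at `as_of`
    (six years by default, the period the Privacy Rule's accounting covers),
    oldest first, plus the entries that lack a required element.
    """
    cutoff = as_of - timedelta(days=365 * years)
    entries = sorted(
        (r for r in records
         if r["patient_id"] == patient_id and cutoff <= r["timestamp"] <= as_of),
        key=lambda r: r["timestamp"],
    )
    incomplete = [(r["timestamp"].isoformat(), missing_fields(r))
                  for r in entries if missing_fields(r)]
    return {"patient_id": patient_id, "as_of": as_of.isoformat(),
            "entries": entries, "incomplete": incomplete}


def activity_by_actor(records):
    """Disclosure count per workforce member, for periodic access review."""
    return Counter(r["actor"] for r in records)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    report = accounting_report(recs, "P-1001", datetime(2012, 2, 28))
    for e in report["entries"]:
        print(e["timestamp"].date(), e["recipient"], e["phi_description"],
              e["purpose"] or "<no purpose recorded>")
    print("incomplete entries:", report["incomplete"])
    print("malformed log lines:", bad)
    print("activity by actor:", dict(activity_by_actor(recs)))
```

The report deliberately keeps the incomplete entry in the accounting rather than filtering it out: the disclosure happened and the patient is entitled to see it, while the missing purpose is a separate defect for the privacy officer to chase with the business associate.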
HIPAA Compliance Officer • Responsibilities: • Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel. • Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the information security officer, administration, and legal counsel as applicable. • Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
HIPAA Compliance Officer • Responsibilities: • Reviews all system-related information security plans throughout the organization's network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department. • Works with all organization personnel involved with any aspect of release of protected health information, to ensure full coordination and cooperation under the organization's policies and procedures and legal requirements. • Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information privacy technologies to ensure organizational adaptation and compliance.
HIPAA Compliance Officer • Responsibilities: • Cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations. • Works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standards. http://www.ouwb.ohiou.edu/hipaa/ohic-oucom/pages/documents.htm This document was created from the American Health Information Management Association (AHIMA) Web site (http://www.ahima.org/infocenter/models/privacyofficer2001.htm) and is provided here for your convenience.
HIPAA – How to Implement, Audit & Reinforce HomeTown Health 2-28-2012
Implement, Audit & Reinforce! • Privacy Notices: • 1) Is the Privacy Notice provided to new patients at the time of registration? • 2) Is the Privacy Notice up to date? • 3) If the hospital maintains a Web site that employees or patients access for information, is the Privacy Notice prominently posted on the site?
Implement, Audit & Reinforce! • Training: • 1) Are new employees trained on the requirements of HIPAA Privacy and Security? • 2) Do you keep records documenting the training programs for such employees, such as having employees sign statements certifying they attended the training?
Implement, Audit & Reinforce! • Use of PHI for Employment Purposes: • 1) Do you have an appropriate "firewall" between your employee health services and other human resources functions? • 2) Particularly for companies with relatively small human resources staff, do your employees know about the prohibition on using information obtained for other employment-related purposes?
Implement, Audit & Reinforce! • E-mails: • 1) Are you careful about disclosing PHI in e-mails that travel unencrypted over open networks? • 2) Do employees use common-sense precautions to limit the amount of PHI included in e-mails?
Implement, Audit & Reinforce! • Information Security: • 1) Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? • 2) Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?
Implement, Audit & Reinforce! • Business Associates: • 1) Do you have the appropriate contractual language in place with all your vendors that potentially access PHI? This can include suppliers, attorneys, health plans, and IT consultants. • 2) Have these agreements all been updated for the HIPAA Security Rule and the HITECH Act?
Implement, Audit & Reinforce! • Privacy Complaints/Security Incidents: • 1) Have you reviewed records logging any privacy complaints or security incidents? • 2) How were these situations investigated? • 3) What sort of documentation was maintained? • 4) If there have been any complaints or security incidents, do they suggest a pattern that should be addressed?
Implement, Audit & Reinforce! • Minors/Personal Representatives: • 1) How do your medical records staff handle complicated questions relating to disclosing minors' health information to parents, or disclosing a spouse's information to the other spouse? • 2) Are they aware of the HIPAA and state law limits on doing so?
Implement, Audit & Reinforce! • Physical Safeguards: • 1) Are records containing identifiable information secured, such as in locked file cabinets or offices? • 2) Are records containing PHI generally removed from view on desks, computer screens, etc.?
Implement, Audit & Reinforce! • Telecommuting: • 1) Do personnel ever work from home? If so, what safeguards does your company use to protect paper records taken home by employees, data transmitted to a home computer, or data communicated over a VPN?
Implement, Audit & Reinforce! • Documentation: • 1) Do you document the steps taken to monitor and audit compliance? • This can include written audit work plans, regularly completed checklists, or simple "notes to the file" indicating what you did, when you did it, and what you found.
Implement, Audit & Reinforce! • A HIPAA compliance audit program is only as good as the follow-up efforts you put into remedying any identified problems. • Failing to address identified and documented problems can lead to an increased liability risk. • Part of your program should include developing corrective action plans to address what you find through the audit process, monitoring how any fixes are implemented, and documenting how problems are resolved.
Monitoring Results • Be prepared to revise policies and procedures or re-educate your workforce if a compliance audit indicates that some aspect of your HIPAA compliance plan isn't working, or that your existing policies aren't being followed. • If your monitoring does identify problems, revise your training materials to incorporate these "lessons learned," and consider additional training on any trouble spots revealed through your monitoring.