Does your security compliance program require a checkup? If so, now is the time to start monitoring your staff so you can knock out compliance violations before they take place.
Read on to find out three steps that’ll help you get started:
1. Recruit Anonymous Reviewers. Pretty much like the safety audits that your office already carries out, a walkthrough can prevent violations before the Department of Health & Human Services gets involved. Irrespective of whether inspections are announced or executed without your staff’s knowledge, experts agree that they should be done at least annually for all departments and more often for high-risk areas.
“If you have figured out a problem area, then you want to do more often than once a year to get things ironed out,” according to Patricia Johnston, a consultant for Texas Health Resources in Arlington, TX.
Although not mandated by the privacy rule, third party or anonymous reviewers are often an efficient, if costly, method of probing your facility’s HIPAA compliance program. “The big thing is ensuring that nobody knows what is going to happen as you want to see what people are doing on a day-to-day basis, not what they are doing on their best behavior,” Robert Markette, an attorney with Indianapolis’ Gilliland & Caudill says.
2. Focus on your front lines. “Focus on areas with a considerable interaction with public or…patients,” advises Brian Gradle, an attorney with the D.C. office of Hogan & Hartson. Waiting rooms, elevators and even fax machines are all areas where information can accidentally be heard or seen by the public, he says.
Gradle claims, “Any time a privacy official is walking through, they should keep their eyes and ears open.” But experts agree that while privacy officials should carry out informal walkthroughs regularly, there must be some method to document and track violations, and there must be follow-ups. A walkthrough checklist can be priceless here. See to it that you base it on your organization’s privacy policies and procedures.
3. Be tough and enforce sanctions. You should take HIPAA violations seriously if and when they do occur. This means you will have to outline and impose sanctions according to the gravity of the violation. Not only does failure to apply penalties mar your compliance program, it’s also against the law not to have a sanctions policy in place.
Following your sanctions policy will be to your advantage in the long run, explains Markette, as it proves to your employees the importance of maintaining privacy standards, while at the same time preventing them from using past inconsistencies to excuse or eliminate their responsibility to protect PHI (protected health information).