HIPAA update for LTC facilities. (Computer Quarterly Update).Although you have heard about delays in federal implementation of the Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when (HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, ), most of the more important provisions are now scheduled for implementation in 2003. (That is, the Privacy Standards must be implemented by April 14, 2003, and the Transaction and Code Sets provision must be implemented by October 16, 2003, so long as the facility provides a compliance plan to HHS HHS Department of Health and Human Services. by October 2002.) A significant number of providers continue to believe that HIPAA compliance in long-term care long-term care (LTC), n the provision of medical, social, and personal care services on a recurring or continuing basis to persons with chronic physical or mental disorders. requires only modest or even minimal change that can be accomplished shortly prior to the compliance deadlines. This view is inaccurate; in fact, there are numerous HIPAA risk areas for long-term care, including: * Access and control of medical charts, medical records and Minimum Data Set information (including electronic data) * Access to and control of protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the (PHI phi n. Symbol  The 21st letter of the Greek alphabet.PHI, n See health information, protected. ) at nursing stations, in offices and on resident floors * Security of storage areas where resident files are kept * Security of printers, fax machines and computers in offices and elsewhere * Security of offices themselves, including offices occupied (or partially occupied) by non-facility-controlled staff * Security of admission information With proper planning, most long-term care providers can comply with HIPAA requirements in a timely fashion. Careful thought and planning will get them there with minimal wasted time and effort. Steps to consider now (if you haven't already) include: 1. Initiate HIPAA compliance planning. * Assign a specific HIPAA planning officer and appoint members to a planning team. * With these individuals, review HIPAA requirements as they apply to the facility. * Brief key executives on HIPAA compliance requirements Compliance requirements are a series of directives established by United States Federal government agencies that summarize hundreds of Federal laws and regulations applicable to Federal assistance (also known as Federal aid or Federal funds). , compliance planning steps, resources needed (staff and budget) and timetable. * Determine organizational structure  This article has no lead section.To comply with Wikipedia's lead section guidelines, one should be written. requirements (e.g., use of planning resources across multiple organizations and development of standardized HIPAA procedures for patient consent, patient authorizations and complaint documentation). 2. Evaluate HIPAA compliance risks. * Review and document all major types of protected health information in the facility, including that documenting routine care. Evaluate and prioritize solutions to protect data and information that appear to be at risk. * Review/evaluate electronic and paper records and operational security procedures needed. * Identify HIPAA-related software applications and contact software vendors to obtain their HIPAA compliance plans. * Identify business associates and (if applicable) Chain of Trust Contracts to which HIPAA standards will apply. * Identify and contact vendors providing transaction codes and obtain HIPAA compliance plans/assurances from them. * Prior to adopting "final" new procedures, evaluate recent modifications to HIPAA provisions arising from proposals published in the Federal Register (e.g., the recent HHS proposal to eliminate the need for patient consent for provider use of PHI for patient/resident treatment, payment and operations, which could be finalized as soon as this month). * Review possible HIPAA compliance barriers possibly unique to long-term care facilities long-term care facility n. See skilled nursing facility. , e.g.: frequent access to PHI by multiple staff members; significant volume of PHI because of required documentation for pharmacy, therapy, medical treatments, medical notes, etc.; and common use of paper records, which are more difficult to protect. 3. Develop a compliance plan. * Assign staff to specific responsibilities for major compliance areas, i.e.: staff communication and education; consents, authorizations, notices, etc.; clinical coding, patient care documentation, auditing methods; procedures for complaints, grievances, compliance violations, tracking; transaction codes, contracts, contacts with vendors; physical security of plant and operations; electronic data (computer) security; disaster planning/recovery procedures; and special HIPAA provisions for psychotherapy psychotherapy, treatment of mental and emotional disorders using psychological methods. Psychotherapy, thus, does not include physiological interventions, such as drug therapy or electroconvulsive therapy, although it may be used in combination with such methods. records. * Develop a detailed workplan, with assignments, time frames and due dates. Schedule periodic reviews of policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental . Provide briefings of top management and board. * Develop a system for documenting all decisions, procedures and policies. 4. Monitor plan results. * Review the facility's risk analysis and priority compliance areas to ensure that their requirements are addressed according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. plan. * Conduct "tests" of new policies and procedures. * Ensure functioning of incident tracking/review system. * Ensure functioning of auditing system. * Ensure functioning of complaint/grievance tracking and resolution. * Monitor results of staff communications and education. * Establish a procedure to resolve new issues, questions and complaints about compliance policies and procedures. * Test and retest all electronic security procedures. * Test and retest disaster planning/recovery procedures. This appears to be a major effort and, often, long-term care facilities have neither the financial nor the staff resources to support a large HIPAA planning and compliance effort. Furthermore, many facilities have only limited electronic data technology but have large quantities of paper records. Many facilities have multiple contractual and vendor arrangements that must be accounted for in HIPPA Hip´pa n. 1. (Zool.) A genus of marine decapod crustaceans, which burrow rapidly in the sand by pushing themselves backward; - called also bait bug ltname>. See Illust. under Anomura. compliance. Clearly, compliance efforts must be prioritized. The most important factor in ensuring HIPAA compliance is managing the compliance planning and change effort so that a clear HIPAA compliance plan is developed, put in place and monitored. Ample time remains to develop and execute such a plan, even with the limited resources and staff time available. It all comes down to thinking out a plan and working it. Waiting until HIPAA requirements are about to go into effect is a recipe for trouble. Malcolm H. Morrison, PhD, is president and CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. of Morrison Informatics, Inc., an information technology and data analysis consulting firm Noun 1. consulting firm - a firm of experts providing professional advice to an organization for a fee consulting company business firm, firm, house - the members of a business organization that owns or operates one or more establishments; "he worked for a specializing in long-term care and postacute care. He can be reached atinformatic@informaticinc.com or by calLing (800) 559-8410. Materials from James R. Albert, vice-president and chief information officer of Masonicare, presented at the 2002 Health Information Management and Systems Society (HIMSS HIMSS Healthcare Information and Management Systems Society ) annual conference were referenced in this article. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion