ADVANCE for Physical Therapy & Rehab Medicine
HIPAA Privacy and ROI: the Adventure Continues
A good foundation for privacy/security is just the beginning in avoiding audits
By Rita Bowen, MA, RHIA, CHPS, SSGB

Technology has made patient information unconstrained by physical boundaries. Healthcare organizations now live in a virtual world, and HIM professionals must provide privacy leadership across the institution and beyond.

Although it is easy for us to succumb to tunnel vision, paying attention only to that which is perceived to be in our realm, our responsibilities for patient privacy go further, much further. Our vision must expand to encompass a complete data governance policy for the entire organization.

We'll provide the remainder of a complete ROI checklist and discuss three critical areas within an organization-wide privacy and security policy where HIM professionals can lend an important hand: PHI location and data classification audits, understanding privacy and security laws, and establishing a global encryption policy.
ROI Checklist Continued

Before we try to influence the privacy of the rest of the institution, we need assurance that our own house is in order. The ROI process is your best place to start. These checklist items are general and not all-inclusive. You must tailor them to your specific needs and situation. That being said, all of them need to be implemented to some extent.
• Policy/procedures for chart pulls if you are in a paper or hybrid environment;
• Principles for patient identity controls and patient look-up if you are totally electronic;
• Mail opened and logged—same day;
• Information maintained in a secure/private manner on desks;
• If material is printed—disposal is made within shred bins;
• Are shred bins locked prior to shredding;
• Scanned document validation of patient ID and second identifier;
• EHR validation of patient ID and second identifier;
• Processing of subpoenas observed—standards met;
• Knowledge of who to report MPI issues to;
• Employees can verbalize understanding of privacy standards.
Be sure to document all processes, training and validation. This is important should you ever need to show that all these steps have been taken. Validation of your efforts is the best way to minimize any penalties, fines or investigations should a breach occur. Good faith best efforts go a long way and are proof that everyone was doing their part should the inevitable occur.
Beyond Checklist 101

A good foundation for privacy/security is just the beginning of the process. Considerably broader work is needed to create a complete data governance program, as mentioned at the beginning of this article. More advanced efforts may be the purview of management, but those efforts must translate to action. Three areas of concern that HIM directors should participate in or lead are:

• PHI location and data classification audit;
• Federal/state privacy and security law analysis;
• Global encryption policy.
Where Is It?

It is amazing the number of places you can find PHI. Ask IT, the business office, case management, utilization review and all clinical areas where PHI resides, and you will have a good starting point for defining the world of privacy. After compiling your list, walk around and classify the type of data. Then you should work with IT to verify the list. You will often find areas that are overlooked such as unattended computer terminals and