Health Information Compliance Alert

Published on Sat Nov 11, 2006 PDF

Simple fixes like moving the cash register can save you money.

Coming up with a HIPAA budget plan has left many providers, health plans, and other covered entities bereft of hope. Many covered entities are frustrated over the lack of a governmental framework for producing a HIPAA budget, but there's a good and sensible reason for the lack of a template: No two covered entities are alike.

While that answer may seem simplistic, it is undeniably valid. Physicians' practices, for example, can range in size from one doctor to 100. And gauging the progress of physicians' practices in generating a budget for compliance is further complicated by the revisions to the privacy rule.

One attorney tells Eli he's heard vastly different budget proposals from different covered entities. For instance, a fairly large ophthalmology practice of about 20 to 30 full-time employees was quoted an extreme end of about $100,000, but that figure only related to the privacy rule and did not include technical components to ensure that their data systems ran standard transactions and code sets.

On the flip side of the coin: There are even larger practices that may choose to create a budget without external counsel. Some practices create budgets based on their own internal time and energy plus their own $500 compliance program. On technical issues, many practices choose billing companies to enter all of their standard electronic transactions for them.

Renovations Won't Always Be Necessary

One of the crucial aspects of any budget and an element that the Department of Health and Human Services has provided guidance on is the physical restructuring of the workplace. The good news is that providers can comply with the physical modifications guidance without it costing a bundle.

Physical restructuring is not required, as long as "reasonable steps are taken to prevent inadvertent disclosures" of protected health information," advises Brian Gradle of the DC office of Epstein Becker & Green.

Gradle cites pharmacy areas as an example. He says facilities containing areas where drugs are dispersed also counsel patients at their counter. A simple remedy that may be applied to prevent the inadvertent disclosure of PHI may involve simply moving the cash register away from the area in which patients are counseled. "And taking [the register] away from where there's going to be patient counseling or where people might come up to look at over-the-counter medications" means a covered entity is taking "reasonable precautions" to obviate potential eavesdropping.

Privacy Officers Need Help

But no matter what the extent of one's practice, privacy officers represent the essential players in creating and implementing the specific requirements of a budget proposal. Many CEs are putting together teams to come up with a plan that ties together all the multi-faceted aspects of compliance with HIPAA.

Gradle says the privacy officer, as well as another member from the Human Resources department and yet another representative from the Internet Technology group, commonly spearhead a compliance team's budgetary proposals. That group must "come together and take a look at how protected health information comes into the organization, who looks at it, for what reason, how it flows" and where it ends up.

Ultimately, though, privacy officers must start with a gap analysis and proceed from there. Determining a budget depends on a CE's specific size and circumstances. And as one expert tells Eli, "any [dollar figure] would be useless" without first assessing the gap analysis of one's organization.