HIPAA COMPLIANCE:
Nix Security Problems With Walkthrough Inspections
Published on Sat Jul 01, 2006
Follow this advice to keep your compliance plan in shape.
Your security compliance program could be long overdue for a checkup. Now is the time to begin monitoring your staff so you can knock out violations of compliance with the Health Insurance Portability and Accountability Act (HIPAA) before they occur. Here's how to get started: Recruit Anonymous Reviewers The basics: Much like the safety audits your office already performs, a walkthrough can prevent violations before HHS' Office for Civil Rights gets involved. Whether you announce inspections or execute them without your staff's knowledge, experts agree that you should perform them at least annually for all departments and more often for high-risk areas.
"If you've found a problem area, then you want to do [walkthroughs] more often than [once a year] to get things really ironed out," suggests Patricia Johnston, a consultant for Texas Health Resources in Arlington, TX.
Though not mandated by the privacy rule, third party or anonymous reviewers are often an efficient, if costly, method of examining your facility's HIPAA compliance program. "The big thing is making sure that nobody knows what's going to happen because you want to see what people are doing on a day-to-day basis, not what they're doing on their best behavior," posits Robert Markette, an attorney with Indianapolis' Gilliland & Caudill.
The types of violations often caught in walkthroughs range from simple mistakes--like leaving confidential faxes unattended or discussing protected health information (PHI) in public areas--to trickier situations that may have been overlooked. Many times the problem is not a procedural violation, but an issue that hasn't been thought through all the way, Markette says. Focus On Your Front Lines "Focus on [areas with] a significant amount of interaction with the public or ... patients," advises Brian Gradle, an attorney with the D.C. office of Hogan & Hartson. Waiting rooms, elevators and even fax machines are all areas where the public can accidentally hear or view information, Gradle offers.
Example: In a walkthrough, Markette noted that although the office had obviously positioned computer monitors so that patients could not see them from the waiting room, staff members hadn't considered the glass entryway to be a risk area. "As you walked in, you could look right over the employee's shoulder," he observed.
"Any time a privacy official is walking through, they should have their eyes and ears open," claims Gradle. But experts agree that while privacy officials should conduct informal walkthroughs frequently, there must be some method to document and track violations, and there must be follow-ups.
To solidify the process of monitoring HIPAA compliance, Johnston developed a walkthrough checklist. As a tangible record of violations, you should base your checklist on the privacy policies and procedures central [...]
