Compliance with HIPAA Privacy Regulation and Standards for Electronic Transactions

On April 12, 2001, Health and Human Services Secretary Tommy Thompson announced that the Health Insurance Portability and Accountability Act ("HIPAA") medical records privacy regulations will take effect without substantial changes. Nearly all covered entities, including health plans, health care clearinghouses and health care providers that electronically transmit any health information in a covered transaction, along with business associates of covered entities, will have to comply with the privacy regulations by April 14, 2003. Covered entities must also comply with the HIPAA standards for electronic transactions and code sets by October 16, 2002.

We recommend that you begin your compliance efforts now by doing the following.

Create the Privacy Infrastructure

1. Educate your Board of Directors and Senior Management
   • Make sure your Board of Directors and Senior Management understand the impact of HIPAA through in-house training sessions or outside seminars.
2. Establish a HIPAA Steering Committee
   • The steering committee will be responsible for spearheading your efforts to devise an effective HIPAA compliance system and should be composed of individuals who have the most contact with individually identifiable medical information, known as Protected Health Information or PHI.
3. Appoint a Privacy Official
   • The regulations require covered entities to identify a privacy official who will be responsible for ensuring compliance.

Conduct a Gap Analysis

With a gap analysis, your steering committee or other delegated individuals will compare your organization's existing policies and procedures for handling PHI to the HIPAA privacy requirements. This analysis will enable you to identify the steps necessary for your organization to become HIPAA compliant.

1. Assess the Flow of PHI Through Your Organization
   • Assess and document how PHI is developed, received, utilized, maintained, stored, accessed (by whom, what type and for what purpose), transmitted and disclosed by your organization. This requires that you identify classes of employees who access PHI and under what circumstances.
2. Collect and Catalog All Policies and Procedures that May Be Affected by HIPAA
   • Many of your organization's policies and procedures will need to be modified or augmented in light of HIPAA.
   • For example, your human resource policy related to confidentiality will likely need to be updated because HIPAA requires sanctions to be imposed on employees who use or disclose PHI in violation of HIPAA. Also, you will have to address daily operational issues such as how employees store PHI at their desk, whether screensavers and computer passwords are used to limit access, the use of speakerphones in common areas and whether discussion of PHI occurs in common areas.
3. Collect All Vendor Contracts to Assess Whether Business Associate Contracts Will Be Necessary
   • If a vendor performs a function on your behalf that involves PHI, the vendor is a "business associate."
   • As contracts come up for renewal, amend them to include the HIPAA business associate contract requirements

Review Insurance Policies

• Confirm insurance coverage for inadvertent privacy violations.

Prepare for Electronic Transactions

• Review your organization's readiness to comply with electronic standards and revise vendor contracts to ensure compliance by October 16, 2002.
• Obtain implementation guides at no cost through Washington Publishing Company's website.

Visit the Government's Website for Updates

• The official government website is ASPE.