A significant number of providers continue to believe that HIPAA compliance in long-term care requires only modest or even minimal change that can be accomplished shortly prior to the compliance deadlines. This view is inaccurate; in fact, there are numerous HIPAA risk areas for long-term care, including:
- Access and control of medical charts, medical records and Minimum Data Set information (including electronic data)
- Access to and control of protected health information (PHI) at nursing stations, in offices and on resident floors
- Security of storage areas where resident files are kept
- Security of printers, fax machines and computers in offices and elsewhere
- Security of offices themselves, including offices occupied (or partially occupied) by non-facility-controlled staff
- Security of admission information
With proper planning, most long-term care providers can comply with HIPAA requirements in a timely fashion. Careful thought and planning will get them there with minimal wasted time and effort. Steps to consider now (if you haven't already) include:
1. Initiate HIPAA compliance planning.
- Assign a specific HIPAA planning officer and appoint members to a planning team.
- With these individuals, review HIPAA requirements as they apply to the facility.
- Brief key executives on HIPAA compliance requirements, compliance planning steps, resources needed (staff and budget) and timetable.
- Determine organizational structure requirements (e.g., use of planning resources across multiple organizations and development of standardized HIPAA procedures for patient consent, patient authorizations and complaint documentation).
2. Evaluate HIPAA compliance risks.
- Review and document all major types of protected health information in the facility, including the information that documents routine care. Evaluate and prioritize solutions to protect data and information that appear to be at risk.
- Review and evaluate electronic and paper records and the operational security procedures needed to protect them.
- Identify HIPAA-related software applications and contact software vendors to obtain their HIPAA compliance plans.
- Identify business associates and (if applicable) Chain of Trust Contracts to which HIPAA standards will apply.
- Identify and contact vendors providing transaction codes and obtain HIPAA compliance plans/assurances from them.
- Prior to adopting "final" new procedures, evaluate recent modifications to HIPAA provisions arising from proposals published in the Federal Register (e.g., the recent HHS proposal to eliminate the need for patient consent for provider use of PHI for patient/resident treatment, payment and operations, which could be finalized as soon as this month).
- Review HIPAA compliance barriers that may be unique to long-term care facilities, e.g.: frequent access to PHI by multiple staff members; significant volume of PHI because of required documentation for pharmacy, therapy, medical treatments, medical notes, etc.; and common use of paper records, which are more difficult to protect.
3. Develop a compliance plan.
- Assign staff to specific responsibilities for major compliance areas, i.e.: staff communication and education; consents, authorizations, notices, etc.; clinical coding, patient care documentation, auditing methods; procedures for complaints, grievances, compliance violations, tracking; transaction codes, contracts, contacts with vendors; physical security of plant and operations; electronic data (computer) security; disaster planning/recovery procedures; and special HIPAA provisions for psychotherapy records.
- Develop a detailed workplan, with assignments, time frames and due dates. Schedule periodic reviews of policies and procedures. Provide briefings to top management and the board.
- Develop a system for documenting all decisions, procedures and policies.
4. Monitor plan results.