If the HIPAA Privacy Rule applies to you, you need
to construct a HIPAA compliance plan. You can then bring yourself
into compliance based on that plan. The firm is available to help
you do this. For a complimentary consultation, email the firm at
info@jkhipa.com or call Kazu
Sano at (415) 773-2861.
Three basic premises should be kept in mind in constructing
any HIPAA compliance plan.
- HIPAA compliance should not be treated
  as a one-time fix. It requires the adoption of policies and
  procedures that you can live with on an ongoing basis.
- In light of the fast-approaching
  compliance deadline, rapid compliance should be the primary
  goal. This means that you should find technological HIPAA solutions
  within your current information technology capabilities. Once
  you become compliant, you can consider any subsequent transformations
  of your system capabilities in line with, and on the timetable
  already set forth in, your strategic plan.
- You should change your policies and
  procedures to the least extent possible consistent with complying
  with HIPAA to ease your ability to comply going forward.
A standard HIPAA compliance plan involves (1) compiling
an assessment of your current policies and procedures; (2) comparing
those policies and procedures with the relevant HIPAA standards
to find the gaps; and (3) developing an action plan to correct any
deficiencies. This process might take a 200- to 300-bed hospital
from eight to ten weeks.
(1) Assessment of Current Policies and Procedures
- You should focus mainly on your business
  office, information technology functions, and clinical operations.
- Your review should consist of (1)
  a review of your current policies and procedures manual, if any,
  and (2) a discussion with your personnel to determine the real-world
  policies and procedures with respect to security and privacy
  of protected health information.
- Your goal should be to document your
  current official and unofficial policies and procedures.
(2) Gap Analysis
- You should compare the results of
  your assessment with the relevant HIPAA standards to determine
  your current level of compliance and to determine the effect
  of HIPAA on those policies and procedures.
- You should identify alternative solutions
  to HIPAA compliance, assess the risk presented by each current policy
  or procedure, model the potential impact of each solution on
  the workings of your personnel, and create a preliminary cost
  assessment of each proposed solution.
(3) Develop Action Plan
- You should review your gap analysis
  and then approve a particular remediation plan, discuss and
  develop individual projects, time frames, and budgets, and designate
  particular individuals to be responsible for overseeing those
  activities.