HIPAA update for LTC facilities. (Computer Quarterly Update).
Wednesday, May 1 2002
Although you have heard about delays in federal implementation of the Health Insurance Portability and Accountability Act (HIPAA), most of the more important provisions are now scheduled for implementation in 2003. (That is, the Privacy Standards must be implemented by April 14, 2003, and the Transaction and Code Sets provision must be implemented by October 16, 2003, so long as the facility provides a compliance plan to HHS by October 2002.)
A significant number of providers continue to believe that HIPAA compliance in long-term care requires only modest or even minimal change that can be accomplished shortly before the compliance deadlines. This view is inaccurate; in fact, there are numerous HIPAA risk areas for long-term care, including:
* Access and control of medical charts, medical records and Minimum Data Set information (including electronic data)
* Access to and control of protected health information (PHI) at nursing stations, in offices and on resident floors
* Security of storage areas where resident files are kept
* Security of printers, fax machines and computers in offices and elsewhere
* Security of offices themselves, including offices occupied (or partially occupied) by non-facility-controlled staff
* Security of admission information
With proper planning, most long-term care providers can comply with HIPAA requirements in a timely fashion. Careful thought and planning will get them there with minimal wasted time and effort. Steps to consider now (if you haven't already) include:
1. Initiate HIPAA compliance planning.
* Assign a specific HIPAA planning officer and appoint members to a planning team.
* With these individuals, review HIPAA requirements as they apply to the facility.
* Brief key executives on HIPAA compliance requirements, compliance planning steps, resources needed (staff and budget) and timetable.
* Determine organizational structure requirements (e.g., use of planning resources across multiple organizations and development of standardized HIPAA procedures for patient consent, patient authorizations and complaint documentation).
2. Evaluate HIPAA compliance risks.
* Review and document all major types of protected health information in the facility, including information that documents routine care. Evaluate and prioritize solutions to protect data and information that appear to be at risk.


