Make HIPAA Compliance a Top Priority

Avoid these missteps in your ASC

BY CRISTINA BENTIN

Despite extensive media coverage regarding the Department of Health and Human Services Office of Civil Rights (OCR) Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance audits and penalties, HIPAA compliance programs still are not given top billing in some ASCs. With OCR compliance audits in full force, it is imperative that detailed HIPAA compliance programs are established, implemented and maintained. ASC leaders can take steps to avoid some rudimentary compliance concerns that could arise in their facilities.

Retail HIPAA compliance kits/manuals. Err on the side of caution when purchasing generic HIPAA compliance packages or kits that promote automatic compliance upon purchase, with the only effort needed being applying your facility logo to an assortment of canned policies and procedures (P&P). A facility must have a HIPAA compliance program tailored to its operational needs and structure. A program established for a small group physician office or an 800-bed inpatient hospital will not meet your ASC’s needs. Your facility must tailor its policies, procedures and forms to its specific daily operations.

HIPAA compliance program is not maintained. With the purchase of a car or other vehicle comes an understanding that the vehicle must be maintained by both routine oil changes and other servicing. The same applies with regard to a compliance program. It is not enough to develop a HIPAA compliance program and call it a day. Many facilities “shelve” their policies and procedures once drafted, falsely believing that having a hard copy manual or electronic copy ensures compliance. Establishing a compliance program means maintenance of the program since the slightest change in a process that involves protected health information (PHI) might warrant a modification to a policy or procedure. In addition, your facility is now accountable to prove that it is enforcing each and every policy and procedure should it find itself involved in a HIPAA audit. If there are policies that are no longer applicable, then the policy should be retired as long as not having the policy does not put your facility at risk according to the Privacy and Security Rules. When in doubt, consult with your facility’s legal counsel.

No risk assessment protocol. Change is a certainty for most ASCs whether it is change in personnel—new hires or revised job roles—access modifications (changes in authorized access to accounting or billing systems due to change in personnel), processes, business environment or technology. Any of these areas can potentially wreak havoc on a facility’s security leaving it vulnerable to threats. A risk analysis or assessment will determine whether additional security measures are indicated as well as provide specifics regarding the risks to the confidentiality, integrity and accessibility of PHI. According to the Office of Civil Rights (OCR), “. . . The Security Management Process standard in the Security Rule requires organizations to ‘[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.’ (45 C.F.R. § 164.308(a)(1)(ii)(A).” Risk analysis is one of four required implementation specifications that provide instructions

The advice and opinions expressed in this column are those of the author and do not represent official Ambulatory Surgery Center Association policy or opinion.
