
Chapter 3: A Blueprint for Compliance with the Privacy Rule Copyright © 2011 Wolters Kluwer Health | Lippincott Williams & Wilkins

Where Do You Start?
• Gap Analysis – Identify where you need to be, where you are now, analyze the gap, and ZAP the gaps!
• Vendor Compliance Checklist – List all vendors and their access to PHI to determine what you need to do
• Training Checklist – Keep a list of all staff trained and the topics covered

Policies to Create
• Privacy Officer Policy – Be sure you have a privacy officer named and list their duties and responsibilities
• Policy for the Use of PHI – How will PHI be used in the organization?
• Policy for the Use of PHI in QA and Education – It is okay to use PHI here, just protect it.
• Training Policy – Must be done initially and when policies change

Policies (cont’d)
• Computer Security Policy – How will your computers be secured to protect PHI?
• Confidentiality Agreements – Everyone must sign a confidentiality agreement
• Work Area Arrangements
  – Work area policies for offices
  – Work area policies for home workers
• Access Policy for Digital Dictation Systems – Who can access this, and how will you protect the information during access?

Policies (cont’d)
• Policy for the Use of Hard Copy PHI – Be sure that hard copy PHI is shredded when you are done using it
• Policy for Use of the Fax Machine – Be sure you have a privacy notice on all fax cover sheets
• E-Mail Policy – When used, e-mail should be encrypted for ultimate protection

Policies (cont’d)
• Disaster Recovery Policy – How will you continue to provide both access and protection during a disaster, and how will the data be recovered?
• Policy for Offsite Workers – What special considerations need to be covered if you have offsite workers?
• Termination Policy – Be sure access is removed when someone is terminated.

Policies (cont’d)
• Breaches and Sanctions Policies
  – How will breaches be reported?
  – What sanctions will be used when someone breaches PHI?
• Complaint Policy – If someone has a complaint, who do they contact and what is the procedure for addressing it?
• Vendor Policy – What will you require of your vendors to protect the PHI they access in providing services?

Policies for Business Associates
• Business Associate Contract
  – Agreement to protect the PHI
  – A statement that says they comply with the laws as if they were a covered entity
  – Outlines how breaches will be handled
  – Assures that their subcontractors will also protect the PHI

What about Using Offshore Labor?
• Offshore labor is not prohibited by the rule
• Obtain assurances that the offshore worker is capable of protecting the information
• Require full disclosure about where the work is done
• Offshore labor is a decision entities need to make for themselves; just make it a well-informed decision!

Indemnification
• Protection in case of a breach of information
• Will you require it of your business associates?
• Will your business associates require it of you?

Always Remember the Goal: It is about protecting the patient’s information in all circumstances.