Avoiding the ‘Deer in the Headlights Look’ When it Comes to Compliance
Oftentimes, a client asks me why I can’t just make a “simple” HIPAA solution. That is what they really need and want because they are just too busy dealing with all the other obligations in their office and life to take on HIPAA requirements. Unfortunately, there is not a real simple fix for compliance. That leaves many CEs and BAs with, as we call it in the South, the deer in the headlights look.
While I can’t give any of these people a simple solution to HIPAA compliance, I can try to give you a very simple list. No, this isn’t a perfect list and it certainly could contain many more items. The goal here is to define a list that gives a small business owner or practice manager an assessment of what needs to be done to be compliant.
- Officer Training. You can’t just start doing this stuff. You need to get the people in charge trained in some manner first. Trying to do it on your own through books and articles will be very time-consuming, though those resources are freely available. Crash courses can be overwhelming. Figure out what will work for you and get training soon or everything you try to do from this point forward will take longer or have to be completely redone. Look into your options. Some training solutions just take you through the rules and explain what anyone needs to do to be compliant. Others are more personalized for your specific environment and cover not only what you need to do, but also help you figure out how to do it.
- Develop your documentation systems. HIPAA 2.0 compliance is not just about saying you are doing the compliance work but being able to prove it. Document your activity and you are clearly showing you are not neglecting your obligation to comply. Your documentation is how you will be able to tell your compliance story, if anyone asks. It is how you and your staff will know what to do when something comes up out of the ordinary. Most importantly, it will be the reference system when you are trying to recall why you made decisions and set your policies. However, if you just start keeping electronic and printed versions of spreadsheets and documents all over the place on your systems, then you won’t be able to locate them when you need them. You also need to show the history of changes you make along the way. There is so much documentation required that it is imperative you have a system designed to manage it.
- Complete a proper Risk Analysis. Yes, there are many other steps that everyone thinks they need to do first, but if you start here you will be better for it in the long run. Most people want us to just hand them over a bunch of Policies and Procedures and off they will go. The process of a proper Risk Analysis has you think through all your processes at some level. You need to make an inventory and figure out all the things you need to protect. You may even put policies in place as you are going along. Bottom line, if you try to develop Policies and Procedures before doing this you will likely have to do them over again once you do this step.
- Do an overall compliance review. If you don’t end up doing this during your Risk Analysis, do it next. Look at the Privacy Rule and Breach Rule requirements that weren’t addressed already. You need to know where you stand before you actually know what to do.
- Define your Compliance Action plan. This is about defining projects, tasks, follow up, reporting, training, documentation, and reviews that should happen on a regular basis. Failing to plan is planning to fail, as they say. After your first analysis of the situation there will be many projects that need to be completed. You need to know who, what, where, when and how you will get that list done. Also, in order for you to perform the tasks for ongoing compliance and review, you must have a plan for when and how all the ongoing work will be done, monitored, reviewed, and managed.
- Complete your written Policies and Procedures. Most folks use a template of some sort to get started. However, they often overlook what the templates leave for them to fill in. That is the most important part where they define what they are actually going to do to meet the requirements. You have to review each one of the template documents to determine and document what your office will do or not do. If you have written Policies and Procedures in place you should review them to make sure they are appropriate and don’t require changes.
- Implement your plan. At this point you should know where you are and what you need to get done now and in the future. This is where you actually do the compliance work to address your shortcomings and do the things that must be done regularly to create your culture of compliance.
So there you go. Is it a perfect list? No. Is it a general list? Pretty much. The idea is you just loop through this list over and over from now on. The first time through is often frustrating and very time-consuming. Subsequent loops are obviously much easier if you follow the steps each time. Skipping any step won’t help much. You will likely deal with that pain point eventually. Personally, I believe in doing it right but also keeping in mind what is reasonable and appropriate for each environment. The trick is figuring out what that balance really is in each case. No matter what, don’t lose sight of the reason you are doing these things, which is to protect your patients from harm.
ABOUT THE AUTHOR: Donna Grindle, CHPSE has been writing medical practice software as a programmer since 1987. She is currently the owner and president of Karden Technology, which specializes in IT and HIPAA compliance services, working with small healthcare providers and businesses that support them.
story by DONNA GRINDLE, CHPSE