Effective Compliance with HIPAA Requires More Than Initial Training
By:
David S. Barmak, JD
Although your facility may have had a HIPAA Privacy training program, there are a number of reasons you should consider holding both a refresher course for those already trained, and sessions for staff hired after the original training program. Your budget may be tight this year, but money spent on training is assuredly less than the cost of questions raised as a result of the State Department of Health’s survey, which includes compliance with privacy items or a potential investigation if a complaint is made with the Department of Health and Human Services Office of Civil Rights.
If litigation were to arise as a result of a physical injury to a resident in a nursing home or assisted living facility, there is also a potential breach of privacy claim to be made by the resident’s attorney based on how information was handled. In this hypothetical case, the expected baseline of compliance with privacy will be HIPAA rules and regulations. If the facility can’t prove that it met the minimum standards required by the federal HIPAA law, then a jury might find that the facility did not adequately protect the resident’s privacy. The jury will then have to decide if the breach of privacy is compensable. The most effective way to defend a facility would be to have the Privacy Officer get on the stand and say that the facility met the minimum guidelines required by HIPAA and perhaps more. HIPAA requires effective protection of resident privacy. Clearly, that requires on-going training. But if the Privacy Officer can attest to on-going training, updating policies and procedures, using an outside consultant/lawyer to ensure compliance through periodic (even annual) auditing, and monitoring by the staff on a periodic basis (in-between the annual audits), then it would be likely that a jury will, even if it finds there has been a breach of privacy, not find a reckless approach to protecting the resident’s privacy, but a concerted effort to protect privacy and that “mistakes happen.”
Primarily, the HIPAA regulations require effective compliance programs. Effective compliance can only be had by:
- Training new employees
- Retraining employees who have already been trained
- Continually updating policies and procedures
- Monitoring compliance
Litigation Results and Annual Surveys
With litigation underway, the courts are interpreting actual compliance with HIPAA regulations. When these decisions are handed down, my offices will keep you informed of their impact on your compliance procedures. In addition to the changes these decisions may require, the State Department of Health annual surveys are focusing on compliance with HIPAA.
- Are there policies and procedures in place?
- Are staff acting properly and in accordance with policies and procedures?
- Are active and discharged medical records kept in a secure location, and is access to those records monitored?
- Are protected passwords in place to limit access to resident data in your computer system?
- When nurses give medications, is the med-book/computer screen left unattended?
- Are consent forms provided by residents included in the medical record, and are there assurances that they were obtained from properly informed residents or their authorized responsible party/parties?
Response to Requests for Medical Records
Some clients have told me that they do not honor subpoenas from lawyers for medical records. Instead, they insist on an explicit authorization from the resident or a court order. If you have questions as to whether you should respond to a specific subpoena or require a court order, you should consult your legal counsel.
What You May Not Know About Med-Net Healthcare Consulting
Our Comprehensive Services Include:
- Behavioral Healthcare Review Program
- Census Development
- Informal Dispute Resolution (IDR)
- Medical Record Request Review
- Mock Survey
- Focused Mock Survey
- Modified Mock Survey
- Plans of Correction
- Rapid Response Program
- Rehabilitation Management Program
Med-Net Podcasts
Check out our latest podcast series, hosted by healthcare attorney and CEO of Med-Net Concepts, David S. Barmak, BA, JD. This series offers listeners another platform for discussing a variety of topics in the healthcare industry and supports our mission to give long-term care and post-acute healthcare providers the power to stay informed while maximizing rewards and minimizing risks.
Our podcasts will launch each month on our Spotify channel HERE.
