Chapter 9 Discussion Questions
1. Who would you include on a steering committee that is responsible for ongoing HIPAA privacy compliance? Who should lead this committee?
The steering committee should be composed of the privacy officer, the HIPAA security officer, the HIM department, compliance, legal, the IT department, and supervisors from most of the other departments, possibly with someone from the board of directors as well.
I believe the privacy officer should lead the committee, as they should be the person most up to date on the HIPAA rules.
2. What type of ongoing educational activities would you provide for the workforce of your organization to facilitate compliance with the HIPAA privacy rule? Who would be included in these educational activities?
All pertinent aspects of the HIPAA rules should be covered with all employees. Training classes should be held for every new employee, and existing employees should be retrained periodically to make sure they still understand the HIPAA rules and any new requirements.
I would have a PowerPoint presentation that covered each department's requirements, with a quiz at the end to make sure the employee understood what they learned. Completing it would be a mandatory job requirement. Proof of the training, in the form of the employee's signature, would be best to have in order to document compliance.
3. How would you ensure that you have identified all of your organization's current business associates and developed business associate agreements with them?
I would have the IT department build a software program that compiled a list of each and every current business associate, together with a copy of the signed business associate agreement covering the HIPAA rules. Any missing documentation would then be obtained immediately, before any further business was transacted. Safeguards would also need to be put in place so that no new business associate could begin doing business with us without an agreement already signed.
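As an added example of the kind of check such a program would run (not code from the original answer or from any real system), the following Python classifies each vendor by whether it handles PHI and whether a signed, unexpired business associate agreement is on file, and gates transactions on that status. The vendor records, field names and status labels are this example's own assumptions, constructed for illustration.

```python
"""Business-associate inventory check (added example).

A vendor that handles PHI must have a signed BAA on file; a missing or expired
agreement blocks further transactions until it is obtained. The sample vendor
list below is constructed data, and the record fields are assumptions of this
example, not any organisation's real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass
class Vendor:
    name: str
    handles_phi: bool                    # does the vendor create, receive or store PHI?
    baa_signed: Optional[date] = None    # date the BAA was executed; None = no BAA on file
    baa_expires: Optional[date] = None   # None = agreement has no expiry clause


def baa_status(v: Vendor, today: date) -> str:
    """Return 'not_required', 'ok', 'missing' or 'expired' for one vendor."""
    if not v.handles_phi:
        return "not_required"            # no PHI, so no BAA is needed
    if v.baa_signed is None:
        return "missing"                 # PHI vendor with no agreement at all
    if v.baa_expires is not None and v.baa_expires < today:
        return "expired"                 # agreement lapsed; treat like missing
    return "ok"


def may_transact(v: Vendor, today: date) -> bool:
    """Gate used before onboarding, paying or sending data to a vendor."""
    return baa_status(v, today) in ("ok", "not_required")


def vendors_needing_action(vendors: Iterable[Vendor], today: date) -> List[str]:
    """Names of PHI vendors whose BAA is missing or expired, for the compliance team."""
    return sorted(v.name for v in vendors
                  if baa_status(v, today) in ("missing", "expired"))


def renewals_due(vendors: Iterable[Vendor], today: date, days: int = 90) -> List[str]:
    """Names of vendors whose BAA expires within `days` days, to avoid a lapse."""
    horizon = today + timedelta(days=days)
    return sorted(v.name for v in vendors
                  if baa_status(v, today) == "ok"
                  and v.baa_expires is not None
                  and v.baa_expires <= horizon)


# Constructed sample inventory (not real vendors).
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Transcription Co", True, date(2023, 1, 15), date(2025, 1, 15)),
    Vendor("Cloud Backup LLC", True, date(2021, 3, 1), date(2024, 3, 1)),   # expired
    Vendor("Coding Contractors", True),                                      # no BAA
    Vendor("Landscaping Inc", False),                                        # no PHI
    Vendor("Billing Service", True, date(2023, 8, 1), date(2024, 8, 1)),    # renew soon
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:20} {baa_status(v, TODAY):12} transact={may_transact(v, TODAY)}")
    print("action needed:", vendors_needing_action(SAMPLE_VENDORS, TODAY))
    print("renew within 90 days:", renewals_due(SAMPLE_VENDORS, TODAY))
```

The gate (`may_transact`) is the piece that enforces the "no agreement, no business" safeguard; the renewal report is what keeps an existing agreement from silently lapsing into the expired state.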
4. As the privacy officer for a covered entity, you are aware that protected health information has been accessed by an unauthorized individual. What type of analysis will you conduct to determine whether it constitutes a "breach" under HIPAA?
I would need to find out whether the information was disclosed to an unauthorized person who would not reasonably have been able to retain it; whether it was unintentionally acquired, accessed or used in good faith, within the person's scope of authority, and not further used or disclosed improperly; or whether it was an inadvertent disclosure from a person authorized at the CE or BA to another person authorized at the same CE or BA.
If none of those exceptions applies, the incident falls under the HIPAA rule that "an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability the PHI has been compromised."
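The analysis above can be written down as a decision procedure, which is useful in an incident-response playbook so that every case is walked through the same steps and the reason for the outcome is recorded. The following Python is an added example, not part of the original answer: it checks whether the PHI was unsecured, then the three exceptions, then the documented four-factor risk assessment. The `Incident` fields, the `RiskAssessment` record and the outcome strings are this example's own assumptions, and the sample incidents are constructed.

```python
"""Breach-determination decision procedure (added example).

Order of checks: (1) secured PHI (encrypted or destroyed per HHS guidance) is
outside the breach rule; (2) the three exceptions, two of which also require
that the PHI was not further used or disclosed; (3) otherwise the incident is
presumed a breach unless a documented four-factor risk assessment concludes a
low probability of compromise. Field names and outcome labels are assumptions
of this example, not regulatory terms.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskAssessment:
    """The four factors a CE/BA must consider, plus the documented conclusion."""
    nature_and_extent_of_phi: str        # e.g. identifiers, sensitivity, re-identification risk
    unauthorized_person: str             # who received or used the PHI
    actually_acquired_or_viewed: bool
    extent_of_mitigation: str            # e.g. assurances obtained, data returned
    low_probability_of_compromise: bool  # the conclusion the entity is prepared to defend


@dataclass
class Incident:
    phi_secured: bool                          # encrypted/destroyed per HHS guidance
    unintentional_good_faith: bool             # workforce member, good faith, within authority
    inadvertent_between_authorized: bool       # both persons authorized at the same CE/BA
    recipient_could_not_retain: bool           # good-faith belief the recipient could not retain it
    further_used_or_disclosed: bool            # PHI went on to an impermissible use/disclosure
    risk_assessment: Optional[RiskAssessment] = None   # None = not performed or not documented


def determine(i: Incident) -> str:
    """Return one outcome label for the incident."""
    if i.phi_secured:
        return "not_unsecured_phi"          # breach-notification rule does not apply
    if not i.further_used_or_disclosed and (
        i.unintentional_good_faith or i.inadvertent_between_authorized
    ):
        return "exception"                  # exception (i) or (ii)
    if i.recipient_could_not_retain:
        return "exception"                  # exception (iii)
    if i.risk_assessment is not None and i.risk_assessment.low_probability_of_compromise:
        return "not_breach_low_probability" # presumption rebutted and documented
    return "breach"                         # presumed breach; notification required


def notification_required(i: Incident) -> bool:
    return determine(i) == "breach"


# Constructed sample incidents (not real cases).
MISDIRECTED_FAX_RETRIEVED = Incident(
    phi_secured=False, unintentional_good_faith=False,
    inadvertent_between_authorized=False, recipient_could_not_retain=True,
    further_used_or_disclosed=False)

WRONG_CHART_OPENED_BY_NURSE = Incident(
    phi_secured=False, unintentional_good_faith=True,
    inadvertent_between_authorized=False, recipient_could_not_retain=False,
    further_used_or_disclosed=False)

LOST_ENCRYPTED_LAPTOP = Incident(
    phi_secured=True, unintentional_good_faith=False,
    inadvertent_between_authorized=False, recipient_could_not_retain=False,
    further_used_or_disclosed=False)

LOST_UNENCRYPTED_USB = Incident(
    phi_secured=False, unintentional_good_faith=False,
    inadvertent_between_authorized=False, recipient_could_not_retain=False,
    further_used_or_disclosed=False)   # no risk assessment documented yet

if __name__ == "__main__":
    for name, inc in [("misdirected fax", MISDIRECTED_FAX_RETRIEVED),
                      ("wrong chart", WRONG_CHART_OPENED_BY_NURSE),
                      ("encrypted laptop", LOST_ENCRYPTED_LAPTOP),
                      ("unencrypted USB", LOST_UNENCRYPTED_USB)]:
        print(f"{name:18} -> {determine(inc)}")
```

Note that an undocumented assessment counts for nothing: `risk_assessment=None` leaves the presumption of breach in place, which mirrors the burden the rule places on the covered entity or business associate.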
5. Do you believe that the twelve "public interest and benefit" exceptions to the authorization requirement are warranted? Do you believe that any of these exceptions should require the patient's authorization under the HIPAA Privacy Rule?
Most of the exceptions have merit and are even necessary. They are not unreasonable, and some are there to ensure the safety of people who cannot take care of themselves.
I do, though, object to number 11. The wording is too broad, and specific instances should be addressed. What exactly is "protection of others" and "public benefits"? I would not want any government official someday having the power to single out a certain group of people for any reason. I think if something like this were needed, the public should be informed and authorization should somehow have to be given. Maybe I have watched too many sci-fi movies.
Chapter 10 Discussion Questions
1. Why is knowledge of the HIPAA Security Rule important for HIM professionals?
HIM professionals should have a thorough understanding of the HIPAA rules and regulations. They should be well educated in the field of Health Information Management. They must be able to effectively plan and implement a program that keeps the organization in compliance, to avoid monetary, regulatory and criminal penalties.
2. List examples of how an organization can be in compliance with the addressable security standards.
Under the workforce security standard, an organization can implement authorization and supervision procedures along with workforce clearance and termination procedures. Security awareness training is another example of a way to be in compliance: the organization can have security reminders, protection from malicious software, monitoring of log-in attempts, and password management in place.
3. What are the essential parts of a successful HIPAA Security Compliance Program?
It is essential to treat it as an ongoing program built on a risk analysis of the business. First assess the current security posture, risks and gaps. Then develop a plan; find, implement and document solutions; and reassess the plan regularly. This is to ensure the organization stays in compliance with constantly changing rules.
4. What policies and procedures are necessary for compliance with the HIPAA Security Rule?
The policies and procedures for compliance are outlined in "Information Security: A Checklist for Healthcare Professionals," published by AHIMA. It is a tool that can be used when developing a security compliance program. I read through the checklist and it really does cover every situation I could think of, along with ones that I never would have thought could be a security issue. I never realized that all workers, even volunteers, should sign confidentiality agreements.
5. Outline the general requirements of the security rule.
The security rule has five key components:
1) General Requirements, four actions that must be taken: ensure the confidentiality, integrity and availability of all ePHI the entity creates, receives, maintains or transmits; protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI; protect against any reasonably anticipated uses or disclosures not permitted or required; and ensure compliance by ALL of the workforce.
2) Flexibility of Approach: four factors an organization may take into account when choosing security measures: its size, complexity and capabilities; its technical infrastructure and hardware/software security capabilities; the cost of the security measures; and the probability and criticality of potential risks to ePHI.
3) Standards: standards that all organizations, regardless of size, must comply with. They are divided into five categories: administrative safeguards; physical safeguards; technical safeguards; organizational requirements; and policies, procedures and documentation requirements.
4) Implementation Specifications, which give instructions for how a standard is to be implemented. Required specifications must be implemented as written. For an addressable specification the organization either implements the specification as written, implements an equivalent alternative measure, or documents why the risk the specification addresses either does not exist in the organization or exists with a negligible probability of occurrence.
5) Maintenance: the required ongoing review of the security measures. The reasonableness and appropriateness of the security measures must be reviewed, modified and updated as needed.
APPLICATION EXERCISES chapter 10
Catholic Healthcare has hired Ron to review the security policies and procedures related to employee selection and termination. Ron has been instructed to meet with the HIM director and determine where the HIM department may have additional requirements for its remote coding staff.
1. For which of the administrative safeguards should Ron expect to see policies or procedures relating to the HIM Department? He would find policies and procedures under workforce security, information access management, security awareness and training, security incident procedures, the contingency plan, and business associate contracts.
2. Which of the physical safeguards apply to the remote coders?
The facility security plan requires protection from unauthorized physical access, tampering and theft. Ron needs to make sure the proper policies and procedures are in place to protect the coders' equipment in their remote locations.
Access control and validation procedures need to be addressed so that only the coder has access to the workstation and the information on it.
3. Which of the technical safeguards may apply to the remote coders? Access control, including unique user identification, automatic logoff, and encryption and decryption of the information being sent remotely, applies. Audit controls, integrity controls, and person or entity authentication, along with transmission security, also apply to the remote coders.
4. What other risks should the HIM director address?
The three main risk areas are access, storage and transmission. A risk analysis should be performed to find the areas that are not in compliance and need to be addressed. Two-factor authentication should be implemented so that a password alone does not grant access. Session termination can be set up for inactive devices. Firewalls and antivirus software should be required, and protection and tracking for lost devices need to be in place.
Backup of information should be automatic, and downloading of information should be prevented unless justified. All remote coders need to be thoroughly trained.
Transmitted data needs to be protected from interception and modification, so secure networks and encryption, along with antivirus protection, should be used.