Over the last several weeks we have discussed a wide variety of things you need to do to maintain the privacy of Protected Health Information (“PHI”) and be HIPAA compliant. Today we will discuss how to combine all of those individual parts into one complete program. It all begins with the security officer and privacy officer roles.
One person can serve both roles, or a different person can be selected for each. These individuals will be tasked with the day-to-day implementation and leadership of protecting the PHI within your organization. They will be the ones who receive and investigate complaints, develop and implement new safeguards, and ensure everything is documented accordingly. They need not have a specific background or certification, but because your safeguards must protect all of the PHI within your organization, they should have a significant understanding of the entire operation. Having the security officer and privacy officer roles filled is a critical step in creating a complete and ongoing compliance program.
Also important in that goal is establishing a periodic schedule in which safeguards are evaluated to determine if they are still effective in protecting the PHI.
Typically, this is completed through a review of your policies, procedures, plans, and documentation of log review. This review is two-fold. First, it allows you an opportunity to review the safeguards in place and make a quick determination of whether they are effective. It also serves as an opportunity for you to ensure that your documentation is all up to date. As we have discussed previously, you need to ensure that your policies and procedures are an accurate reflection of the security and privacy program you have in place. This is a review you want to conduct periodically; at least annually, but for more critical aspects of your organization, you will likely want a more frequent review.
Creating and implementing a HIPAA compliance program that maintains the privacy of PHI is not as hard as it may seem.
It takes an investment of time and certain resources, but with dedication, it can be done. The keys to establishing a complete program rest on establishing security and privacy officers and a consistent review of your safeguards. With these steps, you will be well on your way to creating an ongoing compliance program rather than a one-time project.