Best Practices Process

Best Practices Selection Criteria:
HIPAA Implementation (Draft)

SUMMARY:
As various date-effective milestones have passed in the HIPAA Privacy, Administrative Simplification and Security Regulations, we wonder how reality compares with prognostication.  Implementation of these regulations is important both for demonstrating compliance with substantial federal requirements (which carry financial penalties) and for enhancing industry safeguards for the confidential information obtained and used in the patient care process.  The regulations called for the improvement and development of several rigorous systems that may not have existed before.  This best practice recognition will identify candidates that have implemented, operationalized and evaluated one or more such systems.

DEFINITION:
Policies and procedures, communication and training, and implementation are all elements of a successful response to the many and varied HIPAA requirements.  Some examples of elements we wish to learn about are:

  • Implementation and tracking of Privacy Disclosure Notifications
  • Implementation and tracking of Disclosures not Requiring Authorization
  • Breach reporting, investigation and outcomes
  • Disciplinary criteria, application and monitoring

ACHIEVEMENT TO WARRANT FINDING OF BEST PRACTICE: 
In evaluating whether a program has achieved a “Best Practice” in this element, look for the evidence meeting the following criteria:

1. Policies and procedures:

Written policies should be in place that establish at a minimum:
  • Acceptable practices relative to the use and disclosure of personal health information
  • Definitions that are specific as to scope and responsibility
  • Mechanisms in place to achieve acceptable practice
  • Identification of responsible parties

2. Documentation

  • Training and communication materials
  • Record keeping documenting completion by affected staff
  • Evaluation of training effectiveness

3. Role of the Compliance Officer

  • Audit and monitoring activities
  • Reporting structures and activities to management
  • Sanctions and disciplinary processes associated with HIPAA violations
  • Whether the organization has identified a Privacy/Security Officer, and what the relationship is to the Compliance function

4. The HIPAA Security Regulations require a covered entity to implement security measures and solutions that are reasonable and appropriate for the organization.  We would be interested in learning of best practices related to the administrative, physical and technical safeguards outlined in the Security Regulations, such as:

  • Risk analysis
  • Unique security awareness and training techniques
  • Access control and validation procedures
  • Device and media controls
  • Emergency access procedures
  • Audit controls and review of audit reports: what kind of data is being gathered, and how often audit reports are being reviewed