Guest Article
(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)
Summary: Auditing for compliance with HIPAA's privacy rules needs to continue even after the April 14 compliance deadline, according to experts who spoke at a recent conference. They described a HIPAA privacy audit performed at a health plan and the plan's process for complying with the privacy rules.
The process of conducting internal audits and gap analyses to assess compliance with HIPAA's privacy rules needs to continue even in the wake of the April 14 compliance deadline, according to experts who spoke at a recent conference.
Gap analysis "is still an onion" with many layers, and "it's a process you're still going to use in auditing and maintenance," said Lesley Berkeyheiser, a principal with The Clayton Group. "Go back to those places you knew were trouble spots and test the process."
Berkeyheiser and Linda Belcher, privacy officer for Neighborhood Health Partnership (NHP), a Miami-based health plan, described a HIPAA privacy audit performed at NHP and the plan's process for complying with the privacy rules.
"When we first did the gap analysis we found we were nine percent compliant," partially due to confusion over questions such as what constituted a privacy policy, Belcher said. "Our CEO was very concerned," and appointed Belcher as privacy officer in June 2002 to organize NHP's compliance efforts. "We went from the senior management team to the whole management team," from which a privacy team was selected, she said.
The privacy team, in turn, was broken down into sub-teams responsible for separate provisions of the rules, Belcher said. However, it turned out that the teams could not function concurrently because "the same five or six people were on all of these teams," she said. Therefore, the rules had to be addressed one provision at a time, beginning with the privacy notice.
In inventorying its uses and disclosures of protected health information (PHI), NHP found that "generally we were pretty careful with people's information," Belcher said. "We just couldn't prove it to you."
To prepare for a possible influx, starting April 14, of members calling about their HIPAA rights, NHP named one of its top customer service representatives the "privacy professional" to whom difficult privacy questions could be referred, Belcher said. As a result, "on Day One I didn't have to hope everybody remembered" the details of HIPAA's privacy rules, she said.
Audit Focused on Documentation
Clayton's audit of NHP emphasized the plan's documentation, including policies and procedures, without many on-site visits, Berkeyheiser said. "I was also very interested in overall communication and consistency" across the organization, she said.
First, Berkeyheiser interviewed staff from NHP's compliance, customer service and legal departments to determine whether "everyone is up to the same level of understanding on HIPAA." She was impressed with the detailed notes from the sub-team meetings, the detailed PHI use and disclosure inventory and Belcher's spreadsheet indicating who was responsible for which HIPAA provision.
Even if a privacy procedure has not yet been documented, "if you know it's been done, put it in some kind of written format," Belcher suggested.
Compiling a list of business associates was particularly challenging, Belcher said. The business associate sub-team kept coming up with additional ones, so Belcher finally just got a list of check recipients from accounts payable. The team then prepared a spreadsheet of vendors that indicated whether they were under contract and whether they were given PHI.
"There would be certain vendors nobody claimed," including a headhunter (not a business associate) whom Belcher herself had hired as head of human resources. In all, "it was a really good exercise" from an accounting as well as a privacy compliance standpoint, she said. "We tried to make it as beneficial to as many people as possible."
Secret Shopper
To test NHP's handling of outside inquiries, Berkeyheiser conducted anonymous "secret shopper" calls. "Verification of identity is one of the key things I'm seeing the whole industry have trouble with," she said.
Posing as a member, Berkeyheiser found that the member call center was careful to verify her identity and well prepared to answer her HIPAA questions. Calling utilization review as a physician's assistant, she found that office less prepared but still reluctant to disclose PHI. When she posed as a broker, however, her identity was not verified.
"She caught us on this," Belcher said. Now all NHP staff, including those who communicate with brokers and providers, verify at least two pieces of information, or up to four if the caller hesitates, she said.
"I think what's important is that everyone has the same procedure to follow and has documented it," Berkeyheiser said. One useful resource is a memorandum issued by the Centers for Medicare and Medicaid Services (CMS) regarding their own customer service procedures, she said.
Amendment, Accounting
CMS also has issued a memo on handling requests to amend PHI, Berkeyheiser added. Unless customers specify that they are exercising their HIPAA right to amend, health plans apparently may assume that they are simply inquiring about their bill or explanation of benefits in the normal course of business, she said.
Accounting of PHI disclosures is an area that NHP is having to revisit "now that we're starting to turn our focus to that maintenance mode," Belcher said. "Off the top of my head there were very few disclosures we have to track," because the rules simply specify what need not be tracked, but a comprehensive list of disclosures will be more useful, she said.
Health plans also should include, in contracts with business associates, a requirement that the business associate inform the plan when it makes a disclosure subject to accounting, so the plan can track these disclosures as well, Berkeyheiser said. It also is important to ensure that disclosures and other relevant data from business associates will be on hand six years from now, even if the relationship with the business associate has ended, Belcher added.
Belcher and Berkeyheiser spoke May 20 at the Workgroup for Electronic Data Interchange annual conference in Arlington, Va.
Reprinted with permission from the June 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.
BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.