The following is a very preliminary and sketchy overview of
some of the steps required to implement the HIPAA privacy regulations. This list
should not be considered complete.
I. Assembly of Privacy Implementation Committee,
appointment of interim Privacy Official, and setting of preliminary goals.
II. Preliminary training of Interim Committee on basics of HIPAA.
III. Comprehensive assessment of all departments to determine:
- which have protected information
- what protected information is present
- how privacy is currently protected
- whether new policies and procedures or information system software would be the most
efficient way to comply.
IV. Identification of implicated HIPAA issues and analysis of
which state or federal laws apply and under what circumstances (on-going).
V. Identification and reconciliation of related
certification requirements (e.g., JCAHO, NCQA, etc.)
VI. Create/update new disclosure policies for disclosures to
non-patients, including:
a. Procedures for accounting for disclosures.
b. Procedures recognizing minimal necessary disclosure principle
VII. Create/update procedures for disclosures to patients, including:
a. Access to any "designated record set," not solely in their medical record;
b. Procedures for amending records;
VIII. Review all authorizations and explore situations in which
authorizations may now be required.
IX. Develop notices of policies reflecting the above.
X. Review contracts and relationships with "business
partners".
XI. Initial and ongoing training for every worker and
practitioner on these new policies and procedures;
XII. Develop insurance strategies to address the new liability
contained in the "third party beneficiary" clause of the business partner.