HIM departments made great strides in 2012 toward stronger patient privacy and information security on behalf of their organizations; however, now is not the time to rest on our laurels. Like much in healthcare, change is HIM's constant. And 2013 is guaranteed to bring a lot of it.
Change propels you to constantly reassess processes, policies, and procedures. This continuous improvement focus is a hallmark of all top-performing organizations. HIM professionals who keep a vigilant eye toward the future are much better prepared when that future actually arrives.
This month's column prepares HIM professionals for what lies ahead while also ensuring today's processes, policies, and procedures are compliant and continuously improved.
Revised Rules Expand Our View
In 2013, HIM professionals should expect to see release of final rules for designated record set (DRS) definitions, accounting of disclosures, and access logs. Given the extent of proposed changes, HIM professionals must be prepared up front.
Expanding HIM's current sphere of influence over privacy and security compliance is the best place to start. Take an enterprise-wide view of privacy and security throughout the coming months and year.
Furthermore, HIM's role in data governance, data definitions, and data mapping are all areas for stronger HIM leadership. This column will continually inform HIM professionals regarding new roles and responsibilities as proposed rules are finalized and released. And once released, it will help your organization comply.
Meeting the Letter of the Law
Compliance with HIPAA regulations is a long-standing responsibility embraced by all HIM professionals. Expansion of this responsibility throughout the organization is critical.
Now is the time to assess and evaluate enterprise-wide compliance; ensure all HIPAA policies and procedures meet the "letter of the law." One area for continual improvement is breach reporting.
Information breaches received much attention in 2012. Massive breaches are posted regularly on the CMS "wall of shame." And while massive breaches are most commonly due to lapses in security controls, many minor breaches lie within HIM's realm of control. Here are a few important reminders:
• Breaches will occur. Be prepared.
• Maintain focus on data integrity, ensuring records are clean and accurate.
• Err in the direction of over-reporting to reduce risk of fines and penalty.
• Annually review and update breach incident response plans.
Business Associates and HIM
Now is an ideal time to tighten up BA agreements, especially in HIM where massive amounts of PHI exchange hands. Here are few points to consider and include in 2013 BA agreements:
• BAs will experience breaches and issues. These must also be reported.
• BAs must report a suspect breach in a timely manner.
• Incident response plans must include expectations and timelines for BAs to report and finalize a breach.
• Audit BAs to mitigate risk and ensure good intent with regard to breach disclosure reporting.
While basic federal guidelines for breach reporting are 60 days, many states and hospitals have established stricter guidelines; therefore, HIM professionals should ensure that BAs are reporting, meeting timetables, and complying with all CE policies and procedures. Your BAs must accommodate your specific needs and requirements.
Looking Back - Working Ahead
HIM departments did well in 2012 with regard to HIPAA privacy and security. The profession advanced and earned enterprise-wide respect; however, there is still much work to be done.
We look forward to helping all HIM professionals carefully navigate new HIPAA landmines and finalized rules in the coming months.
Rita Bowen is senior vice president of HIM and privacy officer at HealthPort. She can be reached at firstname.lastname@example.org.