For most covered entities, HIPAA Privacy Rules' April 14, 2003, enforcement deadline has come and gone with great relief that all measures are in place. Unfortunately many covered entities have a natural tendency to let their guards down when a critical deadline passes. HIPAA Privacy Rules, like most laws, require compliance twenty-four/seven, says Leonard J. Dietzen, an attorney who specializes in HIPAA consulting. Rather than moving on to the next urgent project, Dietzen suggests that now is the perfect time to self audit your organization to see if the time and effort spent on training your workforce has been effective. Far too often middle level management are busy filling their work day with their own numerous job responsibilities. Moreover, in a large multiple-site location there is usually only one Privacy Officer who physically cannot visit each building location to see whether the organization is safeguarding PHI as contemplated by the rules.

Self auditing can help give a covered entity a snapshot of how far it has come toward compliance. In some cases, the self audit can reveal how far the entity needs to progress to close the gap towards compliance. If your organization is large and is located in many locations, try a location-by-location HIPAA fire drill. The Privacy Officer can coordinate these unannounced visits to help insure a realistic view of your entity's compliance. The following should be checked at each location:

  • Review the Notice of Privacy Practices (NPP) procedures utilized by the employees.
  • Insure the NNP is consistent with the headquarters NNP and contains any updates if applicable.
  • Review training files of each member of the workforce. Are there any new employees in critical jobs waiting to be trained? Physical documentation that all members of the workforce have been trained is needed.
  • Review how employees use patients' or customers' Authorizations to disclose PHI to third parties. Are the Authorizations technically correct under the Privacy Rules?
  • Review each location's complaint intake process. Is the intake process too complicated? How long does it take to resolve a complaint and notify complainant? Is there a written record of how each complaint was resolved?
  • Examine the nature of complaints and look for a trend. If a trend exists, a need for targeted retraining is evident.
  • Review employee sanctions. Consistency is the key to avoid employment lawsuits. Again look for trends. Trends indicate a need for targeted retraining.
  • Update inventory of all Business Associates (BA) contracts. Insure that each location is securing legal counsel's advice before signing BA contracts.
  • Update all fax and telephone numbers to healthcare providers, health insurance companies, third party administrators, Business Associates and patients.
  • Inspect your computer work stations for compliance with password policies and correct handling of paper PHI.

With the recent published Federal regulations regarding Civil Monetary Penalties, many experts are correct when they advise that covered entities need to begin to review their compliance with the both the Privacy and Security Rules so that they can prevent costly fines and administrative proceedings associated with them. Self auditing your workforce can give you a clear snapshot of how successful your management team has been in implementing Privacy and Security rules policies. If problems are discovered during the audit, everyone is a winner. Targeted retraining can prevent future real-life violations and help get your organization educated and back on track. The time to act is now.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.