Internal Structural Requirements for HIPAA Compliance

A medical employee was fired in 2017 after she violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by posting about a patient on Facebook. The 24-year-old medical technician commented on a post about a patient killed in a car accident by saying, “Should have worn her seatbelt…” It is imperative that all members of staff understand HIPAA compliance.

A staff member talked with a resident about procedures for medical testing in a waiting room, thereby disclosing Protected Health Information (PHI) to others in the vicinity. The waiting room’s layout also allowed others to see PHI on employee computer screens. After an Office for Civil Rights (OCR) investigation, staff were required to take regular HIPAA training and computer monitors were repositioned.

All skilled nursing facilities must have the necessary internal structures in place in order to comply with the patient data privacy requirements set out in the HIPAA Privacy and Security Rules. It is most often the lack of such structure that results in penalties—or worse—being imposed on facilities, and it is therefore vital that all administrators have a clear idea of what is expected of them in this regard.

The first—and most important—of these internal structures is the appointment of a company privacy officer. This individual must be tasked with the responsibility for day-to-day privacy issues and general oversight and implementation of the privacy program. (It should be noted that in many facilities the compliance officer also serves as the privacy officer, as the requirements are similar.)

The privacy officer is responsible for enacting preventive measures, including education and policy, to ensure that all Protected Health Information (PHI) is kept secure and that any release is limited to the minimum necessary to accomplish the purpose of the use or disclosure. The privacy officer is also directly responsible for the efficient investigation of potential PHI breaches and for ensuring that any breaches are reported to the necessary authorities.

The failure to have one person responsible for these tasks can lead to a situation where none of these tasks are fulfilled—the classic “I thought it was someone else’s job” scenario. In light of the potentially very serious consequences of noncompliance, no facility can afford this.

A privacy officer will also need to be fully up-to-date with all HIPAA compliance regulations, and a facility should not skimp on any training or resources allocated to the officer in this regard.

Another primary task of the privacy officer is to ensure that all staff are aware of the HIPAA compliance regulations as well. This includes not just the obvious (that files cannot be shared or “lost” indiscriminately) but also that discussion of protected health information must not take place in the presence of persons not entitled to that information, whether in public places (elevators, lobbies, cafeterias, off premises, etc.) or on social media sites.

The second vital element of an internal institutional structure is the creation of a privacy committee, whose prime function is to assist the privacy officer with the implementation, coordination, and ongoing support of the privacy program. The committee, along with the privacy officer, is also tasked with overall responsibility for oversight of privacy activities, as well as for managing investigations and corrective action when issues are raised. (The compliance committee may also serve as the privacy committee.)

The privacy committee must meet on an as-needed basis to review any privacy concerns and alleged breaches. It must assess and modify existing policies and procedures to address current governmental enforcement initiatives and specific risk areas, with the intention of incorporating them into the privacy program. The privacy committee must also work with management to develop, review, and approve policies and procedures that promote compliance with the privacy program.

Finally, the privacy committee is responsible for recommending and monitoring, in conjunction with relevant departments, the development of internal systems and controls to carry out the facility’s standards, policies, and procedures as part of its daily operations.

Next: Developing policy and procedures.