Negley, Ott & Associates offers... Privacy Program Development Service for HIPAA Compliance & Operational Process Improvement
At NOA, we take seriously the need for our staff to become experts on issues that affect our clients. That is one reason we have become involved in HIPAA initiatives at both the state and national level. Our consultants have participated on various boards, such as the SHARP Steering Committee, which is a 16-state national initiative for HIPAA compliance at the regional level. To understand more about SHARP, click here for a short presentation.
Also, please review our speaking engagements regarding HIPAA on our NEWS page or read our publications on HIPAA and privacy on our PUBLICATIONS page.
HIPAA regulations represent a significant challenge to most health care providers, especially those who have already gone through the transition to a computerized patient record (CPR) system.
The use of automated clinical care systems may have advanced the care delivery process, but it has also introduced opportunities for procedural privacy breaches. This is true unless the CPR is implemented with process changes within the organization designed to leverage the automation tools for augmenting sound privacy practices. In response to this as well as federal regulations, Negley, Ott & Associates, Inc. (NOA) has developed a simplified, grass roots methodology to help streamline the process of improving an organization's HIPAA compliance and related operational privacy practices.
Our methodology is simple and direct in order to expedite the process of improving an organization's state of readiness. There are five (5) modules designed to augment each other towards a compliance status. Each of the five may be purchased separately for specific focus area development, or they may be purchased in total for a comprehensive approach to privacy-related performance improvements.
I. Operational Assessment and Audit
The operational assessment and audit consists of a physical inspection and observation of actual business and clinical practices within the operational areas of an organization. Many healthcare providers have appropriate written policies and procedures, but may not actually follow them from an operational perspective. Our assessment is conducted as an audit in which we document observations, which are then categorized into one of the following three areas:
Verbal information management practices
Document management and security practices
Electronic record management practices
The deliverable from this assessment is a report of findings with specific recommendations for improved process and compliance. Our recommendations encompass both HIPAA specific items as well as non-HIPAA related operational improvements for privacy practices. As part of NOA's standard assessment process, digital photographs are made of observations where appropriate in order to include visual indicators within the report of findings.
II. Leadership Assessment
The leadership assessment consists of two activities designed to gather information regarding the organization's knowledge about HIPAA privacy requirements as well as the existing policies and procedures of the organization. Collection and assessment activities are conducted in the following two ways:
A paper based survey questionnaire is administered to all leadership personnel within the organization. The survey focuses only on HIPAA related privacy requirements and serves as a means to measure how knowledgeable leaders are about the regulations. A secondary benefit of the survey is to serve as a passive learning tool to those surveyed by forcing them to think through the issues being raised.
Group and individual interviews are held with key personnel within the organization who are most involved with information management processes. The interviews parallel the scope of questions covered in the leadership survey in order to ensure a consistent assessment of the organization.
The deliverable from this assessment is a report of findings with recommendations regarding policy and procedure developments required plus training and education needs of leadership within the organization. This is based on quantified scoring derived from the leadership surveys plus documented findings from the interviews with key personnel.
III. Documents and Database Assessment
The documents and database assessment consists of two evaluations. First, the organization's policies and procedures regarding information management and privacy matters are reviewed. This focuses on issues involving access and release of information regarding HIPAA compliance as well as sound business practices. In addition, the existing computer system within the organization is also evaluated with regard to how the databases and applications are used and designed for maximizing effective privacy and security practices.
The deliverable from this assessment is a report of findings with recommendations regarding revision and expansion of policies and procedures to encompass the scope of both HIPAA requirements plus sound business practices involving privacy. In addition, the deliverable includes recommendations regarding modifications in the design and use of the organization's core computer system(s) for improved clinical and business practices.
IV. Privacy Officer Role Assessment and Development
The privacy officer role assessment and development consists of a detailed evaluation regarding the roles or responsibilities of the privacy officer. This evaluation encompasses roles, reporting structure, ability to influence policies and working relationships with key operational areas of the organization.
The deliverable from this assessment is a report of findings with recommendations regarding the need for a privacy officer and their roles and responsibilities. As an additional deliverable, the recommendations include a proposed job description and organizational chart relative to how the privacy officer role can be maximized for compliance with HIPAA and other privacy related practices.
V. Leadership and Organizational Briefings
The leadership and organizational briefings consist of one or more educationally based briefing sessions geared towards both mid-level and senior management within the organization. Briefings incorporate a general overview of HIPAA related privacy topics plus operationally based recommendations for improved compliance and privacy performance.
The deliverable for this module is a privacy program campaign kick-off for the entire organization, starting with leadership. A series of briefings is conducted for the target audiences specified by the customer. Briefings incorporate the following content:
General HIPAA related privacy requirements based on quantified knowledge deficiencies identified in leadership surveys
Video covering privacy related practices
Presentation on findings and recommendations from operational assessment, policy/procedure review, computer system evaluation and privacy officer assessment
NOTE: Additional privacy related services are available on a time and materials basis subsequent to completion of privacy program modules. These services include the following:
Operational audits (ongoing re: privacy practices)
Quarterly leadership briefings based on:
Operational audit findings and trends (Note: trending and performance monitoring services available only if contracted for a 12-month audit cycle)
Identified knowledge deficits from original leadership survey results.
Policy & procedure development (Note: Limited to comprehensive HIM P&P used as a template to organizational document).
Ghost visitor program development for privacy practices audit expansion