HIPAA, The Sequel

It's April 2003, the month that those of us in the health care industry — some of us, anyway — have been counting down to for more two years. The definitive April 14, 2003, deadline has arrived for home care providers, insurance companies and other health care providers to be in compliance with the new federal Health Insurance Portability and Accountability Act privacy rules.

By now your organization should have developed and implemented HIPAA privacy-specific policies and procedures that describe how you maintain the confidentiality of protected health information, or PHI. Additionally, you should have trained your employees on those policies and procedures. Finally, you should have begun providing your organization's Notice of Privacy Practices to new patients. For those of you who have completed these tasks: Congratulations!

For good measure, here are some final tips to assist you in continuing your compliance efforts as they relate to the HIPAA Privacy Rule:

• Keep track of changes to state laws and regulations that impact PHI and how providers handle and maintain the confidentiality of PHI. Many states are changing their requirements in light of the federal Privacy Rule. Remember: HIPAA requires that you comply with both state and federal privacy laws.

• Conduct a Privacy Rule effectiveness review to ensure that your organization has taken all necessary and appropriate steps to be in compliance with the federal HIPAA privacy regulations. Perform effectiveness reviews and audits on a regular basis — annually, at a minimum. This process will help you understand how well your employees comply with the new privacy regulations and point out areas that may require additional training.

• Re-train all employees on your privacy policies annually. Train new employees shortly after they are hired. Finally, make employee compliance with privacy polices and procedures part of every employee's evaluation process.

Next Stop: Security

But, your work is not complete. Home care providers have a second set of federal HIPAA regulations to look forward to and comply with — the new Security Rules. The U.S. Department of Health and Human Services published the final HIPAA Security Rule on Feb. 20, with a compliance deadline of April 21, 2005. This means you have two years to incorporate into your privacy policies and procedures, and other privacy-related compliance activities, measures to comply with security regulations. Security compliance activities are inextricably linked with privacy compliance activities.