Conducting A Privacy Gap Analysis

by: Jackie Huchenski

The HIPAA Privacy Rule will require most health care organizations to revamp the way they handle medical records and health information. Exactly how much change your individual organization will need to undergo to become compliant with the Rule depends on your organization's current practices concerning the confidentiality and security of medical records and other "protected health information or "PHI". One step in determining what will be involved in the process of becoming compliant with the Rule is to have legal counsel for your organization conduct a "gap analysis" to assess the gap between what will be required by the Rule and your organization's current practices. The basic components of such a gap analysis are outlined below. This is not intended to be a comprehensive list of steps your organization needs to take; your legal counsel should decide the final steps to take in any gap analysis specific to your organization.

Most providers, health plans, and clearinghouses are all considered "covered entities" under the Privacy Rule. Covered entities will have to ensure compliance with the Privacy Rule by April 14, 2003. Effective compliance will require significant resources and planning for compliance should begin now. If changes to the Rule are made before the gap analysis is completed, such changes can be taken into account.

Most entities will have to comply with the following requirements under the Privacy Rule:

• Obtain specific patient consent, authorization or other permissions to use and/or disclose PHI;
  
  
• Enter into business associate contracts (including 10 essential provisions), understanding that you may be liable for its business associates' violations;
  
  
• Provide notices to patients regarding their individual rights, such as access to their PHI, an accounting of where their PHI has gone, the right to request an amendment/correction of their PHI, the right to request further restrictions on uses/disclosures of their PHI, and the right to make a complaint. The notices have to be distributed and/or posted at varying times, depending on whether the covered entity is a healthcare provider who is treating the individual directly, or a health plan;
  
  
• Revise/create policies and procedures regarding information practices in accordance with the Rule;
  
  
• Develop a compliance program, including appointment of a privacy official, safeguards, implementing a complaint process, sanctioning violators, training, and implementing mitigation procedures;
  
  
• Refrain from retaliation against or intimidation of an individual for either filing a complaint with the covered entity or with the Secretary, or for cooperating with an investigation by the Secretary; and
  
  
• Not require individuals to waive their rights.
  
  

Analyzing Your Organization's Current Status

In assessing your organization's current status to determine the steps that will need to be taken in the process of becoming compliant with the Privacy Rule, your counsel can begin with the following preliminary checklist as a guide:

• Policies and Procedures Regarding Privacy/Confidentiality of Health Information: Identify current policies and operating procedures addressing privacy or confidentiality of health information of patients and employees, including medical record creation, maintenance, storage, moving, retrieval, release and destruction, and web site privacy policies and practices.
  
  
• Tracking the Flow of Health Information: Interview executives and staff regarding the organization's practices relevant to tracking the flow of health information both internally and externally (disclosure and access) (e.g., medical management, billing, patient accounts).
  
  
• Patient Consent: Review a representative sampling of policies, procedures and any tracking mechanisms the organization has governing patient consent as well as review a sampling of the consent forms used.
  
  
• Individual Rights: Determine the extent to which the organization has policies, procedures, practices and tracking mechanisms governing release of information and patient notification of rights with respect to health information, and review a representative sampling of such policies, procedures and tracking mechanisms.
  
  
• Contracts with Third Parties: Determine the number and types of vendor contracts, provider or managed care contracts, and any other contracts the organization has with persons or entities handling health information or handling confidential financial, business or legal information. Review a sample of the contracts.
  
  
• Other Potential Business Associates: Review and discuss other entities to which the organization discloses health information, but with which it does not currently have contracts, to determine the necessity of entering into business associate contracts with such entities.
  
  
• Research (if relevant): For each of the research programs/departments, review IRB policies, procedures and practices related to use and disclosure of health information, and review current informed consent forms used in such research.
  
  
• Human Resources: Review plan documents relating to the organization's group health plan for its employees, and any contracts with outside entities, such as TPAs. Also review methods of separating employee health information from other employee information, and interview relevant staff members regarding access to such health information and other employee information.
  
  

Assessing the Gap

A comparison of the requirements under the Privacy Rule with the results of the analysis of your organization's current status will identify the changes that your organization will need to take to be compliant with the Rule. Your organization's risk if it does not comply can also be assessed with more specificity once you've identified areas of vulnerability. Planning and budgeting for necessary tasks will be much easier.

The results of your gap analysis may demonstrate that your organization already has certain practices in place that lay the foundation for compliance under the Privacy Rule, due perhaps to state law requirements, HCFA requirements, or custom in the industry. In such cases, the compliance task may be to amend a policy and/or form already in place. An example of this is the consent requirement. Most providers of health care currently obtain some form of patient consent before treatment. Such consent forms may need to be amended, but the basic process for obtaining consent is already in place. Health plans will not need to obtain consent for payment or health care operations, so some plans may choose to stop asking for consent when a member enrolls with the plan (keep in mind that plans with medical staff will have to follow the rule requiring consent before treatment however). For uses other than treatment, payment or health care operations, providers and health plans will both need to modify current practices, as the Rule has very specific requirements for obtaining patient authorization.

Of course many of the requirements of the Privacy Rule will be brand new to your organization. The specific requirements regarding business associate agreements is a good example. The Rule lists ten specific provisions that will have to be in your organization's agreements with business associates, plus a couple of optional ones as well. Your organization will have to ensure such agreements are entered into before the compliance deadline. The gap analysis will help identify the entities with which your organization will need to have such agreements and which entities have existing agreements in place that may be amended and which entities will need to enter into a new agreement.

State Laws Affecting Your Organization

Keep in mind that not all state law is preempted by the Privacy Rule. State laws that are more "stringent" than the Privacy Rule, which basically means laws that require more protection of the privacy of information than the Privacy Rule does, will still govern and therefore an analysis of such laws will need to be part of the legal risk assessment performed for your organization. For example, many states have laws applying a higher standard of confidentiality to particularly sensitive information, such as that relating to HIV/AIDS, psychotherapy notes, drug and alcohol information and genetic information. Comparing state laws requirements with the Privacy Rule requirements and current practices and policies of your organization will identify gaps in current compliance requirements as well as future requirements necessitated by the Privacy Rule.

Accreditation Standards, Ethical Obligations

Finally, if your organization's legal gap analysis includes assessing current compliance requirements, it would not be complete without comparing the requirements affecting your organization's handling of health information under accreditation standards such as JCAHO or NCQA, as well as professional ethical obligations such as the AMA's Code of Medical Ethics.

This article is reprinted with permission from the Volume 1, Number 5 o June 2001 edition of Report on Patient Privacy, Atlantic Information Services, Inc.
www.AISHealth.com