By Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
The recent defunding of the Chief Privacy Officer (CPO) position by the Office of the National Coordinator for Health IT (ONC) makes practical sense for the healthcare industry and the national budget. The position has been vacant for the past year, and during this time Deven McGraw has successfully served as acting CPO and deputy director for health information privacy at the Office for Civil Rights (OCR). McGraw has proven effective in filling both roles and will remain with OCR.
However, with the change come four important privacy strategies for health information management (HIM) leaders to consider employing at the state, local, and organizational level.
Maintain Privacy Audits and Environmental Scanning
Funding cuts are a likely indicator of fewer privacy audits at the national level—or elimination of national privacy audits altogether. The concern here is that whatever doesn’t get regulatory attention doesn’t get done.
As HIM professionals, we know that privacy audits must continue despite changes at the federal level. To ensure a continued focus on privacy monitoring, the following steps are recommended:
- Maintain internal privacy audit activities
- Review any patterns in privacy issues and address them through corrective action
- Use environmental scanning to assess resolution agreement results
- Review published privacy complaints to determine how to handle similar situations
- Compare your state of readiness to known complaints
Focus on State Privacy Rules
Going forward, state-level privacy rules may play a bigger role for healthcare providers. Most states have privacy and security rules that vary from national HIPAA guidance. In many cases, state rules are even more stringent than federal law.
HIM professionals should work with their compliance and training counterparts to educate staff members about state privacy rules, which are available on state hospital association websites or through legal counsel.
Include Privacy in the Pursuit of Interoperability
Health information technology (health IT) departments should consider all state and federal privacy rules when participating in interoperability projects. Sharing information with technology vendors, with other provider organizations, and across state information exchanges must not preclude privacy compliance. By getting involved and maintaining close ties with health IT, HIM professionals can lead efforts to ensure privacy during interoperability initiatives.
Look for Opportunities to Communicate
Finally, the absence of a CPO may hinder OCR’s ability to maintain outreach and communication efforts at association events and healthcare industry conferences. Rather than relying on frequent national industry updates, each provider must take stronger ownership of privacy regulation review and interpretation at the organizational level. Here are three best practices from the MRO privacy playbook:
- Ensure your organization’s internal CPO constantly monitors state and federal privacy guidelines for any updates or changes
- Establish a data protection committee to review, interpret, and disseminate privacy update information to staff and key stakeholders
- Include privacy monitoring under the umbrella of compliance
Ensuring Privacy Compliance Remains a Top Priority
OCR’s focus is squarely on interoperability and the importance of safely exchanging patient information across the healthcare ecosystem. As it should be. But privacy standards can’t be overlooked. During this time, HIM leaders play a pivotal role in ensuring privacy compliance remains a top priority as their organizations work to achieve interoperability.
Rita Bowen is vice president, privacy compliance and HIM policy, MRO Corp. In her role, Bowen oversees the company’s compliance with HIPAA and ensures new and existing client HIM policies and procedures are to code. She has more than 40 years of experience in health information management.