
Policies, Procedures and Job Descriptions Need to Reflect Size of Organization

The Health Insurance Portability and Accountability Act requires that covered entities make a reasonable effort to "limit the use or disclosure of and requests for protected health information." The tricky part is deciding how loosely or how restrictively to do that. We suggest that as you approach this task, you err on the side of being too loose rather than too restrictive. The main goal of HIPAA appears to be that covered entities should make a reasonable effort, not a superhuman and unrealistic effort. Guidance issued last July by the Department of Health and Human Services (DHHS) stressed that compliance with the privacy rule will be measured by a reasonableness standard. In fact, DHHS emphasized that the minimum necessary requirements did not apply to uses and disclosures of protected health information for treatment purposes as well as for a number of other situations.

We recommend that as you attempt to conform to the privacy rule, you keep in mind the following:

  • Try to reflect your unique needs as a health care provider in your privacy policies and procedures. In other words, don’t write policies and procedures that would be appropriate for a hospital if you are a small outpatient rehab clinic. Such an approach will only fail because you don’t have the personnel and the systems necessary to support the policies and procedures that are warranted for a large institution like a hospital. It is too restrictive, and it is also unnecessary.
  • When rewriting your job descriptions to reflect access to protected health information, focus on the idea of role-based access, use and disclosure, rather than keeping specific persons in mind. As we all know too well, in smaller covered entities, one person often wears three different hats (roles), while backing up two other people. It is critical that the role determines access to protected health information, not the person.
