
It's a new year, time to take a fresh look at your organization's privacy program by Marti Arvin

 

The HIPAA Privacy Rule will soon celebrate the 23rd anniversary of its original compliance date: April 14, 2003. Since the original rule was promulgated, there have been several changes. Even without changes, it is good practice to do a routine review of your organization’s policies and procedures and evaluate the practices team members are engaging in to make sure practice matches policy. The Privacy Rule requires organizations to: 

  • Have policies and procedures regarding their uses and disclosures of protected health information (PHI);
  • Make necessary updates and changes to policies and procedures as changes to the law occur;
  • Document the policies and procedures in writing; and 
  • Provide training and education on the organization’s privacy policies and procedures.


Organizations need to consider not only changes to the law but also changes to the organization that might have occurred. If the organization has expanded to add new service lines, what, if any, implications are there for the uses and disclosures of PHI? Changes to the technology used by the organization might also have impacted the uses and disclosures of PHI. The electronic medical record (EMR) system used by the organization might have changed or added new features, with implications for how PHI is shared. The organization might have expanded its instance of the EMR to be used by third parties. This might have implications for how the PHI in the system can be accessed and by whom.

The scope of practice might have changed for some users, which would permit broader access to PHI. However, if the policy regarding access has not changed, it is possible that the user has broader access than what the organization’s outdated policy might permit. A misalignment like this is something an organization can explain away, but it is always better to do a frequent review of policies and procedures to help ensure such an explanation is not necessary. 

Users may also change their practices over time, and before anyone realizes it, the practice is no longer in line with policy. This could lead to noncompliance, or it might simply be a different way to do something, which would warrant a policy change so that the two match again. If it has been a bit since your organization reviewed its policies and procedures and compared them against practice, it is time to do so. 

 
