June 27, 2018
By: George R. Gooch, JD, LLM, CHPC, CIPP/US
While compliance with state and federal health privacy and security law is a good start, it is now increasingly common for healthcare organizations to develop a robust privacy management program. In developing these programs, healthcare organizations go above and beyond simple compliance by taking a holistic approach to safeguarding protected health information (PHI). With minor variation, development of a privacy management program breaks into four categories: evaluate, coordinate, communicate, and enhance.
Evaluate. Before updating existing policies and procedures or drafting a new set, consider the organization’s information goals, culture, and regulatory environment. What set of federal, state, and local laws regulates the use and disclosure of the organization’s health information? Is compliance with HIPAA good enough (hint: probably not)? Does the organization adhere to additional self-regulatory frameworks (e.g., HITRUST or NIST)? All of these considerations factor into an accurate understanding of the organization’s actual information-handling practices, which must be properly evaluated before addressing the next steps in the development of the program.
Coordinate. Now armed with an accurate evaluation of the organization’s goals, culture, and regulatory environment, you can help determine how best to achieve those goals by identifying where, when, and how PHI flows into and out of the organization. A successful privacy management program requires proper coordination between the compliance department that writes the policies and the other operational departments (e.g., the billing department) that conduct business pursuant to those policies. Successful compliance with an organization’s policies and procedures is the responsibility of all employees – not just one department.
Communicate. In addition to evaluating and coordinating policies and procedures, the organization must properly communicate these efforts to both internal and external stakeholders. Policies and procedures do no good if employees don’t follow them (or, in some cases, don’t know about them). Therefore, organizations must ensure proper employee training on policies and procedures and should communicate the consequences for noncompliance. In Texas, this training is required within 90 days of hire.[1]
Organizations should also communicate adherence to these policies and procedures to external stakeholders (e.g., patients, business associates, etc.) in the form of a privacy notice. This notice should (1) actually reflect the organization’s internal policies and procedures, (2) be written in a manner that is easy for stakeholders to understand, and (3) be located in a place that is easily accessible (e.g., the homepage or other landing page of the organization’s website).
Enhance. Laws, regulations, and best practices for the handling of health information constantly evolve at the local, state, and federal level. Once an organization establishes a privacy management program, it should implement a process to review, update, and enhance the program on a regular basis.
Making headway in these four categories is critical to developing a strong privacy management program in the healthcare environment. To aid entities in understanding health information technology laws, regulations, and best practices, the Texas Health Services Authority (THSA) offers health information technology compliance services.
The THSA team includes privacy and security professionals experienced in the practice of health law and healthcare regulatory compliance with certification in healthcare privacy compliance.
We assist healthcare providers and other health stakeholders with questions regarding compliance with all relevant privacy and security regulations, including state and federal provisions. This includes advising entities on their policies and procedures, reviewing business associate agreements and other contracts to ensure compliance with relevant provisions, and other such projects.
For help getting started on developing your organization’s privacy management program, contact us at email@example.com
[1] Section 181.101(b), Texas Health & Safety Code