This is especially true for BAs who work with a large quantity of PHI. This can include vendors involved in IT, electronic data interchange, third-party billing, health plans, and pharmacy benefits.
3. Create an informal forum to bring together privacy and security officers with other staff members concerned with patient safety.

The proposed rule would revise the privacy rule’s definition of healthcare operations to include a reference to patient safety activities. Patient Safety Organizations, which receive reports of patient safety events or concerns from providers and analyze events, will be considered BAs of covered healthcare providers.
Patrick says patient privacy should be considered a piece of the regulatory pie, along with safety and quality. At many healthcare organizations, privacy and security programs and patient safety programs operate in silos, she says. The proposed rule will make it more important for HIPAA privacy and security officers to reach out to staff members involved in quality and patient safety at their organizations.
At a hospital where Patrick once worked, a group consisting of representatives of those programs met monthly and provided a forum to discuss common issues. Members provided updates so everyone knew what was happening in other programs. Organizations that do this may also consider involving representatives from the patient relations department.
This type of forum is a good place to address risk assessments together, Patrick says. The meetings can be confidential with no minutes or record necessary.
“This is a way of breaking down silos. It helps everyone in the long run,” she says. “I would urge every organization to start a forum, even if you start with two or three people. It will pay dividends.”
Correspondent Joanne Finnegan contributed to this report.