All of Ohio’s County Boards of Developmental Disability have received a beautifully bound set of freshly updated HIPAA policies from the County Board Association. These changes are based on the new HIPAA law enacted in 2009. Don’t give in to the temptation to simply add these policies to the “HIPAA section” of your policy manual. Why this advice? A little background is in order.

Ohio County Boards of Developmental Disabilities have a long-standing culture of maintaining the confidentiality of the individuals being served. Confidentiality regulations specific to DD boards are embedded in the Ohio Revised Code and Ohio Administrative Code. Other federal regulations, including FERPA, the Family Educational Rights and Privacy Act of 1974, apply to records created by the schools operated by boards. In 2003, boards began compliance with the new federal HIPAA Privacy rules, and in 2005 boards implemented the HIPAA Computer Security regulations. Currently, boards are dealing with the changes to HIPAA being rolled out by the feds, as required by the February 2009 Stimulus Bill.

The result for most boards is a patchwork of overlapping and conflicting policies regarding confidentiality and computer security. Most boards have a separate set of policies in their policy manual for each set of regulations, sometimes neatly organized in different tabs. There may be two or even three different policies on how to respond to a parent’s request to correct a record, and they conflict with one another; the records release form may comply with Ohio regulations but not the HIPAA regulations; or the privacy notice might comply with HIPAA but not FERPA. These defective policies don’t tell staff the proper thing to do, and worse, they increase liability for boards that are routinely violating numerous regulations.

One solution is to bite the bullet and revamp the policy manual. Delete the old “Confidentiality” policy, delete the portions of the school manual that deal with FERPA, and erase the HIPAA policies. In their place, create a new “Confidentiality and Computer Security” section containing a single set of policies that simultaneously complies with the Ohio regulations, the FERPA regulations, and the HIPAA regulations. Staff will have clear instructions, and liability will be reduced.

Better yet, start with Eagle Consulting Partners’ FREE set of boilerplate policies, “Confidentiality and Computer Security Policies for Ohio DD Boards”, for which 80% of the heavy lifting has been done. Delete the obsolete portions of the current policy manual, and customize everything based on the handful of unique practices and requirements of your board.

Contact Gary Pritts at (216) 233-4960 for more info.
