HHS SPI (SECURITY AND PRIVACY INITIAL INQUIRY)
The first (multi-section) part of Section B of the Security and Privacy Initial Inquiry (SPI) deals with current written policies and procedures. The requirements for acceptable privacy and security policies and procedures are pretty complex, so we’d like to help you decipher these questions to ensure YOUR policies and procedures (P&P) cover all the bases.
As usual, we must point out that anyone reading any of our blogs/articles (including those relating to the SPI and DUA series) is strongly advised to read the root documents for themselves and/or seek understanding and clarification from appropriate experts in the field.
For any question answered “No,” an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date the SPI form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the SPI is signed.
For ease in cross-referencing, print out a blank copy of the SPI document and keep it handy as we go through:
B1a. An “Authorized User,” according to the HHS Data Use Agreement (DUA), is a person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information (CI);
(2) For whom Contractor warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the CI; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the CI as required by the DUA.
Please note – these are NOT either/or statements – they must all be fulfilled for a person/persons to be recognized by the State as Authorized (don’t forget to include any non-exempt subcontractors).
It would make a lot of sense for your P&P to begin with a clear definition of an Authorized User and the demonstrable need so that there is consistency across the organization in the application and access allowed to these users.
The P&P should identify the reason that these Authorized Users need to access the Texas HHS Confidential Information and this reason must align with the Authorized Purpose described in the Scope of Work or description of services in the Base Contract with the Texas HHS agency. Another place to find expectations is the Texas Administrative Code, within the Certification Principles for ‘Home and Community-Based Services Program and Community First Choice’.
B1b. Your P&P must clearly require compliance with the law for all members of the Workforce. ‘Workforce’ here denotes your employees (including yourself), your volunteers, your trainees, and any other persons whose work you direct. The P&P must require that all of these people comply with the requirements of HIPAA and other confidentiality laws as they relate to your handling of Texas HHS CI.
B1d. P&P must include all of the following 3 bullet points at a minimum. If any of the responses in section B1d are “No” then you must check “No” for all three:
Immediate breach notification to the Texas HHS agency, regulatory authorities, and other required Individuals or Authorities, in accordance with Article 4, Section 4.01 of the DUA. Initial Notice of Breach must come with as much information as possible about the Event/Breach and a company name and contact who will serve as the single point of contact with HHS both on and off business hours. Time frames related to Initial Notice include:
B1e. P&P should require annual training of your entire Workforce on matters related to confidentiality, privacy, and security; stress the importance of promptly reporting any Event or Breach; and outline the process used to require attendance and to track completion (and corrective action) for employees who fail to complete annual training.
B1f. Individuals served have the right to access their individual record of Texas HHS Confidential Information, and to amend or correct that information when appropriate. P&P should clearly define the provision and potential limitation of that right. (In certain circumstances this access right may not be applicable due to clinical or capacity concerns, which must be documented. Under current Texas law, physicians may also unilaterally deny a patient access to their records in specifically defined situations.)
B1g. P&P must specify that Authorized Users remain authorized only so long as all of the preceding conditions remain true (CI disclosure is limited to users who have a demonstrable need to provide a service and whose privacy and security training is up-to-date), unless otherwise approved by HHS.
B1h. P&P must clearly define sanctions to be imposed for non-compliance or unauthorized use of CI and specify documentation to be maintained as proof that those sanctions are imposed.
B1i. This is where you promise that your P&P is a working, fluid document. Spell out the process for changing company P&P when a need is identified or when Texas HHS rules change (and how you’ll update your staff training within 60 days).
B1j. P&P should expressly forbid the re-identification of any de-identified documentation (such as Investigation Reports, legally expunged records, etc.) without written authorization from HHS.
B1k. We’re skipping this one for now, since it doesn’t expressly apply to P&P. See below.
B1l. P&P must require cooperation with Texas HHS agencies’ or federal regulatory inspections, audits or investigations related to compliance with the DUA or applicable law. Your contract already requires this, so it’s just a matter of inserting the language into your P&P.
B1m. P&P must define and require appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information. Again, spell it out in the P&P, and include processes for ensuring that it’s carried out (and remedies for when it isn’t). Focused Software clients can get help with this P&P, including a description of how we irretrievably destroy and dispose of client data for you when appropriate.
B1n. P&P must be clear that it also covers any Provider work product (documentation) that may include CI. This includes, but is not limited to, CI and work product which may include patient safety work product.
Remember, written P&P don’t have to be on paper — they just have to be written and available to your staff! That means an electronic file (which is easy to update and disseminate) works just as well! Focused Software can help with drafting and editing of your P&P documents, and our new In-Service feature makes it easy to disseminate the information to your staff (and keep track of who acknowledges receipt)!
Keep in mind that true policy and procedure implementation includes in-servicing and ensuring your staff not only recognize but practice company policies and procedures! There’s nothing worse than an auditor asking about a written procedure and your staff saying something like “oh – we don’t do it like that anymore; it’s not practical/takes too long”. Remember: your policies and procedures are living documents and should reflect the way your team works (within required safety and other regulatory standards, of course).
Now, as promised, back to B1k (the only non-P&P question in Part I):
You must obtain the express written permission from Texas HHS before you engage any non-US company’s services that include handling of CI in any way.
FYI it is very unlikely that a US-based IDD service provider would be able to obtain express written permission from HHS to maintain Texas HHS CI outside of the country. There is no lack of companies (like Focused Software!) that are not just ready, willing and able to perform this function, but are also under US federal and state jurisdiction and therefore subject to punitive and other measures if compliance is not maintained. Such laws and legal ramifications may not exist or be as easily applicable offshore.
Stay tuned – remember Focused Software is here for you! Our blog next week will cover the final part of section B. Contact us today – we’ll be happy to provide a free, no-obligation demonstration of the Focused Software Electronic Health Record, with all of its value-added features, discuss provider operations and brainstorm with you so you can discover how FS can help you comply with the SPI and DUA requirements. We even offer services for Policies and Procedures and act as contracted Privacy Officers.