Deadline Date: 04.14.03*

In your company’s alphabet soup of necessary abbreviations, you should already have reserved a spot for PHI—protected health information. Seven years after the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this month marks the deadline by which employers and health-care providers must have safeguards in place to protect data on an individual’s physical or mental health, method of payment and personal identifiers such as Social Security numbers.

For at least one health-care services firm, Meridian Health Care Management of Woodland Hills, Calif., compliance with HIPAA’s privacy statute “was a daunting administrative task,” says Director of Corporate Compliance Richard Robinson. For technologically advanced firms, the focus is on electronic data and finding potential leaks. One unexpected locus of potential leaks is the customer-service help desk and what Robinson calls “one of the most overlooked areas—controlling the trash.”

Other items on the HIPAA privacy checklist:

  • Conduct a gap analysis to gauge where you stand with regard to the requirements

  • Conduct an information-flow assessment (where PHI enters, moves within and leaves the organization)

  • Retrain your employees

  • Notify health-care recipients of changes in privacy policy

  • Install encryption for PHI-laden e-mails

  • Maintain secure document storage

  • Establish secure methods of destruction for sensitive paper trash

  • Establish standards for public-area use of speakerphones, filing cabinets, fax machines, and computer terminals.

    *Applies to companies that pay out more than $5M in annual medical claims or insurance premiums; smaller firms have until April 14, 2004. For more details, see www.baselinemag.com/apr03