
GUIDANCE (Nov. 15, 2006)


The HIPAA Program Office (HPO) mission is to promote a culture of respect for privacy and information security throughout the organization when providing patient care and accessing and disclosing protected health information.  Our continuous effort to protect patient privacy and confidentiality of health information includes ongoing site visits to assess compliance with the HIPAA Privacy Rule.  A site visit, called a Privacy Review, is an educational and consultative program that serves as a vehicle to identify best practices as well as opportunities for improvement.  During the review of a location, the reviewer uses a tool called the HIPAA Privacy Review Form which includes the specific standards that will be reviewed.  The Privacy Review program is designed to be transparent in order to maximize the opportunity to impart knowledge and effect change.  Each review presents an opportunity to give members of the workforce the information and tools that they need to protect patient privacy.

Privacy Review Program Goals

  1. Promote a culture of respect for patient privacy
  2. Monitor and confirm departments' compliance with key privacy principles
  3. Identify and communicate best practices throughout the organization
  4. Identify and remediate opportunities for improvement
  5. Fulfill regulatory obligation and document our good faith effort to comply
  6. Look for guidance and educational opportunities
  7. Create a forum for staff and management to communicate privacy concerns and issues to the HPO

The Privacy Review Program is composed of these milestones for each review:

  1. Entrance conference with the HPO and location management to discuss review scope
     Timeframe: 1 hour
  2. HPO conducts review with manager's participation
     Timeframe: 1-2 hours
  3. HPO provides location management with a preliminary report of review observations
     Timeframe: 1-2 days after Review
  4. Exit conference with the HPO and location management to finalize action plan and due dates
     Timeframe: Within 10 days after Review (1-2 hours)
  5. A signed final copy of the report and action plan are sent to location's management team - Manager, Director, Executive Administrator and Vice President
     Timeframe: 1-5 days after receipt of report
  6. Remediation of action plan items occurs
     Timeframe: Timeframe determined at exit conference
  7. Location management team notifies the HPO of completed action plan items
     Timeframe: As location completes action items (by due date)
  8. The HPO notifies location management - Manager, Director, Executive Administrator, Chairperson and Vice President of completed action plan items
     Timeframe: 1-2 days after all items have been completed

Privacy Review Program FAQs

What kind of things will be reviewed during a privacy review?

During the review of your location, the reviewer will use a tool called the HIPAA Privacy Review Form which includes the specific standards that will be reviewed.  As the form is completed, it will become the final report.

How often will these reviews occur?

The privacy review program schedule will ensure that we are making our way through all the locations of the Medical Center.  The goal of the ongoing program is to cycle through all the locations every 24 months.

Do I wait until I am contacted or can I request that someone come to our location?

At any time, if you would like your department to be reviewed, please contact the HIPAA Program Office at 4-9716.

What do I do if I have suggestions or feedback about the review process?

In our continuous efforts to improve our own processes, we are interested in feedback on the Privacy Review Program.  Each location is given an evaluation form and asked to complete and return the form to the HIPAA Program Office.


Call 4-9716 for more details.
