JR - Health Care Compliance Association
JR - Health Care Compliance Association
JR - Health Care Compliance Association
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Implementing<br />
a HIPAA<br />
work plan in<br />
an academic medical environment<br />
By Maria Gonzales, J.D.<br />
Editor’s note: Marcia Gonzales, JD, is <strong>Compliance</strong><br />
Officer & Privacy Officer for Long<br />
Hospital in Indianapolis, Indiana. She may<br />
be reached at marcgonz@iupui.edu<br />
Ms. Gonzales is a member of the HCCA’s<br />
Academic/Research Special Interest Group<br />
(SIG). To learn more about joining this<br />
SIG, please contact Marti Arvin–<br />
412/647-3388–arvinm@msx.upmc.edu<br />
Many Privacy Officers and <strong>Compliance</strong><br />
Officers know by now that there are no<br />
one size fits all approaches to developing<br />
and implementing compliance program<br />
in accordance with the Administrative<br />
Simplification provisions of the<br />
<strong>Health</strong> Insurance Portability and<br />
Accountability Act (HIPAA). Therefore,<br />
the only experience that I am able to<br />
share with my colleagues is the<br />
approach chosen for the Indiana<br />
University School of Medicine, through<br />
the Office of <strong>Compliance</strong> Services.<br />
Unlike many physician practices and<br />
some smaller hospitals, more complex<br />
health care systems such as an academic<br />
medical center (AMC), have several<br />
covered entities situated among other<br />
covered entities. Not only does an<br />
AMC have to consider its own needs,<br />
but it must also consider the immediate<br />
ripple effects that may impact its affiliates<br />
when implementing any changes.<br />
As with any implementation strategy<br />
involving a complex health care system,<br />
the structure and the collaboration<br />
process are two of the most important<br />
SPECIALINTEREST<br />
GROUP<br />
August 2002<br />
22<br />
SPECIAL<br />
variables that will govern the shape of<br />
the outcome.<br />
Structure<br />
To better explain the approach chosen<br />
by the School of Medicine, a brief<br />
description of the medical center’s structure<br />
is necessary. The Indiana University<br />
School of Medicine provides training<br />
for over 1,200 medical students. In conjunction<br />
with 19 practice plans and five<br />
hospitals on campus, training is also<br />
provided to over 1,000 residents as well.<br />
Additionally, the School of Medicine<br />
also provides training through its allied<br />
health and public health programs.<br />
The practice plans have clinic sites<br />
throughout the campus including those<br />
located within the hospitals and<br />
University buildings. Some computer<br />
and other technological support is also<br />
provided to the practice plans through<br />
the University. As a result of this intermingling,<br />
employees of the University,<br />
hospitals, and practice plans work side<br />
by side on a daily basis at all of the various<br />
sites. Organizational control often<br />
varies from entity to entity. Following<br />
an analysis of HIPAA and its potential<br />
effects on the School of Medicine and<br />
its affiliates, it was decided that the<br />
School of Medicine should consider<br />
itself as a separate covered entity from<br />
the practice plans and the hospitals.<br />
However, this decision did not mean<br />
that the School of Medicine’s responsibility<br />
to work with its affiliates during<br />
this HIPAA implementation process<br />
ended. While there is a great deal of<br />
independence among these health care<br />
institutions, a collaborative process was<br />
necessary in order to have a practical<br />
and effective HIPAA program.<br />
Academic/Research<br />
Collaboration process<br />
The first plan of action was to assemble<br />
the stakeholders at the School of<br />
Medicine. This did not only include<br />
University employees, but it also included<br />
members of the practice plans who<br />
also, served as faculty members at the<br />
School of Medicine. During this kickoff<br />
meeting, it was announced that four<br />
task forces would be created. These task<br />
forces included clinical operations,<br />
administrative operations, education,<br />
and research. The administrative operations<br />
task force focused on privacy and<br />
security issues that arise while performing<br />
the administrative and non-clinical<br />
functions of the health care facilities<br />
such as billing, answering requests for<br />
medical records, quality assurance activities,<br />
and other related claims processes.<br />
The clinical operations task force<br />
focused on privacy and security issues<br />
that arise while providing or arranging<br />
for patient care or treatment. This<br />
included scheduling, medical records<br />
access, transcription, appointment cards<br />
and reminders, and communications<br />
with other treating providers. This differentiation<br />
assisted both the task force<br />
members and the Office of <strong>Compliance</strong><br />
Services in focusing on separating health<br />
care operations issues and treatment<br />
issues as they relate to privacy and security.<br />
The importance of this would later<br />
be beneficial in explaining the applicability<br />
of the minimum necessary rule<br />
during training and in policy development.<br />
The education task force jurisdiction<br />
involved the medical students,<br />
interactions with the residents, and gift<br />
development.<br />
Members of the practice plans were<br />
strongly encouraged to participate in as