JR - Health Care Compliance Association

More documents

Recommendations

Info

Implementing a HIPAA work plan in an academic medical environment By Maria Gonzales, J.D. Editor’s note: Marcia Gonzales, JD, is Compliance Officer & Privacy Officer for Long Hospital in Indianapolis, Indiana. She may be reached at marcgonz@iupui.edu Ms. Gonzales is a member of the HCCA’s Academic/Research Special Interest Group (SIG). To learn more about joining this SIG, please contact Marti Arvin– 412/647-3388–arvinm@msx.upmc.edu Many Privacy Officers and Compliance Officers know by now that there are no one size fits all approaches to developing and implementing compliance program in accordance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). Therefore, the only experience that I am able to share with my colleagues is the approach chosen for the Indiana University School of Medicine, through the Office of Compliance Services. Unlike many physician practices and some smaller hospitals, more complex health care systems such as an academic medical center (AMC), have several covered entities situated among other covered entities. Not only does an AMC have to consider its own needs, but it must also consider the immediate ripple effects that may impact its affiliates when implementing any changes. As with any implementation strategy involving a complex health care system, the structure and the collaboration process are two of the most important SPECIALINTEREST GROUP August 2002 22 SPECIAL variables that will govern the shape of the outcome. Structure To better explain the approach chosen by the School of Medicine, a brief description of the medical center’s structure is necessary. The Indiana University School of Medicine provides training for over 1,200 medical students. In conjunction with 19 practice plans and five hospitals on campus, training is also provided to over 1,000 residents as well. Additionally, the School of Medicine also provides training through its allied health and public health programs. The practice plans have clinic sites throughout the campus including those located within the hospitals and University buildings. Some computer and other technological support is also provided to the practice plans through the University. As a result of this intermingling, employees of the University, hospitals, and practice plans work side by side on a daily basis at all of the various sites. Organizational control often varies from entity to entity. Following an analysis of HIPAA and its potential effects on the School of Medicine and its affiliates, it was decided that the School of Medicine should consider itself as a separate covered entity from the practice plans and the hospitals. However, this decision did not mean that the School of Medicine’s responsibility to work with its affiliates during this HIPAA implementation process ended. While there is a great deal of independence among these health care institutions, a collaborative process was necessary in order to have a practical and effective HIPAA program. Academic/Research Collaboration process The first plan of action was to assemble the stakeholders at the School of Medicine. This did not only include University employees, but it also included members of the practice plans who also, served as faculty members at the School of Medicine. During this kickoff meeting, it was announced that four task forces would be created. These task forces included clinical operations, administrative operations, education, and research. The administrative operations task force focused on privacy and security issues that arise while performing the administrative and non-clinical functions of the health care facilities such as billing, answering requests for medical records, quality assurance activities, and other related claims processes. The clinical operations task force focused on privacy and security issues that arise while providing or arranging for patient care or treatment. This included scheduling, medical records access, transcription, appointment cards and reminders, and communications with other treating providers. This differentiation assisted both the task force members and the Office of Compliance Services in focusing on separating health care operations issues and treatment issues as they relate to privacy and security. The importance of this would later be beneficial in explaining the applicability of the minimum necessary rule during training and in policy development. The education task force jurisdiction involved the medical students, interactions with the residents, and gift development. Members of the practice plans were strongly encouraged to participate in as
many tasks forces as they deemed appropriate. It was in their best interest to participate in this process so that their organizational structures and opinions on how to implement HIPAA at the School of Medicine would be taken into consideration. The main goals were to identify the use and disclosure of protected health information at the University, identify potential areas of risk, and to provide training and guidance to the practice plans. Unlike the hospitals affiliated with the School of Medicine, many practice plans did not have the manpower or resources in which to develop a HIPAA compliance begin with a blank canvas. As a result, flow chart templates for each task force were developed to allow the task force members to react to a base model rather than brainstorming on a blank sheet of paper. These templates were developed from flow charts from other organizations and from the experiences of our staff who have worked in physician practices. In addition to these task force meetings, the Office of Compliance Services also convened meetings with the specific practice plans in order to provide a more detailed inventory of protected health information use, disclosure, and storage. similar to the need to know basis, and safeguards were essentially policies and procedures. This explanation was necessary in order to allow those who had not participated in the initial HIPAA process to understand the goals of the privacy and security regulations enough to assist the administrators in the assessment process. Simplifying this process will hopefully allow each work force member to assess the privacy and security risks present in their own areas. Training The next area of concern involved training. Pursuant to Section 164.530(b)(1), program alone. Therefore, guidance from the School of Medicine was necessary. Additionally, to mimic the structure developed for the Compliance Program at the School of Medicine, each practice plan would be required to have a HIPAA compliance program that would need to be consistent with the yet to be finalized requirements of the School of Medicine’s HIPAA Compliance Program. The main charge for these task forces Assessments Identifying the use, disclosure, and storage of protected health information was only half the battle. The other half involved determining whether sufficient safeguards were in place. If these safeguards were not in place, what guidance would the School of Medicine need to provide to the practice plans to allow them to assess their current risks and to prioritize the privacy and security issues that needed to be addressed? covered entities must train all members of its work force as necessary and appropriate. However, in an academic medical setting, it is extremely difficult to keep track of who has met this training requirement. Many work force members wear several hats and go in and out of the several covered entities on campus on a daily basis. So, who has a responsibility of providing this training? Therefore, the various affiliates of the School of Medicine decided that a reciprocal training program had to be was to develop a flow chart of how protected health information was used, disclosed, and stored within their practices. Based on these findings, a checklist was developed to assist with the assessment of the uses, disclosures, and storage of protected health information. The purpose of the flow charts was not to identify every detailed use, disclosure, and storage of protected health information, but the main concern was to identify the more common processes that were likely to occur among the various practice plans. In an effort to make their time more valuable and efficient, it was imperative that the task forces did not Clearly, the administrator of each practice plan alone could not accomplish this process. One of the main themes that the Office of Compliance Services wanted to get across during its initial training for HIPAA awareness was that the confidentiality of patient information, now known as protected health information, was not a new phenomenon. Therefore, part of the training would entail reintroducing a familiar topic in the health care industry under different names. Protected health information was simply confidential patient information, minimum necessary was developed. Open training schedules were advertised and any member of the work force from any of the covered entities at the medical center were permitted to attend any training session. Uniform attendance sheets were developed so that the information could be consistently tracked. Perhaps one of the greatest hurdles to overcome in the HIPAA implementation process was the development of policies and procedures that are consistent among the various covered entities at the medical center. Initially, develop- Continued on page 24 23 August 2002
Page 1 and 2: Volume Four/Number Eight August 200
Page 3 and 4: DON’T MISS OUT! ON THE CALENDAR U
Page 5 and 6: FOCUS ON ETHICS & COMPLIANCE Compli
Page 7 and 8: system. Other advantages include ea
Page 9 and 10: uation as unique. The divide and co
Page 11 and 12: By Norman Radies Editor’s note: N
Page 13 and 14: feature article Editor’s note: Th
Page 15 and 16: there are so many issues that have
Page 17 and 18: 3. Have a witness! Do interviews wi
Page 19 and 20: leagues. Physicians can hear the me
Page 21: Alyse Hutchinson, Associate Complia
Page 25: Editor and Publisher: Margaret R. D

JR - Health Care Compliance Association

Create successful ePaper yourself

Delete template?

Save as template?