JR - Health Care Compliance Association
LEVERAGING HIPAA ...continued from page 7
August 2002
The owner of the classification project should understand the determining factors and apply them to the business process of the organization to develop the appropriate classifications. The end result should be information classified into five or six simple categories (in addition to subcategories) that allow users to quickly understand the type of information with which they are working.
Identifying the classifications
For example, there are five classifications that would serve most health care organizations well. These classifications are:
■ Research: (Access granted only on an individual basis and not role-based.) This classification targets activities by researchers conducted within an organization. These include open as well as blinded studies. Access is provided after a matching of individuals to specific information and is never role-based. An example of the difference in treatment of this classification is that in some cases Independent Review Board members could have full access to certain information, while physicians, therapists, and program administrators on certain studies would be more restricted.
■ PHI Restricted: This classification is for sensitive information that must be carefully controlled. An example is psychotherapy notes (HIPAA). In order to determine additional data that fit into this category, it will be necessary to consider the extent to which more stringent state laws relating to specific categories of health information, such as HIV test results, mental health records, and genetic information, are not preempted by HIPAA.
■ PHI: This is the classification for most other patient-related information that does not fall within the “PHI Restricted” category. Examples might include regular physician visits, inpatient stays, personal history, etc. If the organization has developed methods for de-identifying PHI, processes must be developed to permit broader access to the PHI after, and only after, de-identification has been completed.
■ Internal Use: All organizations have information to which they must restrict access but that is not PHI. This information may consist of financial information, real-estate market feasibility studies for clinic expansions, or decision analysis documents. A subclassification of “Internal Use” could include an “Audit” or “Confidential Financial” category that is further restricted to employees in certain departments. Other information may constitute trade secrets of the organization under state law, such as proprietary protocols, business methods, and customer lists. In order to afford this information legal protection as trade secrets, it is generally advisable to label the data as confidential and treat it as such.
■ Public: Some mistakenly believe that if the information does not fall into one of the above classifications, there are no restrictions. This is a dangerous assumption. First, newly produced information often has not yet been classified and identified. Therefore, the best practice is to identify all information, even that which is to be released to the public. Similarly, each organization should incorporate a policy in which unidentified information automatically defaults (at a minimum) to the “Internal Use” classification until otherwise classified.
The above categories are proposed as general guidelines without regard to organizational particularities. Once the classification development work is completed, however, the owners of the specific information (i.e., business office or health information management) should begin to group their departmental information into the appropriate classifications that have been identified.
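As an added illustration (not part of the original article), the following Python sketch encodes the five classifications and the access rules the list above describes: individual rather than role-based grants for Research, de-identification as the only gate to broader PHI access, and a default of Internal Use for anything not yet classified. The role names (`employee`, `clinician`, `restricted-phi`) are assumed for the example and are not taken from the article.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Classification(Enum):
    RESEARCH = "Research"
    PHI_RESTRICTED = "PHI Restricted"
    PHI = "PHI"
    INTERNAL_USE = "Internal Use"
    PUBLIC = "Public"


# Unidentified information defaults (at a minimum) to Internal Use.
DEFAULT_CLASSIFICATION = Classification.INTERNAL_USE


@dataclass
class Record:
    classification: Optional[Classification]      # None = not yet classified
    de_identified: bool = False                    # de-identification completed?
    study_grants: FrozenSet[str] = frozenset()     # user IDs matched to this record (Research only)


@dataclass
class User:
    user_id: str
    roles: FrozenSet[str]   # assumed role names: "employee", "clinician", "restricted-phi"


def effective_classification(record: Record) -> Classification:
    """Apply the default-to-Internal-Use policy for unlabelled records."""
    return record.classification or DEFAULT_CLASSIFICATION


def may_access(user: User, record: Record) -> bool:
    """Decide access from the record's classification and the user's grants/roles."""
    cls = effective_classification(record)
    if cls is Classification.PUBLIC:
        return True
    if "employee" not in user.roles:
        return False                      # everything below Public is internal at minimum
    if cls is Classification.INTERNAL_USE:
        return True
    if cls is Classification.RESEARCH:
        return user.user_id in record.study_grants   # individual matching; no role unlocks it
    if cls is Classification.PHI:
        return record.de_identified or "clinician" in user.roles   # broader only after de-identification
    if cls is Classification.PHI_RESTRICTED:
        return "restricted-phi" in user.roles        # assumed: not widened by de-identification
    return False
```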
Business unit participation
At first glance this may appear overwhelming. The process is quite manageable, however, given the appropriate set of tools employed in a reasonable order. One of the first steps should be to include the business unit managers and supervisors in the process. Although one department will ultimately be responsible for safeguarding and controlling access to the information, business unit participation in classifying the data is essential.
A key aspect of the effective implementation of the classification process is facilitating the meetings with the business units. Since there are few business unit leaders with this type of experience, the classification process owner will need to take the lead. Individual meetings with the various business group managers and supervisors keep the meeting productive. It is ill advised to have too many groups present at once. Each department perceives its sit-