Are you ready for HIPAA? Time is now, experts say
Are you ready for HIPAA? Time is now, experts say
Training plans should top the list
What is your access department doing to prepare for the day the Health Insurance Portability and Accountability Act (HIPAA) of 1996 becomes effective? Though that day is a little less than two years away, hospitals are well-advised to take action now, say those in the forefront of HIPAA study and preparation.
"[Access managers] need to get started now," says Edith Albert, RHIA, CCS, director of health information and transcription for Catholic Healthcare West Medical Foundation in Sacramento, CA. "There are a lot of things that need to be done. The most time-consuming [ones] will be setting up training and making sure every employee has the proper amount." Also key, Albert says, is reviewing policies, procedures, and the numerous contracts involved to ensure the language adheres to HIPAA guidelines. "It’s amazing how many contracts an organization has," she adds.
It may be worthwhile, but it’s not cheap. For her region, which includes six MedClinics and two hospital units known as Woodland Healthcare and Clinics and Sacramento Mercy Healthcare, the last budget included an estimate of $12 million for HIPAA preparation, Albert notes.
Catholic Healthcare West recently completed a HIPAA assessment, Albert says, after bringing in consultants from Deloitte and Touche to help prepare the assessment tool. "There were a number of questions taken out of the regulations, like, Does a [privacy] policy exist? Is the language adequate to meet the [HIPAA] privacy rules?’" The organization did the actual assessments by region.
The result, she says, was a large document, color-coded to indicate the organization’s score for the three main parts of HIPAA — electronic data interchange (EDI), privacy, and security. While the EDI and privacy sections have been finalized, Albert notes, there still is some tweaking going on with the privacy regulations and some changes may be made.
The changes to the final privacy rule are expected to lessen the burden on providers, says Julie J. Welch, MBA, RHIA, a Chicago-based consultant with Cap Gemini Ernst & Young, but no one knows what the changes will be. "I assume they will be based on the comment period in March." The federal Department of Health and Human Services, she notes, solicited more comment on the privacy regulations March 1-30.
Four faces of HIPAA
The final rule for the security section, which also includes employer and provider identifiers, was to be published sometime this year, Welch says. HIPAA actually is formally divided into four sections, she adds, which are security and privacy of health information; standardized health information transactions; standardized code sets; and national identifiers for providers, health plans, and employees.
Although there is "some overlap" between the privacy and security provisions, Albert notes, the decision was made at her organization to put the security portion under the responsibility of information systems (IS). "There was a lot to do with electronic systems, in connection with the physical security of the facility." The security assessment included a physical walk-through of the facility, as well as sending out questionnaires to certain managers, she adds.
To assess readiness regarding HIPAA’s privacy section, a document request for all policies and procedures relating to privacy issues was done, Albert says. Addressed were methods of communication, release of patient information, how records are transported, whether patients’ names were visible to other patients, and how computers are set up, she adds.
Also requested was a listing of all contracts, Albert notes. "These have to be reviewed for specific language." For example, she says, the organization’s overflow transcription work is outsourced, so the contract with that vendor has to include language specifying that the information will not be disclosed.
As regard to computers, Albert says, "we have some work to do. We have some computer systems that are being sunset — they just won’t cut it for HIPAA because they don’t have secure passwords." Most of the concerns, she adds, are with the way computer programs are accessed rather than with such issues as firewalls. "Some of the fixes are simple, but [the process] becomes costly with the replacement of computer systems and renovations for the security of the plant."
Privacy for patients
In a couple of facilities with open admissions areas, those spaces are being redesigned so that patients can speak privately with registrars, Albert says. For health information management (HIM) areas, she notes, there are locks on the doors, with name tag or keypad access to ensure only authorized personnel get in.
One of the biggest risk areas to be addressed, Albert says, is the education of people regarding where they put discard paper that has patient information on it. "Chart requests are printed off all day long, with extra copies that we find in the trash," she adds. "It’s a huge retraining effort. How do we ensure their competency?"
It’s a given, Albert says, that the organization’s shredder volume will increase — yet another contract to be looked at for most hospitals. For Catholic Healthcare West, that concern is simplified, she notes. "We have a company that brings its equipment, comes on-site, parks in our lot, and shreds the documents here."
HIPAA and new system coincide
At Touro Infirmary in New Orleans, the upcoming installation of a new computer system coincides fortuitously with HIPAA preparation, says Beth Ingram, CHAM, director of patient business services. "As part of that implementation, we are addressing the IS pieces of it."
As for the other pieces of HIPAA, Ingram says she believes that when all is said and done, there will be some new interpretations that "may lessen the blow" of the original regulations. For example, she notes, "in the original regulations, you have to have a release from the patient to give information to consulting physicians. It looks like some of that will be softened so it’s not so complicated. They don’t want patients to be held up, to be impacted [negatively] by the regulations."
Another example of a requirement that might be softened, Ingram explains, would affect the process of preregistering a patient, getting all of the insurance information in advance, so the patient can go directly to have the procedure. "If you have to wait to get a signature [consenting to the release of information] before being able to call [the insurance company], you couldn’t get that pre-cert. It looks like when we see the final regulations, things might be better, but we can’t say that with certainty."
Meanwhile, Ingram notes, "every vendor we deal with, every contract we write, every new form we develop, we take the HIPAA regulations into consideration. Our vendor arrangements talk about confidentiality and the privacy and protection of transmitted data, and it’s stronger than the old confidentiality language."
Another issue her organization has addressed is the practice of "having the clipboard out and having the patients sign in," she says. "We don’t do that. We have somebody who writes down that information so it’s not in a place where everybody can see."
Additionally, Ingram notes, "our employees have been reschooled that if they walk away from the computer terminal, they turn it off." Initially, she was concerned about whether HIPAA prohibited calling out a person’s name in the waiting area, Ingram says, "but I don’t see that in the final regulations."
Although there had been some question at her hospital about whether HIPAA called for glass-enclosed registration areas to ensure privacy, that concern was alleviated, she adds, by surveyors with the Joint Commission on Accreditation of Healthcare Organizations, which just completed a visit there. "They indicated that they didn’t think we had a privacy issue in the design of those areas, that [glass-enclosed areas] weren’t necessary."
While she has heard reports of hospitals spending from $11 million to $30 million on HIPAA readiness, Ingram notes, "it helped us that we already had a change planned. We are coupling [HIPAA changes] — like firewalls to protect the transmission of data — with the re-engineering and implementation effort associated with the new computer system. We will definitely do and spend what it takes."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.