Embed Size (px)
Citation preview
Overcoming Overcoming Organizational Resistance Organizational Resistance to HIPAA Complianceto HIPAA Compliance
Anna SlomovicAnna SlomovicVice President for Public PolicyVice President for Public Policy
FHC Health SystemsFHC Health Systems
February 2002
2
Organizational “physics”Organizational “physics”
An organization at rest tends to stay An organization at rest tends to stay at rest and an organization in motion at rest and an organization in motion tends to stay in motion with the tends to stay in motion with the same speed and in the same same speed and in the same direction direction unless acted upon by an unless acted upon by an unbalanced forceunbalanced force
With apologies to Sir Isaac NewtonWith apologies to Sir Isaac Newton
3
““We don’t have to worry about We don’t have to worry about HIPAA”HIPAA”
““We already worry about patient privacy”We already worry about patient privacy” The One Minute AssessmentThe One Minute Assessment
“ “We don’t deal with medical We don’t deal with medical records”records”
Explain the definition of PHIExplain the definition of PHI ““I am not a clinician”I am not a clinician” Define everyone’s responsibilitiesDefine everyone’s responsibilities
““We give data to customers We give data to customers because it’s their data”because it’s their data” Discuss data control provisionsDiscuss data control provisions
4
OutlineOutline
FHC Health Systems and ValueOptionsFHC Health Systems and ValueOptions
Approach to HIPAA implementationApproach to HIPAA implementation
From implementation to complianceFrom implementation to compliance
5
FHC Health SystemsFHC Health Systems
ValueOptions: managed behavioral health, including mental health, substance abuse and workplace services
CS&O: Internet-based outcomes management, service tracking and survey tools
ABS: behavioral health services, including acute psychiatric care, residential, therapeutic group homes, therapeutic foster care, alternative and special education. ABSolute IS: practice management software for behavioral health
StayStat: personal medical information manager
FirstLab: TPA for drug and alcohol testing programs, Clozapine Support Services, general lab services
6
ValueOptionsValueOptions
Covered Lives: 23 million
Customers: 1,000+
Contracted Providers: 40,000+
Contracted Facilities: 2000+
Locations: 20
Subsidiaries: 25
Employees: ~4100
Licenses: ~ 75
7
““Layered” HIPAA-related issuesLayered” HIPAA-related issues
Several types of “covered entities” and Several types of “covered entities” and business associatesbusiness associates
Multiple covered functions within one Multiple covered functions within one entityentity
Required variations based on market Required variations based on market segment and customer requirementssegment and customer requirements
State law pre-emptionState law pre-emption
Mental health and substance abuse often Mental health and substance abuse often have greater protection than other health have greater protection than other health
informationinformation
8
OutlineOutline
FHC Health Systems and ValueOptionsFHC Health Systems and ValueOptions
Approach to HIPAA implementationApproach to HIPAA implementation
From implementation to complianceFrom implementation to compliance
9
What Type Of “Covered Entity” What Type Of “Covered Entity” Is ValueOptions?Is ValueOptions? ProviderProvider
EAP “staff model”EAP “staff model” Walk-in clinicsWalk-in clinics
Health PlanHealth Plan HMOHMO
Business AssociateBusiness Associate UM/TPAUM/TPA Case managerCase manager
Not coveredNot covered HousingHousing Foster placementFoster placement
Affiliated Covered
Entity, Health Plan
Relationship varies in each
contract
10
Operational Implications of Operational Implications of HIPAA Privacy Final RuleHIPAA Privacy Final Rule Agreement on common elements for all Agreement on common elements for all
operationsoperations NoticesNotices Policies, procedures and formsPolicies, procedures and forms Business Associate and confidentiality agreementsBusiness Associate and confidentiality agreements Product and service offeringsProduct and service offerings
Operating within a multitude of state and Operating within a multitude of state and federal lawsfederal laws Service centers serving multiple statesService centers serving multiple states Customers with members in multiple statesCustomers with members in multiple states Evolving judicial and regulatory environment and Evolving judicial and regulatory environment and
public interest in privacy issuespublic interest in privacy issues
11
Specific Operational IssuesSpecific Operational Issues Data communicated to clientsData communicated to clients
Reporting what and to whomReporting what and to whom Under what conditions (e.g., employer certifications)Under what conditions (e.g., employer certifications)
Member access to own informationMember access to own information Data set that can be inspectedData set that can be inspected Process for processing inspection requestsProcess for processing inspection requests Process for allowing member to request amendment to own Process for allowing member to request amendment to own
record or to insert note of disagreement with refusalrecord or to insert note of disagreement with refusal Audit (6 years)Audit (6 years)
Tracking that valid authorization has been receivedTracking that valid authorization has been received Tracking who accessed record and for what purposeTracking who accessed record and for what purpose
““Minimum necessary” disclosureMinimum necessary” disclosure Defining “role-based” accessDefining “role-based” access Defining and reviewing releases based on type of requestDefining and reviewing releases based on type of request
12
Designing An Implementation Designing An Implementation ProgramProgram
Centralized
Decentralized
Guidance from the centerDetails from the field
Maximum peer-to-peer interaction
13
Chosen Approach: A Privacy Chosen Approach: A Privacy ProgramProgram
Service centersCorporate departments
Privacy Coordinators
Network (PCN)
Central project plan, Central project plan, updated twice a updated twice a monthmonth
Dedicated project Dedicated project managermanager
Group meets by Group meets by phone twice a monthphone twice a month Working sessionsWorking sessions Overall updatesOverall updates
Project detail added Project detail added by PCN for own by PCN for own function or SCfunction or SC
14
Break Large Effort Into SegmentsBreak Large Effort Into Segments
Relationships with other entities• Business associate provisions• Routine disclosures• Responding to RFIs
Relationships with members
• Notice of practices• Consent, authorization,
opportunity to object• Access, accounting,
amendment• Alternative
communication• Restriction on further
disclosures• Personal
representatives• Problem resolution
Internal operations• Confidentiality
policies• Disclosure by
computer, phone, fax • Use of information
off-site • Role-based access• Security
enhancements• Review of uses • Verification of identity• De-identification of
data• Staff training • Mitigation of
breaches• Revision of ERISA
docs and HR operations
Relationships with providers• Consent and authorization• Secure data exchange
Relationships with customers• Releases by customer type• Applicability of state laws• Contractual arrangements
Definitions and policies: “Designated Record Set”, “Treatment,
Payment, Healthcare
Operations”
15
Corporate Center’s RoleCorporate Center’s Rolein HIPAA Implementationin HIPAA Implementation Remediate information systems for Transactions Remediate information systems for Transactions
and Code Setsand Code Sets Deploy systems capabilities to meet privacy and Deploy systems capabilities to meet privacy and
security requirementssecurity requirements Guide and coordinate the PCNGuide and coordinate the PCN Update project plan and report to executive Update project plan and report to executive
sponsorssponsors Develop templates for tools and training materialsDevelop templates for tools and training materials Develop policies, procedures and forms when Develop policies, procedures and forms when
centralization makes sensecentralization makes sense Coordinate state law preemption analysisCoordinate state law preemption analysis Coordinate HIPAA initiatives with other corporate Coordinate HIPAA initiatives with other corporate
initiativesinitiatives
16
Field Office Roles Field Office Roles in HIPAA Implementationin HIPAA Implementation
Understand the regulationsUnderstand the regulations Track HIPAA developments in the state and Track HIPAA developments in the state and
share with PCN and Corporateshare with PCN and Corporate Work on implementation with the PCNWork on implementation with the PCN
Modify tools and forms as necessaryModify tools and forms as necessary Collect information about operationsCollect information about operations Implement policies and procedures developed by PCNImplement policies and procedures developed by PCN
Work with Corporate IT on Transactions and Work with Corporate IT on Transactions and Code Sets remediation, privacy and securityCode Sets remediation, privacy and security
Educate service center workforce and other Educate service center workforce and other stakeholdersstakeholders
17
Peer-to-Peer InteractionsPeer-to-Peer Interactions
Market segment work groups Market segment work groups (employers, health plans, public sector)(employers, health plans, public sector) Discuss issues and examplesDiscuss issues and examples Design Designated Record SetsDesign Designated Record Sets Review draft policies and proceduresReview draft policies and procedures Create uniform processes and work flowsCreate uniform processes and work flows
Share what works across work groupsShare what works across work groups ““HIPAA tickets”HIPAA tickets” Training experience and materialsTraining experience and materials
18
The Balancing ActThe Balancing Act
Advantages:
•Drives understanding through the organization
•Uses local knowledge
•Integrates with corporate initiatives
Challenges:
•Time-intensive•Difficult to balance with other job responsibilities for PCN
•Logistically complex
19
OutlineOutline
FHC Health Systems and ValueOptionsFHC Health Systems and ValueOptions
Approach to HIPAA implementationApproach to HIPAA implementation
From implementation to complianceFrom implementation to compliance
20
Does Your Organization Need A Does Your Organization Need A Privacy Function?Privacy Function?
Privacy OfficerPrivacy Officer Compliance OfficerCompliance Officer Track privacy laws, Track privacy laws,
regulations and court regulations and court cases in multiple cases in multiple industriesindustries
Track healthcare laws, Track healthcare laws, regulations and court casesregulations and court cases
Balance business and Balance business and privacy concernsprivacy concerns
Balance business and all Balance business and all compliance considerationscompliance considerations
Participate in new Participate in new product developmentproduct development
Participate in new product Participate in new product developmentdevelopment
Work on breaches of Work on breaches of privacyprivacy
Work on compliance Work on compliance problems, including problems, including breaches of privacybreaches of privacy
Privacy is highly visible among regulators and plaintiff’s lawyers!
21
Fold Privacy Into General Fold Privacy Into General ComplianceCompliance
Incorporate HIPAA requirements into Incorporate HIPAA requirements into existing P&Psexisting P&Ps
Use the same coordination and approval Use the same coordination and approval mechanisms when appropriatemechanisms when appropriate
Use the same training and Use the same training and implementation processes when implementation processes when appropriateappropriate
HIPAA is an opportunity to examine and improve existing compliance structures
22
Create Many ExpertsCreate Many Experts Local privacy and compliance committeesLocal privacy and compliance committees Databases of answersDatabases of answers
ProposalsProposals QuestionnairesQuestionnaires Contract clauses and formsContract clauses and forms
Easy access to centralized resourcesEasy access to centralized resources HIPAA implementation teamHIPAA implementation team Intranet-based informationIntranet-based information External resourcesExternal resources
It’s much easier to provide evidence of compliance if everyone knows how to spell
HIPAA!
23
““An Unbalanced Force”An Unbalanced Force”
Be patient and persistent
Make noise
Help with the work
Become an expert
