Issue Date:  7/1/2002

HIPAA Privacy: Leveraging Clinical System Automation and Workflow Design (Parts 1, 2 and 3)

by Rod Walker, FACHE, FHFMA and Pelvia Woods, RN

Part 1
Health care organizations are facing the arduous task of redesigning the operational process associated with patient care in order to increase compliance with the privacy regulations of HIPAA. While HIPAA requirements may appear daunting, practical operational solutions can be achieved by combining a robust clinical system’s application tool set with a creative workflow design. Given the right tools and a workflow design process, health care organizations can address HIPAA at each juncture in the patient encounter cycle, ranging from pre-registration to the bedside encounter.

Clinical systems contain a tool set that can create or alter system functionality to better support a health care organization’s operational processes, such as HIPAA privacy compliance. The key to an organization’s success in using this approach is to ensure that its clinical systems tool set is robust and can provide the latitude and flexibility needed for adapting to new workflow designs.

This article identifies potential operational challenges posed by HIPAA privacy requirements and presents solutions that can be constructed through automation toolsets of a computerized patient record (CPR), and through creative workflow design.

Consent and authorization

How do you capture information during the first patient encounter that will meet the ongoing operational needs of all departments for HIPAA compliance?

The answer can be extracted from the HIPAA language. Covered entities must obtain consents and authorizations in order to authorize the receipt, use and release of patient identifiable information. While obtaining consents and authorizations is not new, HIPAA imposes a uniform (national) requirement to obtain authorization before receiving or acting on the information, and that requirement extends to its re-disclosure.

This challenge requires providers (covered entities) to develop a process for addressing consents and authorizations when the patient enters the organization. It's easy to develop a paper process to comply with this requirement, but in order to actually improve operational efficiencies and not create another bureaucratic process, providers must look to automating application changes and workflow process redesign.

Here's an example of a potential solution. If a CPR or financial system tool set allows for documentation of all the necessary consents and authorizations, they can be stored online as part of the patient’s medical record. If this is done, then the status of each required form can be reviewed on an as-needed basis. This makes it faster to confirm that forms are on file and shortens the cycle time for decisions that depend on properly obtained authorizations and consents.

Benefits should be realized in the following operational areas:

  • Consents for treatment/payment/health care operations (TPO) can be documented by registrars at the first encounter and displayed for business office and medical records personnel who need to confirm completion of forms before releasing information for TPO purposes. Furthermore, if a patient specifically requests that his/her information not be shared with other recipients, the request can also be documented in the CPR and made available online to medical records or business office staff without the need for someone to manually pull the paper chart out of storage. This greatly improves operational efficiency.
  • Procedure-specific authorizations can be documented in the CPR by nurses and clinicians during the patient intake assessment. This information can then be accessed online by physicians for confirmation before performing any medical procedures. Online access improves cycle time by eliminating delays associated with confirming receipt of authorizations. Also, designing CPR-based workflow as a standard part of the patient assessment eliminates errors of omission.
  • Missing consents and authorizations will always be a challenge in health care because there are many ways patients can be admitted or treated without first obtaining signatures on consents (e.g., emergencies and childbirth). When this happens, it is important for the organization to have a process for identifying patients with missing signatures. If the forms are documented online, then those without signatures can be identified. Automated tool sets can identify missing patient documents and thereby improve HIPAA compliance and operational efficiency.

Role-based access to information

How can a CPR be leveraged to ensure that access to patient information is limited to a defined set of data based on the role of the employee?

Under HIPAA, covered entities must ensure that access to patient information is limited to "minimally necessary" information rather than providing full access to everything without regard to what is needed for someone to perform their job. This speaks to the role-based design of information access. With an electronic medical record, it is easy to store and retrieve information; however, if role-based access is not included, an organization increases its chances of a privacy breach. That's why it is important to conduct an operational workflow analysis to confirm the activities associated with specific personnel so that they can be assigned appropriate information to access on the CPR.

Once workflow is documented and operational enhancements are made through process redesign, the CPR’s tool set can then be leveraged. By creating a hierarchical design for "re-disclosure" from least sensitive to most sensitive, the tool set can assign a security level to each category of information. The security levels can then be assigned to all employee types in order to ensure that each has an appropriate and minimally necessary access limit for his/her role. Defining security levels by employee type, rather than customizing them for each individual employee, is much more manageable and operationally efficient for both system deployment and ongoing system management.

Protocol-based release of information

How can an organization ensure that re-disclosure or release of information conforms to a pre-approved protocol and is also at a role-based access level?

Under HIPAA, organizations are required to exercise reasonable and appropriate measures for managing access to and release of information. While this can be done with most CPR systems, the process can be strengthened if conducted with a workflow analysis and protocol-based procedure. This determines what can be released and by whom. The CPR should be leveraged to manage release of information requests by pushing requests to the appropriate resources automatically. The result will be strong HIPAA compliance and operational efficiencies.

For example, if you build a system with defined security levels and role-based assignments, then you can also use online work queues to forward information release requests to those with appropriate security levels. A request for a copy of a discharge summary may be considered a routine or mid-level-sensitivity release and handled by the regular record release personnel in the HIM department. By documenting the request online, it can be labeled with the type of request for information and placed in the online work queues for the HIM staff based on pre-approved protocols. However, if a more sensitive request is received via court order (e.g., for psychotherapy notes, which are typically assigned the highest levels of sensitivity for re-disclosure), that request must also be documented. The CPR could recognize it as a non-routine request and route it to a medical records supervisor, who would apply a higher level of scrutiny and decision-making in responding to the request.

Another consideration comes into play when printing records from a CPR. If role-based access is tied to security levels and correlates to a specific printing function, reprinting a medical record can be limited to a protocol defined by a person's role. This ensures that if a request for information is erroneously channeled to an inappropriate resource, then the risk of having that information re-disclosed outside of the approved protocol is minimized.
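The sensitivity hierarchy, employee-type security levels, queue routing and print limits described above, as an added illustration written for this page (not a CPR vendor's tool set); the categories, roles, levels, queue names and the "court order" rule are constructed assumptions:

```python
# Sensitivity rank per information category, least to most sensitive (constructed).
SENSITIVITY = {
    "demographics": 1,
    "discharge_summary": 2,
    "lab_results": 2,
    "hiv_results": 3,
    "psychotherapy_notes": 4,
}
MOST_SENSITIVE = max(SENSITIVITY.values())

# Security level per employee type, not per individual employee (constructed roles).
ROLE_LEVEL = {
    "registrar": 1,
    "him_clerk": 2,
    "nurse": 3,
    "physician": 4,
    "him_supervisor": 4,
}

# Pre-approved protocol: requests up to this level are routine and go to the
# clerk queue; anything above, or anything arriving by court order, goes to
# the supervisor queue (assumed rule).
ROUTINE_MAX_LEVEL = 2
QUEUES = {"him_clerk": "HIM routine release",
          "him_supervisor": "HIM supervisor review"}


def sensitivity(category):
    """Unknown categories fail closed: they rank above the most sensitive one."""
    return SENSITIVITY.get(category, MOST_SENSITIVE + 1)


def can_access(role, category):
    """Minimum-necessary check: the role's level must cover the category.
    Unknown roles get level 0 and therefore see nothing."""
    return ROLE_LEVEL.get(role, 0) >= sensitivity(category)


def route_request(category, source="written request"):
    """Work queue a documented release request lands in under the protocol."""
    non_routine = sensitivity(category) > ROUTINE_MAX_LEVEL or source == "court order"
    return QUEUES["him_supervisor" if non_routine else "him_clerk"]


def can_print(role, category):
    """Reprinting is governed by the same levels, so a request erroneously
    channeled to a clerk's queue cannot be fulfilled by printing beyond
    the clerk's level."""
    return can_access(role, category)
```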

Mr. Walker is partner and COO of Negley, Ott & Associates, Inc. of Savannah, Ga. Previously, he was vice president and CIO at Forrest General Hospital in Hattiesburg, Miss. Prior to that he was the CIO at The Emory Clinic in Atlanta.

Ms. Woods is clinical systems consultant at Negley, Ott & Associates, Inc. of Savannah, Ga.

Part 2
In the first installment of this series, we explained the importance of capturing all patient encounter information to meet the ongoing operational needs of all departments and to meet the HIPAA requirements. In this installment, we'll explain how covered entities (health care providers) can automate the process of obtaining patient signatures for acknowledging the information management practices of the organization.

Under HIPAA, covered entities must inform patients about the organization’s information management practices, how they use and disclose patient information, and how they obtain signatures on consents or authorizations. While this can be done manually, the use of a computerized patient record’s (CPR) automation tool set can make the process more accurate and efficient. For example, the system can be set up to print the acknowledgement statement together with the required consents and/or authorizations at the end of the registration process, ensuring that the registration staff produce the required forms.

Furthermore, if the patient account type (outpatient, inpatient, psychiatric, lab specimen, etc.) has any bearing on which forms should be signed, then those specific forms (reports) can be generated based upon the type of account created during the registration process. Due to the frequent turnover of registration personnel, it is difficult to ensure all staff have an accurate understanding of the different types of forms that need signatures. This process can be automated to minimize errors. The same concept can also be applied in responding to requests for information re-disclosure within the medical records department. If the information being requested is associated with an authorization or consent, then staff can easily determine if the appropriate forms are already in the record.

Amendments to patient records

How can an organization ensure a proper response to patient requests for record amendments in a timely manner?

Under HIPAA, health care providers must process requests and respond within a specific time frame when patients want to update their records. While providers do not have to comply with the amendment request, they must manage the process in a timely manner. Some providers refuse record amendments for legitimate reasons but must still go through the process of responding and documenting the response. They must also explain the reason for not making the record amendment. Using the automation tool set in a CPR, the provider can document all requests online and route each to a supervisor for review in the work queue. The supervisor will determine whether or not to update the chart since this is frequently considered a non-routine request. By entering the request online with the date and time it was received, the provider can generate reports to management personnel.

Accounting for disclosures

How can an organization use the CPR to automate the reporting of disclosures and comply with HIPAA’s accounting of information release?

Providers must provide an accounting of disclosures for treatment, payment or health care operations. This means that requests for information from a patient’s record must be captured in a format that allows for subsequent reporting. By using the CPR’s tool set, organizations can document all requests and disclosures online by type of disclosure. A demand report can then show such releases for a patient's accounting.

An automated accounting approach is more accurate and efficient because it does not require records to be pulled from storage. All information access is accomplished via the nearest keyboard.

Restrictions on disclosures

How can an organization use the CPR to help manage restrictions on release of information to specific individuals or entities?

Providers must also respond to requests from patients to restrict disclosure of information to specific individuals or entities. While they do not have to comply with the restriction, if they say they will comply, then they are legally bound to do so. By using the CPR tool set to document these restrictions, registration and medical records clerks can create a record of requests for restrictions.

These requests can automatically be sent to a supervisor in the medical records department who can determine whether the restrictions are appropriate. If a patient later removes a restriction, the same documentation process and online queue can be used for managing the operational aspects. This process enables the organization to retain an audit trail of restrictions. Once the restriction is documented, it can be referenced from any PC or access device without the need to pull a paper chart.

Part 3
In the first installment of this series, we explained the importance of capturing all patient encounter information to meet the ongoing operational needs of all departments and to meet the HIPAA requirements. In the second installment, we explained how covered entities can automate the process of obtaining patient signatures for acknowledging the information management practices of the organization. In this installment, we'll discuss how a computerized patient record (CPR) can be used to augment the role of your organization's chief privacy officer.

Under HIPAA, an organizational privacy officer is the cornerstone to compliance. In order for the privacy officer to be effective in a CPR environment, he or she must be able to identify actual or potential breaches of patient information. This can be achieved if the CPR provides three basic capabilities:

Chart access audit -- Auditing access to a patient’s record should be fundamental to a CPR system. You should be able to run a demand report of all who have accessed the patient’s record. Furthermore, if this audit report can be filtered to a specific employee or patient, the privacy officer's effectiveness improves greatly.

Staff assignments -- CPR systems typically have functions that allow staff to be assigned to a specific patient. When a provider uses this function, he or she greatly improves the reporting accuracy of chart access audits. Assigning staff to a specific patient can help generate audit reports for circumstances where the access was by staff not assigned to the patient’s care. This refined reporting results in a more focused audit and improves the operational effectiveness and efficiency of the privacy officer.

Terminal address access -- The previous two capabilities help the privacy officer identify unauthorized access to charts. However, if the CPR does not have the staff assignment capability, or if the organization does not use it, then another level of unauthorized access can occur. Each computer used to access a network has a logical address. These addresses can be associated with certain locations, such as a nursing unit or a department. The address within a location can be used in conjunction with the chart access audit to identify when a device in a suspicious location (i.e., a location not in the patient care area) was used to access a patient’s record. For example, if a computer in the maintenance department is used to access a patient’s record, then it would be considered suspicious and the privacy officer should investigate.

Reprinting records

How can an organization identify when a chart has been reprinted in order to determine if the reprint was for an authorized purpose?

Most CPR systems allow for audit reporting, but this is only partially helpful in managing the release or re-disclosure process. If a CPR can print all or part of the record, then an organization should decide where that function can be used and by which personnel. Most clinicians using a CPR will want to print a chart on occasion, so it is necessary to develop a way to audit who has printed from a patient’s chart. As indicated in the previous section, the CPR can be refined by using a demand reporting function to recreate the chart, or parts of it, in hard-copy format. The reporting function can be built on user-defined tables that designate which users or roles may use it. It can also limit what can be printed based on the security levels assigned to the user.

By using data element dependency logic within the reprint function, a notice can be sent directly to the privacy officer for each reprinted record. This enables the privacy officer to know as soon as a record is printed. If the reprint function is designed to prompt the user to document the reason for the printing, then this will enhance the privacy officer's ability to discern routine (appropriate) reprints from those that are unauthorized.
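The chart access audit, staff assignments, terminal address check and reprint reason prompt described above, combined into one review as an added example written for this page (not from the article or any CPR product); the log records, assignments and address-to-location map are constructed sample data:

```python
from dataclasses import dataclass

# Patient -> set of assigned staff (constructed sample data).
ASSIGNMENTS = {
    "P1001": {"nurse_a", "dr_smith"},
    "P1002": {"nurse_b", "dr_jones"},
}

# Logical device address -> location, and which locations count as
# patient-care areas (constructed sample data).
TERMINAL_LOCATION = {
    "10.1.4.21": "3 West nursing unit",
    "10.1.4.22": "3 West nursing unit",
    "10.1.9.5": "HIM department",
    "10.1.12.40": "Maintenance department",
}
CARE_LOCATIONS = {"3 West nursing unit", "HIM department"}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    patient: str
    action: str       # "view" or "print"
    terminal: str     # logical address of the device used
    reason: str = ""  # documented reason, required for prints


def audit_event(ev):
    """Findings for one event; an empty list means the access looks routine."""
    findings = []
    if ev.user not in ASSIGNMENTS.get(ev.patient, set()):
        findings.append("user not assigned to patient")
    location = TERMINAL_LOCATION.get(ev.terminal, "unknown location")
    if location not in CARE_LOCATIONS:
        findings.append(f"access from {location} ({ev.terminal})")
    if ev.action == "print" and not ev.reason.strip():
        findings.append("reprint without documented reason")
    return findings


def demand_report(events, patient=None, user=None):
    """Chart access audit filtered to a patient and/or employee; each row
    pairs the event with its findings."""
    return [(ev, audit_event(ev)) for ev in events
            if (patient is None or ev.patient == patient)
            and (user is None or ev.user == user)]


def suspicious(events):
    """Only the events the privacy officer should investigate."""
    return [(ev, f) for ev, f in demand_report(events) if f]


SAMPLE_LOG = [  # constructed; a real CPR would supply these from its audit trail
    AccessEvent("nurse_a", "P1001", "view", "10.1.4.21"),
    AccessEvent("nurse_a", "P1002", "view", "10.1.4.22"),
    AccessEvent("dr_smith", "P1001", "print", "10.1.4.21", "copy for referral"),
    AccessEvent("tech_x", "P1001", "view", "10.1.12.40"),
    AccessEvent("dr_jones", "P1002", "print", "10.1.4.21"),
]
```

Running `suspicious(SAMPLE_LOG)` returns the three events a privacy officer would review: the nurse viewing an unassigned patient, the maintenance-department access, and the reprint with no documented reason.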

Dealing with business associates

How can an organization use the CPR to manage the information release process when dealing with business associates?

Under HIPAA, providers must secure signed agreements with business associates that govern the use and disposition of information they share with their business associates. Because many business associates are typically added and deleted every day in a health care setting, it's difficult for admissions staff, business office staff or medical records staff to keep up with whether they are authorized to re-disclose information to a business associate. By using the CPR tool set, organizations can simplify the process. If the list of approved business associates is maintained in a user-defined database, it can be linked into the record-reprinting function. By doing this, the approved list of recipients can be displayed each time a provider responds to a request for information. That way, no matter how often the list changes, the clerical staff processing the request need only pull up the list to know if the recipient is authorized. This eliminates having to type listings and send them through interoffice mail and prevents the headaches of wondering whether the staff has the most recent listing.

Improving compliance

Is it really better to use a CPR tool set and workflow redesign approach to improve compliance with HIPAA?

While many health care organizations have already started deploying a CPR, many still rely on the paper record. HIPAA is coming, but it does not require a CPR. However, it does stipulate that providers begin to migrate toward more electronic platforms in order to support EDI, which is the foundation of anticipated cost savings and one of the primary reasons for HIPAA.

If an organization has embarked on the CPR journey or plans to do so soon, IT executives and administrators should evaluate how the CPR can be leveraged to not only improve operational efficiencies, but also to demonstrate greater compliance with the regulations. Otherwise, the organization is likely to maintain two separate and duplicate operating environments and end up being less efficient operationally once a CPR system is deployed.

Copyright ©2003 Merion Publications
2900 Horizon Drive, King of Prussia, PA 19406 • 800-355-5627
Publishers of ADVANCE Newsmagazines
www.advanceweb.com