Vol. 7 Issue 1 Page 8
HIPAA Privacy Requirements
This article
presents an operational approach to leveraging clinical system automation and
workflow design.
Health care
organizations are facing the arduous task of redesigning the operational
processes associated with patient care delivery in order to increase compliance
with the privacy regulations of HIPAA. While HIPAA requirements may appear
daunting, practical operational solutions can be achieved by combining a robust
clinical system's application toolset with a creative workflow design. Given
the right tools and workflow design process, health care organizations can
address HIPAA requirements at each juncture in the patient encounter cycle,
ranging from pre-registration to the actual bedside encounter.
Every clinical
system contains a fundamental toolset that can be used to create or alter system
functionality to better support a health care organization's operational
processes, such as HIPAA privacy requirement compliance. The
key to an organization's success when employing this approach for HIPAA is to
ensure that its clinical system's toolset is truly robust enough to
provide the latitude and flexibility necessary for adapting to new workflow
designs.
In the following
sections, this article will identify potential operational challenges posed by HIPAA's privacy requirements and possible solutions that
could be constructed through the automation toolsets of a computerized patient
record (CPR) plus creative workflow design.
Consents and authorizations
How can you
capture information at the first patient encounter that will meet the ongoing
operational needs of all departments for HIPAA compliance?
Under the
revised HIPAA final regulations, covered health care entities are no longer
required to obtain consents. However, many organizations still intend to obtain
patient consents in order to permit the receipt, use and release of patient
identifiable information in accordance with state laws for treatment, payment
and health care operations (TPO).
Furthermore, the
HIPAA privacy rule requires covered entities to obtain an authorization for
uses and disclosures for purposes other than TPO. It is possible for providers
to develop a process of addressing the consents and authorizations upon patient
entry into the organization. It is easy enough to develop a paper process in
theory to comply with state requirements or organizational policy, but in order
to actually improve the operational efficiencies and not create a bureaucratic process, providers must look to automation application
changes and workflow process redesign.
If the CPR
toolset allows for the documentation of whether the registration area obtained
all the necessary consents and authorizations, the documentation can be stored
online as part of the patient's electronic medical record. The status of each
required form could be accessed for review at key junctions of the care
delivery process on an as-needed basis. This will significantly improve the
timeliness of confirming status for required forms and enable better cycle time
associated with decisions contingent upon properly obtaining authorizations and
consents.
Consents for TPO
can be documented by registrars at the first encounter and displayed later for
business office and medical records personnel who need to confirm completion of
forms prior to releasing information for TPO purposes.
Procedure-specific
releases (i.e., informed consent forms) can be documented in the CPR by nursing
staff during the patient intake assessment process and then accessed online by
physicians when needed for confirmation prior to performing invasive procedures.
Missing consents
and authorizations will always be a challenge in health care because there are
many ways of admitting or treating patients without obtaining consent
signatures up front. If the forms are documented online, then the lack of
signatures can be identified via automation in the form of reports and online
work queue notifications. Through the use of automation toolsets, missing
patient documents can be identified easily, thus improving compliance with
HIPAA, state laws or organizational policy in an efficient manner.
Role-based access to information
How can a CPR
be leveraged to ensure that access to patient information is limited to a
defined scope of data based on the role of the employee?
Under HIPAA,
covered entities are required to ensure that the scope of access to patient
information within the organization is limited to the
"minimum-necessary" level rather than providing full access to all
patient information without regard to what is needed by the employee or
contractor to perform his or her job. With an electronic medical record, it is
easy to store and retrieve information. However, if a CPR is not installed with
role-based access in mind, an organization can increase its risks of breach. It
is important to conduct operational workflow analysis to confirm the activities
associated with specific personnel so that they can be assigned an appropriate
scope of information for access through the CPR.
Once a workflow
has been documented, the CPR's toolset can then be leveraged. By creating a
hierarchical design that prioritizes the scope of information from least to
most sensitive with regard to re-disclosure, the toolset can then be used to
assign security levels to each scope definition of information. Approved
security levels can be assigned to each employee type to ensure that the
employee has appropriate and minimally necessary access limitation for his or
her role.
Protocol-based release of information
How can an
organization ensure that re-disclosure or release of information conforms to a
pre-approved protocol and is also determined by a role-based access level?
Under HIPAA,
organizations are required to exercise reasonable and appropriate measures for
managing the access to and release of information.
While this can be done technically with most CPR systems, it can be greatly
strengthened if done in conjunction with a workflow analysis design using
protocol-based procedures for determining what can be released and by whom. If
the CPR is leveraged to manage requests for release of information by routing
the requests to the appropriate resources within the organization in an
automated fashion, the process can result in both strong HIPAA compliance as
well as significant operational efficiencies. This can be accomplished using
online work queues in a CPR; if structured as a basic part of the organic
functionality, the work queues may significantly increase operational
efficiencies.
Another
consideration involving protocol access and release of information comes into
play with the actual printing of records from a CPR. If the role-based scope of
access is tied to security levels and the scope is correlated to a specific
printing function, the reprinting of a medical record can also be limited to a
protocol-defined scope of information based on the personnel role involved.
This can further ensure that if a request for information is erroneously
channeled to the wrong resource without the appropriate security levels, then
the risk of having that information re-disclosed outside of the approved
protocol is minimized.
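The hierarchy described in the two preceding sections can be expressed directly in code. The following is an added example written for this page, not the article's or any CPR vendor's toolset: chart sections are ranked from least to most sensitive with regard to re-disclosure, each employee type receives a viewing level and a separate, never-higher printing level (the protocol-defined reprint scope), and both checks fail closed for unknown roles or sections. The section names, role names and level numbers are constructed for illustration.

```python
"""Minimum-necessary access scopes for a CPR, ranked by sensitivity.

Added illustration for this page; not code from the article or from any
CPR product. Section names, roles and level numbers are constructed.
"""
from dataclasses import dataclass

# Chart sections ranked from least (1) to most (4) sensitive with regard to
# re-disclosure. Constructed ordering for the example.
SENSITIVITY = {
    "demographics": 1,
    "visit_schedule": 1,
    "billing": 2,
    "vitals": 2,
    "medications": 3,
    "progress_notes": 3,
    "psychotherapy_notes": 4,
}


@dataclass(frozen=True)
class Role:
    """An employee type with a clearance for viewing and a separate one for
    printing. The print level may never exceed the view level, so a role
    cannot put on paper what it may not see on screen."""
    name: str
    view_level: int
    print_level: int

    def __post_init__(self) -> None:
        if self.print_level > self.view_level:
            raise ValueError(f"{self.name}: print level exceeds view level")


# Constructed role definitions; a real organization derives these from its
# workflow analysis of what each job actually needs.
ROLES = {
    "registrar": Role("registrar", view_level=1, print_level=1),
    "billing_clerk": Role("billing_clerk", view_level=2, print_level=2),
    "nurse": Role("nurse", view_level=3, print_level=2),
    "attending_physician": Role("attending_physician", view_level=4, print_level=3),
    "medical_records": Role("medical_records", view_level=4, print_level=4),
}


def can_view(role_name: str, section: str) -> bool:
    """True when the role's viewing clearance covers the section.
    Unknown roles or sections are denied (fail closed)."""
    role = ROLES.get(role_name)
    level = SENSITIVITY.get(section)
    if role is None or level is None:
        return False
    return level <= role.view_level


def can_print(role_name: str, section: str) -> bool:
    """Printing is checked against the stricter print level, which is the
    protocol-defined reprint scope for that role."""
    role = ROLES.get(role_name)
    level = SENSITIVITY.get(section)
    if role is None or level is None:
        return False
    return level <= role.print_level


def printable_scope(role_name: str) -> list[str]:
    """Sections a role may reprint, in name order."""
    return sorted(s for s in SENSITIVITY if can_print(role_name, s))


def viewable_not_printable(role_name: str) -> list[str]:
    """Sections a role may read on screen but not reprint; this gap is what
    stops a misrouted release request from leaving the building on paper."""
    return sorted(s for s in SENSITIVITY
                  if can_view(role_name, s) and not can_print(role_name, s))


def validate_role(name: str, view_level: int, print_level: int) -> bool:
    """Whether a proposed role definition respects the print <= view rule."""
    try:
        Role(name, view_level, print_level)
    except ValueError:
        return False
    return True
```

Keeping the print level as a separate attribute, rather than deriving it from the view level, is what lets the printing function be tied to its own security level as the article suggests: a nurse can read a medication list at the bedside without being able to produce a copy of it.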
Patient information policies and procedures
How can
covered entities (health care providers) automate the process of obtaining
patient signatures for acknowledging the information management practices of
the organization?
Under HIPAA
final regulations, a health care provider must obtain an acknowledgement from
the patient that he or she has received the entity's Notice of Privacy
Practices no later than the date of the first service delivery after April 14,
2003 (except in emergency cases). While this acknowledgment may be documented
manually, the use of a CPR's automation toolset can greatly improve the
accuracy and operational efficiencies of the process. For example, the printing
of acknowledgement statements as well as the required consents and/or
authorizations as an automatic report at the end of a registration process
ensures production of all the required forms as a reminder to the registration
staff.
This process can
also trigger the correct forms to print based on various criteria such as
patient type. Due to the frequent turnover of registration personnel in a
health care setting, it is difficult to ensure that all staff have an accurate understanding of the different types of
forms that require signatures. This process can be automated to minimize the
risk of error.
Amendments to patient records
How can an
organization ensure that it responds to patient requests for record amendments
in a timely manner compliant with HIPAA-specified time periods?
Under HIPAA, a
health care provider is required to process a request and respond within a
specific time period when patients want to update their records. While the
provider does not have to comply with the amendment request, it must manage the
process in a timely manner.
By using the
automation toolset of a CPR, the provider can document all requests of this
type online and have them routed to an online work queue for a
supervisory-level resource to review. By entering the request online (with date
and time received), the provider can produce automatic reporting to management
personnel of all requests for which a timely response has not been received.
Accounting of disclosures
How can an
organization use the CPR to automate the reporting of disclosures and comply with
HIPAA's requirement to provide an accounting of
information release?
Under HIPAA,
providers are required to provide an accounting of disclosures for purposes
other than TPO and other limited disclosures. Requests for information
involving a patient's record must be recorded in a way that allows subsequent
reporting in response to a patient's request for an accounting. By using the
CPR's toolset, organizations can procedurally document all requests and
disclosures online by type of disclosure. When this is done, a demand report
can be produced to reflect such releases whenever a patient requests an
accounting. An automated approach is much more accurate and efficient since it
does not require pulling the record from the storage area upon receipt of requests
for information or accountancy. Requests are handled via the nearest keyboard.
Restrictions to disclosures
How can an
organization use the CPR to help manage restrictions on releasing information
to specific individuals or entities?
Under HIPAA, providers
are required to respond to requests from patients to restrict disclosure of
information to specific individuals or entities. While providers do not have to
comply with the restriction, if they say they will comply, then they are
legally bound to do so. By using the CPR toolset to document these restrictions
in a specific section of the online chart, registration and medical records
clerks can easily create a record of requests for restrictions. These requests
can be automatically sent via online work queue to a supervisory resource
within the medical records department who can determine whether to agree to the
restriction. That decision must be communicated back to the patient;
communication can be accomplished via automatic report generated in response to
the supervisor documenting the decision.
If a restriction
is agreed to and subsequently removed by the patient, the same process of
documentation and online work queue can be utilized by the organization to
manage the operational aspects of this requirement. The organization retains an
audit trail record of restrictions with dates of activation and suspension, a
necessity when a restriction is lifted and the patient subsequently questions
why information was released to the previously restricted recipient. Further,
once the restriction is documented online, it can be referenced from any PC or
access device without pulling a paper chart from storage. This procedure
represents a more efficient operational process and promotes greater HIPAA
compliance.
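The "accounting of disclosures" and "restrictions to disclosures" sections describe one ledger seen from two sides: every release is recorded by type so a demand report can be produced, and every agreed restriction is checked against the recipient before a release and kept, with its activation and suspension dates, after it is lifted. The block below is an added example for this page, not code from the article or from any CPR product; recipients, purposes, patient ids and dates are constructed sample data, and only the TPO exclusion the article names is modelled.

```python
"""Disclosure ledger with agreed restrictions and an accounting report.

Added example for this page's 'accounting of disclosures' and 'restrictions
to disclosures' sections; not code from the article or any CPR product.
Recipients, purposes, ids and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Disclosures for treatment, payment and health care operations (TPO) are
# not part of the accounting a patient may request.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Restriction:
    recipient: str
    activated: date
    suspended: Optional[date] = None  # None while still in force

    def active_on(self, when: date) -> bool:
        """In force from the activation date up to, not including, the day it was lifted."""
        if when < self.activated:
            return False
        return self.suspended is None or when < self.suspended


@dataclass
class Disclosure:
    when: date
    recipient: str
    purpose: str
    description: str


@dataclass
class PatientLedger:
    patient_id: str
    restrictions: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)
    refused: list = field(default_factory=list)  # requests blocked by a restriction

    def agree_restriction(self, recipient: str, on: date) -> None:
        """The supervisor agreed to the request; the organization is now bound by it."""
        self.restrictions.append(Restriction(recipient, on))

    def lift_restriction(self, recipient: str, on: date) -> bool:
        """The patient removed the restriction; close the record, never delete it."""
        for r in self.restrictions:
            if r.recipient == recipient and r.suspended is None:
                r.suspended = on
                return True
        return False

    def restricted_on(self, recipient: str, when: date) -> bool:
        return any(r.recipient == recipient and r.active_on(when)
                   for r in self.restrictions)

    def record_disclosure(self, when: date, recipient: str,
                          purpose: str, description: str) -> bool:
        """Record the release, or refuse it when an agreed restriction covers
        the recipient on that date. Both outcomes stay in the ledger."""
        entry = Disclosure(when, recipient, purpose, description)
        if self.restricted_on(recipient, when):
            self.refused.append(entry)
            return False
        self.disclosures.append(entry)
        return True

    def accounting(self) -> list:
        """Demand report for the patient: every disclosure other than TPO."""
        return [d for d in self.disclosures if d.purpose not in TPO_PURPOSES]

    def restriction_history(self, recipient: str) -> list:
        """Audit trail of activation and suspension dates, which answers
        'why was this released?' after a restriction was lifted."""
        return [(r.activated.isoformat(),
                 r.suspended.isoformat() if r.suspended else None)
                for r in self.restrictions if r.recipient == recipient]


def demo_ledger() -> PatientLedger:
    """Constructed scenario: a restriction is agreed, honored, then lifted."""
    ledger = PatientLedger("P1001")
    ledger.agree_restriction("Acme Life Insurance", date(2003, 2, 1))
    ledger.record_disclosure(date(2003, 2, 15), "Acme Life Insurance",
                             "underwriting", "records request")   # refused
    ledger.record_disclosure(date(2003, 2, 20), "Referral Clinic",
                             "treatment", "consult summary")       # TPO, not reportable
    ledger.lift_restriction("Acme Life Insurance", date(2003, 3, 1))
    ledger.record_disclosure(date(2003, 3, 10), "Acme Life Insurance",
                             "underwriting", "records request")   # released
    ledger.record_disclosure(date(2003, 3, 12), "County Health Dept",
                             "public_health_reporting", "case report")
    return ledger
```

The refused request is kept alongside the completed disclosures so that the answer to a later question about the February release attempt, and about the March release after the restriction was lifted, comes from the same online record rather than from a chart pulled from storage.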
Privacy officer role
How can a CPR
be used to augment the role of a privacy officer?
Under HIPAA, the
privacy officer is a cornerstone of compliance. In order for a privacy officer
to be effective in a CPR environment, however, the CPR must be leveraged in
ways that help identify actual or potential breaches of patient information. This can be achieved if the CPR provides for
three basic capabilities:
Chart access audit. Auditing access to a patient's record should be fundamental to most CPR systems. A CPR system usually has the ability to run a demand report of all attempts to access a patient's record.
Staff assignments. CPR systems typically allow for staff to be
assigned to or associated with the care of a specific patient. When a provider
uses this function, it greatly improves the reporting accuracy on chart access
audits. Assigning staff to a specific patient's care can generate the chart
access audit reports for circumstances in which personnel not assigned to the
patient's care accessed information.
Reprinting of records. How can an organization identify when a
chart is reprinted in order to determine if the reprint was for an authorized
purpose? Although most CPR systems allow for an audit reporting capability,
this is only partially helpful in managing the release or re-disclosure
process. If a CPR has the ability to print all or parts of the record, then an
organization should selectively decide where that function can be used and by
which personnel. Since most clinical personnel using a CPR will want to print
chart sections on occasion, it is necessary to develop a means to audit who has
printed from a patient's chart in order to determine if that printing was
appropriate. This can be easily achieved by programming the CPR to log all
printing functions by staff who are not assigned to
the care of patients. The log can then be used to report and monitor the
printing of charts.
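The three capabilities above combine into one report: the chart access audit supplies the events, the staff assignments supply the expected readers, and printing events by anyone outside those assignments are pulled out for review. The following is an added example for this page, not code from the article or from any CPR vendor; the audit extract format, user ids, patient ids and assignments are constructed. Release-of-information staff are treated as a separate class whose prints are expected but still listed for comparison against the release protocol.

```python
"""Chart access and print audit against staff assignments.

Added example for the privacy-officer section of this page; not code from
the article or any CPR vendor. Log format, users, patients and assignments
are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed CPR audit extract: one access event per line.
AUDIT_LOG = """\
timestamp,user,patient,action,section
2003-01-06T08:02:11,rn_torres,P1001,view,vitals
2003-01-06T08:05:40,rn_torres,P1001,print,medications
2003-01-06T08:11:03,md_chen,P1001,view,progress_notes
2003-01-06T09:30:27,clerk_ibarra,P1001,view,demographics
2003-01-06T09:31:02,clerk_ibarra,P1001,print,progress_notes
2003-01-06T10:45:19,rn_torres,P1002,view,medications
2003-01-06T11:00:00,him_patel,P1002,print,progress_notes
"""

# Constructed staff assignments: users associated with each patient's care.
ASSIGNMENTS = {
    "P1001": {"rn_torres", "md_chen"},
    "P1002": {"rn_okafor", "md_chen"},
}

# Constructed: medical records staff whose job is release of information.
# Their prints are expected, but are still listed for protocol review.
RELEASE_ROLES = {"him_patel"}


def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def unassigned_events(events: list, assignments: dict) -> list:
    """Events by personnel not assigned to the patient's care. A patient with
    no assignment record treats every access as unassigned (fail closed)."""
    return [e for e in events
            if e["user"] not in assignments.get(e["patient"], set())]


def print_exceptions(events: list, assignments: dict, release_roles: set) -> list:
    """Prints by staff neither assigned to the patient nor in a release role."""
    return [e for e in unassigned_events(events, assignments)
            if e["action"] == "print" and e["user"] not in release_roles]


def release_prints(events: list, assignments: dict, release_roles: set) -> list:
    """Prints by release-of-information staff, to be checked against the protocol."""
    return [e for e in unassigned_events(events, assignments)
            if e["action"] == "print" and e["user"] in release_roles]


def counts_by_user(events: list) -> dict:
    """Views and prints per user, for spotting unusual volume."""
    counts = defaultdict(lambda: {"view": 0, "print": 0})
    for e in events:
        counts[e["user"]][e["action"]] += 1
    return dict(counts)


def audit_report(log_text: str, assignments: dict, release_roles: set) -> dict:
    """The summary a privacy officer would review from the day's extract."""
    events = parse_log(log_text)
    as_tuple = lambda e: (e["user"], e["patient"], e["section"])
    return {
        "events": len(events),
        "unassigned_access": len(unassigned_events(events, assignments)),
        "print_exceptions": [as_tuple(e) for e in
                             print_exceptions(events, assignments, release_roles)],
        "release_prints": [as_tuple(e) for e in
                           release_prints(events, assignments, release_roles)],
        "by_user": counts_by_user(events),
    }
```

On the sample extract, the clerk's view of demographics is reported as unassigned access but is not a print exception, while the same clerk's print of progress notes is. Whether an unassigned view is itself a problem depends on the role-based scope the organization defined earlier; the print is the event that represents information leaving the system, which is why it is singled out.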
Business associates
How can an
organization use the CPR to manage the information release process to business
associates?
Under HIPAA,
providers are required to secure signed agreements with business associates
that govern the use and disclosure practices of information they share with
their business associates. Since there are usually many business associates added and deleted every day in a health care
setting, it is difficult for the clerical staff to keep up with whether they
are authorized to re-disclose information to a specific business associate.
By using the CPR
toolset, organizations can help simplify this process. If the list of approved
business associates is maintained in a user-defined database online, it can be
linked to functions so that medical records personnel or other departmental
areas can reprint records. Utilizing this process, a provider can display the
approved list of recipient organizations each time it responds to a request for
information.
Long-term benefits
Is it really
better to use a CPR toolset and workflow redesign approach for improving means
of compliance with HIPAA?
While many health
care organizations have already begun the journey toward deploying a CPR, many
organizations still have the paper record process in place. HIPAA is coming and
it does not require a CPR. However, it does stimulate providers to migrate
toward more electronic platforms in order to support electronic data
interchange, the foundation of anticipated cost savings and one of the primary
reasons for HIPAA.
If an
organization has embarked on the CPR journey or plans to do so in the near
future, it should strongly evaluate how that CPR can be leveraged to not only
improve operational efficiencies, but also to demonstrate greater compliance
with the newly finalized HIPAA regulations. Otherwise, the organization is
likely to maintain two separate and duplicative operational processes and end
up becoming less efficient operationally upon deployment of the CPR.
Mr. Walker is a partner and COO with Negley,
Ott & Associates, Inc., Savannah,
The following
people contributed to this article:
Pelvia Woods, RN, clinical systems consultant at Negley, Ott & Associates.
Dinetia M. Newman, Esquire, partner at Phelps Dunbar
LLP in Tupelo, Miss.
Kimberly L. Loden, Esquire, associate at Phelps
Dunbar.
http://www.advanceforhie.com/common/editorialsearch/viewer.aspx?FN=03jan1_hxp81.html&AD=1/1/2003