Good morning. My name is Betsy Keener and I am the Privacy Officer for Harvard Vanguard Medical Associates. Harvard Vanguard Medical Associates is a large, multi-specialty group practice located in 15 sites throughout the greater Boston area. As the Privacy Officer, I am in charge of developing and implementing our privacy policies, and so I function as the project manager for the privacy aspect of HIPAA.

In my comments today, I will discuss our experience to date implementing the HIPAA regulations, including best practices, available resources, coalition building, our approach to training, and, of course, some of the difficulties we have faced.

In spite of my experience managing other large, complex projects, implementing the privacy rule often makes my head spin. Although implementing the Privacy Regulations has been both interesting and thought-provoking, it has also been a frustrating experience as my small group of staff and I try to understand the regulations, interpret them, determine what is “reasonable” and “scalable” -- all while wondering what aspect of the rules will change and what will remain.

I started by reading the federal regulations and attending a couple of seminars on the HIPAA regulations. I worked with other staff to form a project team, provided an overview of the regulations to senior management, and developed a preliminary budget. As with most other healthcare providers, our budget was limited and using outside consultants was not a viable option. We did purchase a HIPAA compliance program that provided us with some helpful workplans and assessment guides to help us get started. It also gave us a level of confidence that we weren’t missing some aspect of the privacy regulations.

Understanding these privacy regulations has been a slow process. Every time I review a specific part of the privacy rule – for example, the accounting of disclosures requirement – I learn more. For me, however, just reading the privacy rule was not enough. I had too many questions about what “reasonable” meant and wondered how other institutions were interpreting the rule. It became critical for me to talk with others who were also working on privacy implementation.

I joined the NE HIPAA workgroup over a year ago. This is a regional group of payors, providers and vendors who meet monthly to discuss different aspects of HIPAA and collaborate on compliance. In addition to speakers and a general session, each meeting usually includes subgroup meetings. I attend the privacy and security subgroup, and have learned a lot about how other organizations are approaching both the privacy and anticipated security regulations. I also joined the MA Health Data Consortium, and have found its Privacy Officers’ Forum to be particularly helpful. The bi-monthly meetings often involve content experts who share information about, or approaches to, certain aspects of the privacy rule.

Several months ago, while chatting with representatives from Partners HealthCare and Boston Medical Center, it occurred to us that we really needed to have a meeting with privacy staff who worked only for provider organizations. This way, we wouldn’t be distracted by solutions developed by the payors, and we could more comfortably share with each other the policies we developed without fear that our work would be packaged and sold by a consultant. The NE HIPAA Provider meeting met for the first time in May, and we have met monthly since then. Through the Privacy Officers’ Forum, we are affiliated with the MA Health Data Consortium, which generously donates space for our meetings. Any provider from the NE area is welcome to join our meetings. These provider meetings have been important in helping me shape Harvard Vanguard’s response to the privacy rules.

Prior to the first meeting, we drew up a list of topics to discuss. Our aim in the meetings has been to address how we are each planning to operationalize certain topics in hopes of arriving at community standards. Of course, before we start discussing how we plan to implement each aspect of the privacy rule, we have robust discussions on what the section of the rule means. The majority of the time, our thinking is similar. However, there have been times when we have disagreed on what the regulations mean. For example, at the last meeting we did not reach consensus on the Accounting of Disclosure requirement: specifically, we disagreed on whether we needed to account for public health disclosures that are required under state law (such as infectious disease reporting, births, deaths, gunshot wounds, etc.). Some in the group argued that since these are required by state law, and required under our licensure, the disclosures would be considered health care operations and consequently would fall outside the Accounting requirement. Others felt that the comment section specified that public health disclosures were required. When we reach an impasse, we continue topics until the next month in order to consult with our own legal counsel as to how to interpret the regulations.

We have also had conversations about topics that on the surface appear nearly laughable, but I think serve to point out our commitment to privacy, our confusion about the intent of the regulations, our concern about enforcement and sanctions, and of course, public scrutiny. For example, we discussed whether baby pictures sent in by parents to their Obstetrician or Pediatrician can be displayed in those departments. Are these photos Protected Health Information? On the one hand, this is information that is not created or maintained by our health care organizations. On the other hand, these photos are facially recognizable, and are thus PHI. What should we do? Post them and note this in our NPP, or should we develop an entire policy about this? Are we driving ourselves crazy? (That answer would be yes!) Generally, we do try to stop and remind ourselves that the goal is to protect patient privacy in the context of delivering quality health care, and that we need to find REASONABLE ways to accomplish this.

Here is a list of the initial topics the NE HIPAA Provider group was interested in addressing from an operations point of view, in the hopes of arriving at either a community standard or a shared understanding of the regulations:

Not only have we shared ideas and approaches to the privacy rule, we have also shared some of our draft or completed policies with one another (but not for public distribution). We would certainly embrace any best practices, but generally any new policies and procedures have not been tested long enough to call anything a best practice; rather, they are really good ideas. The philosophy of the group seems to be that we are all in this together, and if we can help each other out, we will. I find that when I leave these meetings, I have the feeling that implementing the privacy rule is actually do-able (this is often a different experience from how I feel about HIPAA on other days).

The other sources of information that I have used regularly are the listservs on HIPAA. It is important to sift through the varying advice, but I have learned a lot about the nuances of the privacy rule that would have taken me longer to discover on my own. On the other hand, this research can be time consuming, and the level of detail discussed can be quite overwhelming.

In addition, there are web sites, such as WEDI/SNIP, the Health Privacy Project, and the Association of American Medical Colleges, to name a few, that have useful information and provide helpful links to other websites. Also, some law firms have put together HIPAA information that is either displayed on their websites or available, as policies and procedures, for a fee. Harvard Vanguard opted to purchase a set of policies/procedures from a law firm we work with, to provide us with a basis to compare with our existing privacy policies. This seemed more economical than interpreting the regulations completely on our own.

However, there continue to be information gaps. For example, I would love to see a good summary of HIPAA in a brochure format for both staff and patients. I haven’t seen one anywhere. Also, more frequent guidance from HHS is critical. This can be either a formal guidance document, or more frequent updates to FAQs. There are so many nuances to this regulation that need to be clarified, and it would save us all a lot of time that is currently being spent either reading arguments on the listservs, or contributing to the discussion.

In spite of our questions, we are continuing to move forward. We are planning to begin a HIPAA awareness campaign in September at Harvard Vanguard. From the beginning, our philosophy on the privacy rule has been that we want to protect patient privacy because it is the right thing to do, not just because of the new federal law. We want our patients to trust that we are handling their personal information confidentially. We have incorporated this philosophy into the awareness campaign, and will continue it into the formal training program as well.

We have developed a poster campaign with a theme of the week (for example, computer security, telephone privacy, access to medical records, etc.). The privacy tips associated with the theme will be displayed on the posters, distributed by email, and found on the Harvard Vanguard Intranet. We will also have an information booth at each site for a limited period of time, a privacy hotline number to field staff questions, a staff quiz (complete with prizes) and a campaign to acknowledge staff who go the extra mile to protect patient privacy. The goal is to get staff thinking more actively about privacy.

We have not yet finalized our formal HIPAA training for the nearly 4000 staff at Harvard Vanguard. We are still considering three options: (1) doing the training ourselves in either large groups or in department staff meetings, (2) a train the trainer model, and (3) using an on-line training program. We are leaning towards doing the training ourselves primarily so that we fully address the notion that compliance with the privacy rules will involve some culture change on the part of the staff. We can also respond immediately to any questions that may come up, and we can tailor the presentation to the audience here at HVMA. We are concerned that using a train the trainer model may dilute the message.

Our strategy is to develop a core training program that can be easily tailored to the various departments. Certainly some issues are the same for everyone: how to authenticate callers, the minimum necessary requirement, computer-related security, etc. However, we recognize, for instance, that the privacy issues that the clinical medical assistants are grappling with may be quite different from those in medical billing.

We evaluated several on-line training programs that offer role-based training and have found a few programs that are informative, and reasonably interesting to watch and listen to. However, we are concerned that while most of the on-line programs do a good job of describing the HIPAA regulations, they generally do not provide the flexibility to also train staff on Harvard Vanguard's specific policies and procedures. Some of the on-line programs do allow for customization, and we may offer this solution for staff who are unable to attend a regular training program. We have not yet determined how we will be able to track attendance at these training programs, although we are hoping to craft an electronic link to our human resources information system.

We are fortunate at Harvard Vanguard that we have had an electronic medical record for over 30 years. As a result, I believe our staff has always had a heightened awareness of privacy issues. Our medical record system already has role-based access, based on the job title of the employee. Medical assistants have a different level of access to patient information than registered nurses, who in turn have different access from physicians. While we will need to review these levels of access under the privacy rule, we do not have to start from the beginning, which will save us a significant amount of time. We will still need to develop standards for the minimum necessary requirement for management staff, however.

Harvard Vanguard’s patient confidentiality policies and policies on breaches of confidentiality were at one time considered to be best practice and can be found on several industry websites. We have existing written policies that allow patients to access their medical record, or to request an amendment to their record. However, these, and other policies, must all be modified to be HIPAA compliant. In addition, our medical record system records staff access to patient records on a fairly granular level, which allows us to perform audits when a breach of confidentiality is suspected.

Implementing the privacy rule is a large effort. Yes, there are many policies and procedures to either develop or modify to reflect the new regulations. We will need to train nearly 4000 staff, which we hope will result in a culture change that furthers our existing climate of protecting patient privacy. However, it is not the actual work that is daunting, it is trying to understand these complex regulations. It is scary and frustrating when two intelligent, informed individuals can arrive at different conclusions from the same document. This happens over and over again. There is so much information that trying to summarize even one aspect of the regulations requires a significant effort. Each thoughtful question from a staff person can involve large amounts of time to research. With only eight months left before we are expected to be in full compliance with the regulations, I don’t have that kind of time to spend researching.

Fortunately, enough organizations or private individuals have been willing to share their knowledge on privacy with the rest of us. I have greatly appreciated their willingness to fill the knowledge gap. I believe the federal government needs to do more to clarify what is reasonable, before it is decided in the media or through the court system. I hope the National Committee on Vital and Health Statistics can encourage the Department of Health and Human Services to publish regular guidance and FAQs on the privacy regulations so that we can spend more time implementing the rule, and less time trying to decipher it.

Thank you.