National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality
HIPAA Privacy Rule Implementation Testimony
Jean Ahn, HIPAA Project Director, Yale New Haven Health System
September 10, 2002
Introduction/Background:
Good morning, my name is Jean Ahn. I am the HIPAA Project Director for the Yale
New Haven Health System. I have been asked to provide testimony on the
difficulties the System is facing in regard to the Privacy Rule implementation.
Before I do so, I will provide some brief background information on Yale New
Haven Health System.
The Yale New Haven Health System (YNHHS), located in Connecticut, is
composed of three main Delivery Networks that include Yale-New Haven Hospital
(YNHH), Bridgeport Hospital (BH), and Greenwich Hospital (GH). For HIPAA
purposes, the System will consider itself a single Affiliated Covered Entity
(ACE).
In addition, Yale-New Haven Hospital/Yale New Haven Health System and the
Yale University School of Medicine are legally separate entities within the
academic medical center, which therefore also pose unique challenges for
implementation. The entities, however, have proposed to collectively form an
organized health care arrangement (OHCA).
For comparative purposes, some general YNHHS FY 2001 statistics are
provided. Greenwich Hospital, which is a small community hospital, numbered 160
beds and roughly 10,443 admissions in FY 2001. Bridgeport Hospital, which is a
mid-sized hospital, totaled 425 beds and 20,528 admissions. Yale-New Haven
Hospital, which is a larger hospital, included 944 beds and 41,620 admissions.
The number of employees System-wide totaled 9,476 in FY 2001, while the number
of medical staff totaled 3,237, all of whom will need to be trained on the
HIPAA Privacy regulations and internal policies and procedures.
Implementation Structure:
To facilitate HIPAA implementation, the implementation structure, depicted in
the PowerPoint slide above, was instituted in January 2002, following a HIPAA
assessment phase that kicked off last July (July 2001). Spearheading the
efforts are the System Executive Group led by Yale New Haven Health System CEO
& President Joseph Zaccagnino and the System HIPAA Council led by System
EVP Gayle Capozzalo. Chairing the Delivery Network Coordinating Councils are
Bridgeport Hospital COO Hope Juckel-Regan, Greenwich Hospital COO Quinton
Friesen, and Yale-New Haven Hospital Senior VP Brian Condon.
As depicted, there are four main System task forces for EDI, Education,
Privacy, and Security. At each Delivery Network, local Privacy and Security
task forces have also been designated. Collectively, roughly 135+ individuals
are represented in the above structure. In addition, under both the System
Privacy and Security task forces, there are approximately 20 subgroups each
that are working on policy and procedure documents related to Privacy.
Projected Three-Year System HIPAA and Corporate Compliance Budget:
As evidenced on the PowerPoint slide here, significant amounts (collectively
$14.5 million) have been designated for the Health System's HIPAA and
Corporate Compliance budget for Fiscal Years 2002-2004, reflecting the fact
that patient information, privacy, and confidentiality have always been key
concerns at Yale New Haven Health System and will continue to be so. The
noticeable capital amount in 2003 relates to expected technical outlays for
Security, many of which are closely intertwined with the Privacy requirements.
The budget concerns expressed by members within YNHHS revolve around (1) the
fact that there are no monies available to assist hospitals' efforts
towards HIPAA compliance during financially difficult times for health care
organizations, and (2) although important to accomplish, no savings are
envisioned as a result, with the exception of possibly EDI in the long run. In
particular, areas which YNHHS anticipates will be burdened are Medical
Records/Health Information Management (HIM) and Billing due to the variety and
number of forms to distribute, file/scan, track, and monitor.
The remaining bulk of the presentation will focus on (1) the areas where
YNHHS is facing implementation challenges, (2) free and low-cost resources
YNHHS has obtained to facilitate in its implementation, and (3) the proposed
approach for training and education of the YNHHS workforce.
Implementation Issues and Concerns:
The Yale New Haven Health System HIPAA subcommittees have voiced the following
questions and concerns in attempting to comply with the Privacy regulations:
- Right to request Notice of Privacy Practices: YNHHS is
currently reviewing a two-page condensed template of a complete Notice from
another health system. When it was first received, the relevant subcommittee
was skeptical since it had previously been working on a 7-8 page document.
However, after reviewing it and trying to balance (1) the System's
responsibility to its patients in outlining all uses and disclosures with (2)
the likelihood that patients would completely read and understand a 7-8 page
document and (3) coupled with administrative burden, the subcommittee has
proposed to adopt the short version as long as it includes all required
elements and is reviewed and approved by both outside counsel and HIPAA
consultants. Does HHS foresee any prohibiting factors/concerns?
- Right to request Access: One issue to be addressed regards
frequent requests to inspect PHI by inpatients. For example, inpatients who
frequently request to inspect their records, such as several times per week or
even on a daily basis, require clinician time to sit, review, and answer
questions, which may impede care provided to other patients. Although time and
manner of access are addressed in the Privacy regulations, guidance on allowed
frequency would be appreciated.
- Right to request Amendment: For standard phone calls received
by billing departments from patients requesting a simple correction of an error
on their billing record, the billing departments propose, for the sake of
patient satisfaction and efficiency, to continue to verify and resolve these
issues over the phone, making an electronic notation in the patient's
record. For non-standard requests, the patient will be requested to complete
the form to request an amendment. Guidance is sought on whether the procedure
laid out above is satisfactory.
- Right to request Restrictions/Confidential Communications: Given
both the decentralized nature and current status of information systems,
particularly at larger institutions, the ability to guarantee absolute
restriction or confidential communications across-the-board is limited.
Therefore, although best efforts will be made, accommodation of requests for
restrictions will also be reviewed against the following criteria: Is the
patient in harm's way? Do the information systems permit us to comply
consistently with the requested restrictions? Will the restriction limit YNHHS
facilities' ability to provide quality health care treatment, obtain
payment, or manage YNHHS facilities' health care operations? From a
technical perspective, does HHS have greater expectations?
- Right to request an Accounting of Disclosures: YNHHS requests
that accounting for disclosures to public health authorities and, as required,
to government authorities and the FDA be re-considered, given the following:
(1) notice of these disclosures would be included in the Notice of Privacy
Practices; and (2) the significant expected (and cumulative) administrative
burden on organizations' HIM or Medical Records departments, which in
addition to being the key department for other patient requests such as access
and amendment, will be required to log the numerous disclosures to outside
authorities, some of which currently do not originate from Medical Records but
from physicians or clinicians directly, the ED, Social Work, or other
departments. For disclosures of PHI for reviews preparatory to research, again
accounting for these disclosures will represent a tremendous administrative
burden that should be re-considered. YNHH, for example, currently releases
roughly 14,000 records per year for research. Regarding reviews preparatory to
research, given the following: (1) only a portion of all records
reviewed will eventually be used as part of a research study; (2)
authorization from the patient (or IRB waiver) will be required if the record
is eventually selected and used in a study; and (3) in the case of
electronic records, since physicians have full access to records, there is no
way to know whether a physician is viewing the record for treatment reasons or
for a review preparatory to research, is it reasonable and feasible to account
for all reviews preparatory to research? The alternative mechanism adopted in
the final modifications (for reviews of 50 or more records) does not appear to
greatly simplify the burden given the fact that the institution must ultimately
be prepared to provide specific information to a patient if s/he so requests.
- Right to file a Complaint: There are no major questions at this
time.
Request for Guidance on Email/Fax:
- Guidance: Although the July 2001 issued Guidance notes that PHI
transmitted in any form is subject to the HIPAA regulations, no specific
information is provided regarding Email and Fax, which presently are frequently
used. YNHHS would appreciate guidance regarding these topics.
- Implementation Difficulty: For example, in regard to Email, the more
the YNHHS Email committee researches this issue, particularly regarding
clinicians who send Email messages to patients, the more the committee is
tempted to state that Emailing of PHI should not be allowed. Although a secure
Web portal is being rolled out and piloted in some areas, for policy purposes,
this method is not currently universally available. Therefore, the subcommittee
is presently faced with the dilemma of proposing a policy and procedure that
either (1) YNHHS facilities may ultimately be unable to implement in all
circumstances (mandatory use of a secure Web portal or encrypted Email), or
that (2) will most likely result in non-compliance (no Emailing of PHI
allowed).
- In addition, regarding Fax, for departments that have different staff
members who fax documents to dozens or hundreds of different pre-programmed Fax
numbers on a frequent basis, what are the practical and feasible expectations
for testing/verifying the numbers? Are there expectations that Fax
confirmations be retained or autofaxing logs be kept, and if so, for how long?
Request for Guidance on Research:
- Guidance: YNHHS and its affiliated medical school have
proposed to form an organized health care arrangement (OHCA). However,
clarification is sought whether OHCAs are intended solely for treatment,
payment, and operations, or whether they can also be expanded to cover reviews
preparatory to research or research activities within an academic medical
center. Or alternatively, would the two need to designate themselves as
business associates of each other?
- Implementation Difficulty: To reiterate, the accounting of
disclosures preparatory to research will be burdensome whether each disclosure
is accounted for, or whether the alternative method for disclosures of 50+
records is used (since if a patient requests the information regarding the
disclosure, the specifics must be obtained and provided anyway). Will guidance
be provided on how access should be granted and monitored for reviews
preparatory to research and for access to patient databases beyond what has
been provided? In addition, the issue of freestanding Access (and other types
of) databases containing PHI that are currently unidentified and unknown is of
concern. Even with education/training and perhaps a business associate
agreement in place with the medical school, such databases may continue to
exist or be generated for uses such as reviews preparatory to research.
- A related issue is the fact that PHI disclosed for a health care operations
purpose (e.g. quality assessment and improvement, case management, etc.) and
therefore, not subject to the accounting of disclosures, may eventually become
the subject of a research study. Therefore, whether known or not at the time of
disclosure, the noted PHI essentially represents information used in a review
preparatory to research.
Request for Further Guidance on Reasonable Safeguards:
- Guidance: Further clarification is needed regarding what constitutes
reasonable safeguards vis-à-vis incidental uses & disclosures,
beyond what was provided in the July 2001 Guidance.
- Implementation Difficulty: For example, one of the YNHHS hospitals
attached polarizing screens to computer monitors on several units at
significant cost as an attempt at reasonably safeguarding against incidental
disclosures. Upon unit visits, the screens were, however, often found removed
from the monitors and discarded to the side. When asked why, staff responded
that the screens made it extremely difficult to read and gave them headaches.
When the screens were reviewed by a physician in Occupational Health to assess
whether the screens might constitute an occupational safety hazard, the
physician supported staff concerns. Therefore, short of costly restructuring or
building monitors into desktops, few alternatives remain, and the issue could
possibly result in occupational safety hazards if the current method is
enforced.
- Similarly, at one of the larger YNHHS hospitals, a pilot of removing
patient names off doors resulted in significant pushback. Physicians, family
members, and even patients themselves had difficulty locating the correct rooms
quickly. Trial and error attempts appear to represent cases of patient privacy
and confidentiality versus safety. YNHHS's assumption obviously is that
patient safety always comes first. However, as indicated in the final
modifications as forthcoming, guidance would be appreciated in cases such as
these. When good faith efforts have been attempted, would documentation of
these efforts suffice indicating that due to safety reasons, certain practices
will be kept in place with minor modifications where possible (e.g., turning
computer screens away from public view)?
Request for Guidance on Training of Physicians and Traveling/Rotating
Employees:
- Guidance: For individuals such as physicians and traveling nurses
who move from institution to institution, both within and outside the Health
System and designated OHCAs, could one HIPAA training session suffice if
institutional-specific policies and procedures are provided and reviewed?
- Implementation Difficulty: The issue is relevant for
physicians on the medical staff who attend at multiple hospitals (including
ones outside the System), physicians employed by the medical school who attend
in System hospitals, and other clinicians who work/rotate at multiple
hospitals. Compliance with one institution's mandatory training will be
difficult enough to achieve, without having to require individuals to undertake
multiple training sessions.
- Perceived Best Practice: For institutions in a state hospital
association or group who have not yet built customized training or purchased
commercially available education/training content, it would seem to make sense
to collaborate on a single custom-built or commercial product. Due to volume,
discounts or savings may be substantial. In addition, for collaborating
hospitals, one agreed-upon training program for key groups would eliminate the
issue of redundant training.
Request for Guidance on HIPAA Concept of Workforce
The following implementation issues and questions have surfaced regarding
workforce:
- Background Investigations: YNHHS subcommittees are running
into difficulties addressing non-standard members of the workforce such as
volunteers, students, contracted employees, temp agency employees, etc. For
example, background investigations, which generally represent a $75 or more
cost per person for a basic check, are not currently completed on non-standard
employees. What are the expectations here? For example, would a tiered system
work, such as simple reference checks for volunteers, reference checks and drug
screens for students, more thorough checks for traveling nurses, etc.?
- Role-Based Access: Granting and terminating access to
systems and facilities for a large decentralized organization is a daunting
task. One method is to use the electronic payroll system with its start/stop
dates to facilitate the granting and termination of access. However, again this
system would only apply to regular employees on the payroll. In an academic
medical center, where students and non-employee clinicians are on the payroll
of a medical school or outside private practice, generally how should
role-based access be handled?
- Training/Screening of Temporary Employees: What are the
expectations for training a temp employee who will be onsite just a day or two
but who will have access to medical or billing PHI? What are the expectations
for background screening the same individual? The case of the temp worker at
Easton Hospital in Pennsylvania who took patient records home without
permission that were later found littering the streets highlights this issue.
Available Resources Used:
In addition, I was asked to provide information on some of the low-cost or
publicly available resources that are available to assist in HIPAA
implementation:
- Websites/Available Documents: The slide above lists
documents YNHHS has obtained and reviewed in the preparation of relevant
policies:
- Internal HIPAA Intranet Site/Documents: A YNHHS HIPAA
Intranet site is available to employees to obtain more information on HIPAA. In
addition, the site has a secure work space for task force members to access
working documents, minutes, status updates. To increase HIPAA awareness among
staff and engage employees in identifying potential violations and low-cost
solutions, "HIPAA Hunts" were conducted at each System hospital. (An
example of a HIPAA Hunt flyer is on the next slide of this PowerPoint
presentation.) For particular internal incidents with implications post-HIPAA,
YNHHS has begun conducting case studies to review circumstances, internal
policies, lessons learned, and necessary remediation.
- HCPro Videotape: Prior to mandatory training, to raise
awareness about the privacy and confidentiality of patient health information,
YNHHS purchased 8 videotapes of "Keeping it to Yourself." Although
not specifically about HIPAA, the tape provides good scenarios that depict
violations of patient privacy, which managers and staff have found helpful. The
discounted cost for the purchase of 4 tapes was roughly $1,000.
- The Connecticut Hospital Association (CHA) HIPAA Privacy and Security
Workgroup: The Workgroup has commissioned on behalf of its members a
Connecticut state/Federal preemption analysis which will be ready for
distribution in September. The Workgroup has been a valuable forum for
Connecticut hospitals to discuss/share ideas and concerns.
Proposed Training Approach:
Lastly, another requested item to be addressed in this testimony was the
System's proposed training approach.
- Prior to mandatory training, while gearing up, the YNHHS
Education Task Force has been presenting HIPAA awareness sessions to management
staff, physician groups, and at department staff meetings that include viewing
of the patient privacy videotape.
- Hospital/System Employees: Depending on role and access to
PHI, employees will receive either the basic Privacy core course or a
more-detailed Privacy course relevant to their position.
- Fulltime Faculty Physicians: In order to avoid redundant
training at both the School of Medicine and the Hospital/System for physicians,
YNHHS will collaborate to develop a single course that will be signed off on by
both sides regarding content. However, since the medical school is on a
different platform from YNHHS for computer-based training, a link will be
needed to the unique YNHHS policies and procedures.
- Medical Staff: Tracking of physician compliance with the
training requirement will be a big task especially for the larger hospitals.
Medical Staff offices have indicated that they have insufficient resources to
track compliance, which raises a budgetary issue.
- Volunteers, Students: Volunteers and students will receive
training at orientation.
Finally, in wrapping up, I would like to voice two concerns: (1)
timely finalization of the Security regulations, which affects both the
implementation of the Privacy regulations and the mandatory workforce training
and (2) avoidance of potential conflict of interest issues for individuals who
both sit on committees and bodies that help form HIPAA policy/regulations and
who provide external HIPAA consulting and vendor services. These individuals
must understand that healthcare organizations are looking to them to assist in
clarifying the regulations as much as possible to ensure appropriate protection
of patient health information and to generate regulations that are as
practical, reasonable, simple, and cost-efficient as possible, which in turn
means, ultimately reducing or eliminating the need for the consulting services
and sometimes costly HIPAA vendor services that they provide.
Thank you very much for this opportunity to present my testimony. Please let
me know if there are any questions I may be able to answer.
Jean Ahn
HIPAA Project Director
Yale New Haven Health System