Chairman Rothstein, members of the Privacy Subcommittee, I want to thank you for the opportunity to speak to you. I am Mary Thomason, RHIA, the HIPAA Project Leader for Intermountain Health Care. My primary focus has been to coordinate the implementation of the privacy regulation throughout IHC. My background has been in Health Information Management, Information Systems, as well as in the clinical laboratory.
The most difficult HIPAA privacy regulation implementation issues for Intermountain Health Care are related to two main areas: IHC’s size and complexity, as well as the hybrid nature of how health information exists and is maintained by IHC today.
Intermountain Health Care is a nonprofit integrated delivery system. We provide both health care and health plans. To put our size into perspective, we serve 480,000 covered lives with our Health Plans, and in the year 2001 had 117,872 inpatient visits, 28,600 births, and 5,612,399 opportunities to provide outpatient services.
We provide both traditional and non-traditional forms of health care. On the more traditional side, we have 21 hospitals that range from 520-bed LDS hospital to several 20-bed rural facilities, a Physician’s Division of around 400 physicians with 89 clinics, an Air Ambulance service, Home Care and Medical Equipment services, retail pharmacies, and occupational medicine clinics. On the non-traditional side, we have unique health care arrangements such as participating in joint clinics with the State of Utah for children who were in Newborn ICUs, providing athletic trainers for high school football teams, and serving as the official sports science and medicine supplier to the US Ski and Snowboard teams.
To support our business, we have divisions that include a physician’s billing service for employed physicians, a collection agency, and 14 legally separate but affiliated Foundations.
IHC Health Plans offers HMO and Point-Of-Service plans as well as contracts with other insurance companies, TPAs, PPOs, self-funded employers, and so on to lease the IHC network of providers and hospitals.
Both IHC Health Services and IHC Health Plans are single legal entities. Since our Health Services is a single legal entity and our focus is health care, we do not consider ourselves a hybrid entity even though some of those “unique” health care settings may not involve covered functions as defined in HIPAA.
After more than seven months of discussion and several legal opinions, we decided the relationship between IHC Health Services and IHC Health Plans would be one of an Organized Health Care Arrangement as defined in the regulation. We decided this arrangement allowed the most flexibility to adequately share data for our joint operations. However, since our data is co-mingled in some databases, we have difficulty addressing minimum necessary policies and procedures, because we must be very careful how much information is shared and for what purposes.
Probably one of the major implementation struggles we are having is regarding the accounting of disclosures. We realized one of the implications of being a single covered entity was that we would need to provide a single accounting for a patient across all of IHC Health Services: especially since many of our disclosures which must be in an accounting, i.e. based on State law requirements, are done electronically on a corporate basis. We have estimated we make 1,092,700 electronic disclosures per year that must be in the accounting, largely to meet the requirements of the Utah Health Data Commission or Department of Vital Statistics. We know some health care providers interpret these types of disclosures as health care operations, but we do not use this information for our operations purposes so we feel we cannot justify this as operations. This estimate does NOT include disclosures for research. We have around 500 research projects active at LDS hospital currently, for example, but we do not know yet how many projects have IRB authorization waivers and therefore patient record access would need to be recorded in an accounting.
The acknowledgment of the Notice of Privacy Practices may also be very challenging since we have such a variety of health care settings, and no one way or centralized system where we can check that we have already provided the Notice. Right now, we are planning to provide the Notice once in clinics, where we know we will see the same patient again and again, but otherwise we will probably be providing the Notice and seeking acknowledgment every time we see the patient in Inpatient, Urgent care, or other settings.
Finally, the size and complexity of IHC presents unique workforce training issues. We have 23,000 employees, not counting volunteers and non-employed credentialed providers. We decided early on that it would slow or even prevent the process of health care to funnel all disclosures of information to expert departments, such as medical records or the billing departments. Much of the protected health information that must be disclosed for treatment, for child abuse reporting, or to funeral directors, for example, currently happens in clinical areas. However, this decision has major training implications. In order to provide the level of training needed for those clinical front-line people, we are focusing the training on what they need to know and in the detail they need. Based on early assessments, we have defined 53 different groups who need specialized training and 52 different focused content modules we will need to develop. For example, the Emergency Department will get training not only with basic modules on general privacy but also in-depth modules on prevention of incidental disclosures, recommended efforts to verify identity, disclosures to law enforcement, disclosures to media, and how and when to enter information for an accounting of disclosures. We are planning to provide limited training to non-employed providers, to the extent they need to understand our policies and procedures, what it means to be in an Organized Health Care Arrangement, and shared Notice provisions, for example.
This decision not to centralize disclosures also impacts the need for a widely accessible accounting of disclosure tool, as well.
How does the hybrid, multi-media nature of how information is stored in IHC present additional challenges for the Privacy Regulation implementation? To date, we have found 78 different databases or record sets that contain protected health information at IHC or are maintained by our business associates. Of these, we have determined 18 are “designated record sets” as defined in the regulations, including, by the way, the 2002 Olympic Treatment Records. We have a complicated network of interfaces between the electronic systems, both to and from clinical and billing databases, but no one system contains all of the identifiable information “used to make decisions” about an individual’s care, let alone all billing or payment information. Some, like our Clinical Data Repository, contain much but not all of our clinical information. For example, we have a system called Storkbytes that is an electronic medical record for Obstetric patients. Although key information is interfaced from Storkbytes to the Clinical Data Repository, Storkbytes also contains critical information on fetal monitoring, and it is stored only in that system. Therefore, sections of both the Clinical Data Repository and the Storkbytes system are Designated Record Sets. In spite of being named one of the “most wired” health care systems in the United States, many of our medical records and some of our billing records are totally on paper, and paper records on a patient may be maintained in different locations even within the same facility. Because of this, we cannot provide a patient with all of their IHC records at one contact point. We will have to send them to the IHC facilities or agencies where they have received treatment, and we have to train the front line employees to know where all the records are stored, both electronically and on paper, to assist the patients with access or copies as required by the regulation.
Finally, this multi-media, multi-location of protected health information brings up the issue of attachment of amendments. In the paper world, this was not a major issue; the amendment documents are added to the records. However, we have so much that is electronic and we do not always have the capability in each system to attach an amendment at all, let alone attach it to the pertinent section of the record. We must be careful not to destroy the integrity of the data. Also, with existing interfaces, we do not always know where the information is distributed, so we do not always know where to forward copies of amendments.
What recommendations can we make to the Committee that would assist us in implementing the Privacy regulations?
We commend OCR’s efforts in clarifying various privacy related issues, especially their FAQs. We know there has probably been a high volume of questions submitted to the OCR about the privacy regulations. We have submitted questions ourselves, which have not been addressed in the regulations or in the discussions published by DHHS. It would be very helpful to have replies to these specific questions, if that is possible, because some issues have policy and procedural impact and it is difficult to know how to proceed without an answer.
Providing education for covered entities would be very valuable. Of the 2500 physicians affiliated with IHC, only 400 IHC employed physicians and their staff will be trained by us to any great extent. The rest are dependent on professional organizations, consultants, or seminars. I believe you have already heard the concerns about accuracy of some of the information that is being distributed, and the confusion of covered entities of all types as to what the regulations state. We believe that before you provide education to the public about their rights, it is imperative that the providers have accurate and substantial education or the covered entities are doomed to endure embarrassment at the best and lawsuits at the worst.
We also have a couple of requests that would make at least our efforts easier. We recommend that for public health or vital statistics disclosures, or other routine disclosures mandated by law, that the regulations allow us to educate the patient via a list of these routine disclosures required by law rather than have a specific accounting every time we disclose their information for those reasons. That would make the accounting provision less expensive and onerous; yet still educate the patient on where their information is disclosed and why.
The other suggestion is that there be a phased-in approach to the privacy regulations. We will endeavor to be compliant by April 14; however, we have been working on this over a year and recognize yet we still have major efforts to complete requirements such as the training, minimum necessary protocols, research procedures, and developing or buying an accounting of disclosure software tool. Allowances were made to allow extra time for small health plans in the regulation, but it is the large organizations that need time to assess the impacts on their policies and procedures as well as make any necessary cultural changes. As the saying goes, it takes a while to turn an ocean liner! This would also allow vendors time to develop software solutions to assist in the privacy regulation implementation.
I have included separate documentation that outlines in greater detail what IHC has accomplished in implementing the privacy regulation. I would like to thank you for the opportunity to present our major privacy implementation challenges as a large and complex health care system.