Electronic Health Records Danielle P. Berthelot, RHIA Director, Health Information Management and Cancer Registry Privacy Officer Woman’s Hospital

Overview of Woman’s Hospital Not-for-profit 225 bed Women and Infants Specialty Facility 82 bed Level III NICU Statistics FY ,200 births 7,400 surgeries 12,000 adult admissions

Implementing an EHR Where are we going? What do we need? How do we get there? Are we there yet?

Where are we going? Set a Goal What are we trying to accomplish?

What do we need? Defining the Task Must have Would like to have Would love to have

How do we get there? Implementing the Plan Phased in approach Flip the switch approach

Benefits Forms Management Documentation Consistency Health Information Access Online Record Completion

Forms Management

Form location Form revisions Patient demographics Form packets Form identification

Documentation Consistency

Standard information Required fields and formats Automated reports

Health Information Access

Information control Remote access Multi-user access

Online Record Completion

Increased Physician Flexibility Increased Physician Satisfaction Decreased Delinquency Rates

Are we there yet?

Hurdles Human Resources Inconsistent Processes Hardware Integration

Looking Back What’s different about our organization today? What did we do to help staff accept the change? What did we do to help physicians accept the change? What challenged us as leaders? What was the best part of the experience?

Privacy and Security What is HIPAA?

Law passed by Congress in 1996 –Major rules affecting hospitals Transactions, Code Sets, and Identifiers Privacy Rule – Sets standards for the protection of patient information (oral, written, electronic) Security Rule – Sets standards for protected health information in an electronic format Health Insurance Portability and Accountability Act

HIPAA Compliance Enforcement Privacy Rule – Office for Civil Rights (OCR) Security Rule – Centers for Medicare/Medicaid Services (CMS) Criminal Matters – Department of Justice (DOJ)

What is Protected Health Information (PHI)? Name Address/Dates Telephone/fax #s Social Security #s Medical Record #s Patient Account #s Insurance Plan #s Vehicle Info. Certificate/License #s Medical Equipment #s Photographs Fingerprints /Internet address Web URLs Any other unique code, or identifier

Most Frequent Privacy Complaints Impermissible use and disclosure of PHI Lack of adequate safe guards to protect PHI Refusal or failure to provide an individual with access to his/her health records Disclosure of more information than is necessary to satisfy a request for information Failure to provide the Notice of Privacy Practices

Most Frequent Security Complaints Information access management Security awareness and training Access control Workstation use Device and media control

Hot Topics Permitted Uses and Disclosures Authorization Forms Minimum Necessary Facility Directory Access EPHI Disposal of PHI Audits

Breaches/Violations Inadvertent: accidental, often due to lack of education or awareness Intentional: accessing PHI with not legitimate business purpose for doing so Intentional with malice: accessing PHI with the intent to use for personal gain or to harm someone.

Sanctions Consistent throughout organization Fits the crime

Compliance Tips Update policies and procedures regularly. Conduct ongoing training for staff. Discuss patient information in private areas. Keep voices down. Place computers, printers, fax machines in secure areas. Direct monitors away from view of visitors. Access only the information you need to perform your job. Retrieve documents from printers and fax machines immediately. Dispose of PHI properly. Assist visitors promptly to ensure they do not access staff areas. Report and address issues immediately. Audit compliance with polices and procedures. Enforce compliance with polices and procedures.

Questions and Answers Danielle P. Berthelot, RHIA Director, Health Information Management and Cancer Registry Privacy Officer Woman’s Hospital