John DesMarteau, MD FACA, Kaiser Permanente Mid-Atlantic HIPAA Project, HIPAA Summit V. A Case Study: Kaiser’s HIPAA Compliance from the Perspectives of Kaiser’s Hospitals and Clinics
2 Focus on HIPAA Privacy
- Of the three key HIPAA Administrative Services components, Privacy has the first compliance date: April 14, 2003
- Privacy requirements have a tremendous impact, touching everyone from the CEO to Medical Directors to physicians to patients to office staff and volunteers

3 Kaiser Permanente: A Snapshot
The nation’s largest nonprofit health plan has:
- Regions in 9 states and Washington, DC
- 8.4 million members
- 29 Hospitals
- 423 Medical Offices
- 11,000 physicians
- 128,000 employees
- More than 3,000 applications that contain HIPAA-relevant information

4 Mid-Atlantic States: A Snapshot
Kaiser’s eastern-most Region has:
- 525,000 members
- 32 Medical Centers in the District of Columbia, Maryland and Virginia
- 875 full and part-time physicians
- 7,000 employees
- More than 450 applications that contain HIPAA-relevant information

5 How KP Sees Itself Under HIPAA
KP is defining itself under HIPAA as regionally based “organized health care arrangements” (OHCA) that incorporate national functions using protected health information (PHI).
This designation:
- Better reflects the way KP uses PHI.
- Makes it easier to know how to apply HIPAA rules.
- Provides better service to our members (e.g., they receive one notice describing all uses rather than several notices for different parts of KP).

6 How Does HIPAA Impact KP?
Every area that handles patient information, including:
- Claims
- Referrals
- Billing
- IT Systems/Applications
- Physical Plant
- Business Associate Contracts
- Training
- Medical Records
- Membership Accounting
- Business, Clinical and IT Policies/Procedures
- …and more

7 The KP HIPAA Approach (organization chart; the reporting lines are not recoverable from the transcript)
National structure: Executive Sponsors; President and Medical Director; HIPAA Program Director; IT Team Director; Business Team Director (EDI); Health Care Ops Team Director; KP-IT Functional Leads; Multi-Disciplinary Core Advisory Group
Regional structure: Regional Business Leads; Regional Health Care Ops Leads; Regional IT Leads; Privacy Officers

8 Working Together on Solutions
1. Initiate Process
- HIPAA National Team drafts goals and objectives for the work
- Forms a multi-disciplinary, multi-regional work group that may include HIPAA leads, privacy officers, legal, subject matter experts, and others as needed
- Drafts preliminary work products
- Final drafts of work products are forwarded to the work group for closing feedback (2-4 week window)
2. Work Group Feedback and Revision Process
- Agenda and meeting materials sent
- Work group walks through materials, discussing, identifying changes and making recommendations
- National and legal test the materials against the law and revise them
- Work group meets until the process is complete
3. Final Work Products Distributed
- HIPAA Regional Leads
- Work group members
- Privacy Officers
- HIPAA Core Advisory Group
- Other key stakeholders
- Posted on the KP HIPAA Web Site

9 How Is HIPAA Going to Affect Frontline Operations?
- Privacy Notice/acknowledgement may impact point of service
- Patients will have the right to review and copy their medical records and can ask for corrections/information to be appended
- New and revised policies and procedures
- Privacy and Security training for all staff
- Sanctions for knowingly misusing or disclosing health information

10 KP Has Developed Some Solutions, but Still Faces a Host of Challenges...

11 Privacy Notice
HIPAA Requirement: Must make the Notice of Privacy Practices available to KP members and patients and request written acknowledgement of receipt
KP Response:
- Mail the notice and pre-printed receipts to current and new members
- Make notices available at points of service
Issues:
- Low acknowledgement return rate
- Confusion at point of service
- Others?

12 Disclosure Accounting
HIPAA Requirement: Must maintain a record for up to 6 years of how an individual’s PHI has been disclosed
KP Response:
- Establish a central database in each Region
- Create electronic data feeds from existing applications that use volumes of PHI (e.g., tumor registry, immunizations)
Issues:
- Accumulating disclosures could be costly if done manually
- Storage capacity (electronic versus paper)
- Others?
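The Regional database and application data feeds on this slide, sketched as an added example (not KP’s system): a ledger that ingests constructed CSV feeds from two source applications and answers a member’s accounting request for the six-year window. The feed columns, member ids and recipients are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Disclosure:
    member_id: str
    disclosed_on: date
    recipient: str
    description: str
    source_system: str  # which application's feed produced the record


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:  # 29 Feb with a non-leap target year
        return d.replace(year=d.year - years, day=28)


class DisclosureLedger:
    """Append-only, per-Region store of PHI disclosures keyed by member."""

    def __init__(self) -> None:
        self._by_member: dict[str, list[Disclosure]] = {}

    def record(self, d: Disclosure) -> None:
        self._by_member.setdefault(d.member_id, []).append(d)

    def ingest_feed(self, source_system: str, csv_text: str) -> int:
        """Load a CSV export from a source application (assumed columns:
        member_id,date,recipient,description). Returns rows loaded."""
        n = 0
        for row in csv.DictReader(io.StringIO(csv_text)):
            self.record(Disclosure(row["member_id"], date.fromisoformat(row["date"]),
                                   row["recipient"], row["description"], source_system))
            n += 1
        return n

    def accounting(self, member_id: str, as_of_iso: str) -> list[Disclosure]:
        """Disclosures in the six years ending on as_of_iso, oldest first."""
        as_of = date.fromisoformat(as_of_iso)
        cutoff = years_before(as_of, 6)  # six-year window stated on the slide
        hits = [d for d in self._by_member.get(member_id, [])
                if cutoff <= d.disclosed_on <= as_of]
        return sorted(hits, key=lambda d: d.disclosed_on)


# Constructed sample feeds; member ids and recipients are made up.
TUMOR_REGISTRY_FEED = """member_id,date,recipient,description
M100,2001-06-01,State Cancer Registry,diagnosis report
M100,2002-09-15,State Cancer Registry,follow-up report
"""
IMMUNIZATION_FEED = """member_id,date,recipient,description
M100,1996-03-01,State Immunization Registry,MMR dose
M200,2003-01-10,School District,immunization record
"""


def build_sample_ledger() -> DisclosureLedger:
    ledger = DisclosureLedger()
    ledger.ingest_feed("tumor_registry", TUMOR_REGISTRY_FEED)
    ledger.ingest_feed("immunizations", IMMUNIZATION_FEED)
    return ledger
```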

13 Facility Directories
HIPAA Requirement: Must comply with patient restrictions on uses or disclosure of PHI maintained in patient directories in both inpatient and outpatient settings
KP Response:
- Modify surgery scheduling systems to flag patient information that should not be shared, if the application does not already have that feature
Issues:
- Outpatient facilities may not use surgery scheduling systems
- Others?

14 Confidential Communications
HIPAA Requirement: Must accommodate reasonable requests by individuals to receive PHI at alternative locations or by alternative means
KP Response:
- Modify applications that mail appointment reminders and lab results
- Develop a database that maintains alternative addresses and intercepts mailings of high-priority communications
Issues:
- Handling of other sensitive communications (explanation of benefits, behavioral health, prescriptions)
- Others?

15 Business Associates
HIPAA Requirement: Must get assurance that business associates safeguard PHI
KP Response:
- Conducted training with contract owners in the Regions and at National on the new contract template language
- Have contract owners ensure the template language is incorporated into existing, new and renegotiated contracts
Issues:
- Must conduct periodic audits of contracts
- Others?

16 Marketing
HIPAA Requirement: Must obtain authorization for HIPAA-defined marketing activities, except for communications about health-related products or services
KP Response:
- Make minor changes to existing communication practices when they fall under the HIPAA marketing definition
Issues:
- Maintaining awareness of HIPAA rules as new opportunities to communicate with members arise

17 Policies and Procedures
HIPAA Requirement: Must document HIPAA policies and procedures to ensure compliance
KP Response:
- Identify which policies will be national policies, to be maintained by KP National Compliance
- Create an approval process that includes Regional input and review
- Use these policies to shape the development of procedures at the Regional level
Issues:
- Changes required by stricter state laws would prevent a standardized approach to compliance
- Others?

18 Privacy and Security Training For All Staff and Physicians
Training is vital, as it must also take into account any stricter state laws, which override federal rules. And it must be tracked.
- HR policies must include Privacy/Security guidelines
- Training delivery options include self-paced workbooks, e-learning modules, video, and instructor-led sessions
- Content must be role-based and incorporate KP-specific policies and procedures
- Develop an implementation template that Regions can customize

19 Training Communication Themes
The goal is a consistent message across KP to help staff “Get Hip to HIPAA.”
- Patient Privacy Is a Right – Protecting It Is the Right Thing to Do (“How is patient information handled on white boards, charts, phone messages and computer screens? Keep any PHI you might come across to yourself.”)
- Making Common Sense Common Practice (“Keep your computer password confidential by not sharing it with others.”)
- Protect Patient Information as if It’s Your Own (“Don’t discuss patient information in common areas such as hallways, elevators or waiting rooms.”)
- What Information Do I Need to Know? (“Use only as much information as needed to accomplish the task.”)

20 To Keep KP’s Privacy Efforts on Track…

21 Privacy Officer’s Role
Each Region has designated a Privacy Officer, who will have a dotted line to KP National Compliance. This provides a community of privacy experts sharing best practices and striving for consistency when appropriate.
Duties vary but all include:
- Develop/maintain the privacy program/plan
- Develop policies and procedures
- Ensure compliance with federal/state law
- Monitor systems development
- Oversee privacy training/awareness
- Collaborate on the development of sanctions
- Plan for reporting concerns/violations
- Risk assessments
- Investigate breaches
- And more...

22 Contributing to the Success of HIPAA at Kaiser Permanente
- HIPAA and patient privacy are in alignment with KP values
- Active national and regional sponsorship
- Dedicated national and regional HIPAA teams
- Multi-disciplinary approach
- KP is a “learning” organization
- Our 55-year history of providing high-quality health care service to diverse populations

23 Questions?
KP HIPAA Web Site:
(301)