Presentation is loading. Please wait.

Presentation is loading. Please wait.

John DesMarteau, MD FACA Kaiser Permanente Mid-Atlantic HIPAA Project HIPAA Summit V A Case Study: Kaiser’s HIPAA Compliance from the Perspectives of.

Published byRodger Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "John DesMarteau, MD FACA Kaiser Permanente Mid-Atlantic HIPAA Project HIPAA Summit V A Case Study: Kaiser’s HIPAA Compliance from the Perspectives of."— Presentation transcript:

1

2 John DesMarteau, MD FACA Kaiser Permanente Mid-Atlantic HIPAA Project HIPAA Summit V A Case Study: Kaiser’s HIPAA Compliance from the Perspectives of Kaiser’s Hospitals and Clinics

3 2 Focus on HIPAA Privacy Of the three key HIPAA Administrative Services components, Privacy has the first compliance date – April 14, 2003 Of the three key HIPAA Administrative Services components, Privacy has the first compliance date – April 14, 2003 Privacy requirements have a tremendous impact – touching everyone from CEO to Medical Directors to physicians to patients to office staff and volunteers Privacy requirements have a tremendous impact – touching everyone from CEO to Medical Directors to physicians to patients to office staff and volunteers

4 3 Kaiser Permanente: A Snapshot The nation’s largest nonprofit health plan has: The nation’s largest nonprofit health plan has:  Regions in 9 states and Washington, DC  8.4 million members  29 Hospitals  423 Medical Offices  11,000 physicians  128,000 employees  More than 3,000 applications that contain HIPAA-relevant information

5 4 Mid-Atlantic States: A Snapshot Kaiser’s eastern-most Region has: Kaiser’s eastern-most Region has:  525,000 members  32 Medical Centers in the District of Columbia, Maryland and Virginia  875 full and part-time physicians  7,000 employees  More than 450 applications that contain HIPAA-relevant information

6 5 How KP Sees Itself Under HIPAA KP is defining itself under HIPAA as regionally based “organized health care arrangements” (OHCA) that incorporate national functions using protected health information (PHI). KP is defining itself under HIPAA as regionally based “organized health care arrangements” (OHCA) that incorporate national functions using protected health information (PHI). This designation: This designation:  Better reflects the way KP uses PHI.  Makes it easier to know how to apply HIPAA rules.  Provides better service to our members (e.g., they receive one notice describing all uses versus several notices for different parts of KP).

7 6 How Does HIPPA Impact KP? Claims Referrals Billing IT Systems/ Applications Every Area That Handles Patient Information PhysicalPlant BusinessAssociateContracts Training MedicalRecords Membership Accounting Business, Clinical, IT Policies/Procedures …and more

8 The KP HIPAA Approach ExecutiveSponsorsExecutiveSponsors RegionalBusinessLeads Regional Health Care Ops Leads Regional IT Leads Multi-Disciplinary Core Advisory GroupMulti-Disciplinary Group KP-IT Functional Leads IT Team Director Business Team Director (EDI) Health Care Ops Team Director HIPAA Program Director President and Medical Director  Business Leads  Health Care Ops Leads  IT Leads  Privacy Officers REGIONAL STRUCTURE

9 8 Working Together on Solutions 1. Initiate Process  HIPAA National Team drafts goals and objectives for work  Forms multi-disciplinary, multi-regional work group that may include HIPAA leads, privacy officers, legal, subject matter experts, and others as needed.  Drafts preliminary work products Final drafts of work products forwarded to work group for closing feedback (2-4 week window) 2. Work Group Feedback and Revision Process  Agenda and meeting materials sent  Work group walks through materials – discussing, identifying changes and making recommendations  National and legal test against law and revise materials  Work group meets until process complete 3. Final Work Products Distributed  HIPAA Regional Leads  Work group members  Privacy Officers  HIPAA Core Advisory Group  Other key stakeholders  Post on KP HIPAA Web Site

10 9 How Is HIPAA Going to Affect Frontline Operations? Privacy Notice/acknowledgement may impact point of service Privacy Notice/acknowledgement may impact point of service Patients will have the right to review and copy their medical records and can ask for corrections/information to be appended Patients will have the right to review and copy their medical records and can ask for corrections/information to be appended New and revised policies and procedures Privacy and Security training for all staff New and revised policies and procedures Privacy and Security training for all staff Sanctions for knowingly misusing or disclosing health information Sanctions for knowingly misusing or disclosing health information

11 10 KP Has Developed Some Solutions, but Still Faces a Host of Challenges...

12 11 Privacy Notice HIPAA Requirement: Must make Notice of Privacy Practices available to KP members and patients and request written acknowledgement of receipt HIPAA Requirement: Must make Notice of Privacy Practices available to KP members and patients and request written acknowledgement of receipt KP Response: KP Response:  Mail notice and pre-printed receipts to current and new members  Make notices available at points of service Issues: Issues:  Low acknowledgement return rate  Confusion at point of service  Others?

13 12 Disclosure Accounting HIPAA Requirement : Must maintain a record for up to 6 years of how an individual’s PHI has been disclosed HIPAA Requirement : Must maintain a record for up to 6 years of how an individual’s PHI has been disclosed KP Response: KP Response:  Establish central database in each Region  Create electronic data feeds from existing applications using volumes of PHI (e.g., tumor registry, immunizations) Issues: Issues:  Accumulating disclosures could be costly if done manually  Storage capacity (electronic versus paper)  Others?

14 13 Facility Directories HIPAA Requirement : Must comply with patient restrictions of uses or disclosure of PHI maintained in patient directories in both inpatient and outpatient settings HIPAA Requirement : Must comply with patient restrictions of uses or disclosure of PHI maintained in patient directories in both inpatient and outpatient settings KP Response: KP Response:  Modify surgery scheduling systems to flag patient information that should not be shared, if application does not already have that feature Issues: Issues:  Outpatient facilities may not use surgery scheduling systems  Others?

15 14 Confidential Communications HIPAA Requirement : Must accommodate reasonable requests by individuals to receive PHI information at alternative locations by alternative means HIPAA Requirement : Must accommodate reasonable requests by individuals to receive PHI information at alternative locations by alternative means KP Response: KP Response:  Modify applications that mail appointment reminders and lab results  Develop database that maintains alternative addresses and intercepts mailings of high-priority communications Issues: Issues:  Handling of other sensitive communications (explanation of benefits, behavioral health, prescriptions)  Others?

16 15 Business Associates HIPAA Requirement : Must get assurance that business associates safeguard PHI HIPAA Requirement : Must get assurance that business associates safeguard PHI KP Response: KP Response:  Conducted training with contract owners in Regions and National on new contract template language  Have contract owners ensure template language is incorporated into existing, new and renegotiated contracts Issues: Issues:  Must conduct periodic audits of contracts  Others?

17 16 Marketing HIPAA Requirement : Must obtain authorization for HIPAA-defined marketing activities except for communications about health-related products or services HIPAA Requirement : Must obtain authorization for HIPAA-defined marketing activities except for communications about health-related products or services KP Response: KP Response:  Make minor changes to existing communication practices when they fall under HIPAA marketing definition Issues: Issues:  Maintaining awareness of HIPAA rules as new opportunities to communicate with members arise

18 17 Policies and Procedures HIPAA Requirement : Must document HIPAA policies and procedures to ensure compliance HIPAA Requirement : Must document HIPAA policies and procedures to ensure compliance KP Response: KP Response:  Identify which policies will be national polices, to be maintained by KP National Compliance  Create approval process that includes Regional input and review  Use these policies to shape the development of procedures at a Regional level Issues: Issues:  Changes required by stricter state laws would prevent standardized approach to compliance  Others?

19 18 Privacy and Security Training For All Staff and Physicians Training is vital as it must also take into account any stricter state laws, which override federal rules. And it must be tracked. Training is vital as it must also take into account any stricter state laws, which override federal rules. And it must be tracked.  HR policies must include Privacy/Security guidelines  Training delivery options include self-paced workbooks, e-learning modules, video, and instructor-led  Content must be role-based and incorporate KP-specific policies and procedures  Develop implementation template Regions can customize

20 19 Training Communication Themes The goal is a consistent message across KP to help staff “Get Hip to HIPAA.” The goal is a consistent message across KP to help staff “Get Hip to HIPAA.”  Patient Privacy Is a Right – Protecting It Is the Right Thing to Do (“How is patient information handled on white boards, charts, phone messages and computer screens? Keep any PHI you might come across to yourself.”)  Making Common Sense Common Practice (“Keep computer password confidential by not sharing it with others.”)  Protect Patient Information as if It’s Your Own (“Don’t discuss patient information in common areas such as hallways, elevators or waiting rooms.”)  What Information Do I Need to Know? (“Use only as much information as needed to accomplish the task.”)

21 20 To Keep KP’s Privacy Efforts on Track…

22 21 Privacy Officer’s Role Each Region has designated a Privacy Officer, who will have a dotted line to KP National Compliance. This provides a community of privacy experts sharing best practices and striving for consistency when appropriate. Each Region has designated a Privacy Officer, who will have a dotted line to KP National Compliance. This provides a community of privacy experts sharing best practices and striving for consistency when appropriate. Duties vary but all include: Duties vary but all include:  Develop/maintain privacy program/plan  Develop policies and procedures  Ensure compliance with federal/state law  Monitor systems development  Oversee privacy training/awareness  Collaborate on development sanctions  Plan for reporting concerns/violations  Risk assessments  Investigate breaches  And more...

23 22 Contributing to the Success of HIPAA at Kaiser Permanente HIPAA and patient privacy are in alignment with KP values HIPAA and patient privacy are in alignment with KP values Active national and regional sponsorship Active national and regional sponsorship Dedicated national and regional HIPAA teams Dedicated national and regional HIPAA teams Multi-disciplinary approach Multi-disciplinary approach KP is a “learning” organization KP is a “learning” organization Our 55-year history of providing high-quality health care service to diverse populations Our 55-year history of providing high-quality health care service to diverse populations

24 23 Questions? KP HIPAA Web Site: KP HIPAA Web Site:http://kpnet.kp.org/hipaa john.desmarteau@kp.org john.desmarteau@kp.org (301) 523-7571

Download ppt "John DesMarteau, MD FACA Kaiser Permanente Mid-Atlantic HIPAA Project HIPAA Summit V A Case Study: Kaiser’s HIPAA Compliance from the Perspectives of."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Legal Work Group Developing a Uniform EHR/HIE Patient Consent Form.

Legal Work Group Developing a Uniform EHR/HIE Patient Consent Form.
And the finer details of patient privacy TCH Confidential Understanding HIPAA.

And the finer details of patient privacy TCH Confidential Understanding HIPAA.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HIPAA Basics A Matter of Integrity. Introduction “A Matter of Integrity” defines HIPAA and protecting patient health information. Success depends on our.

HIPAA Basics A Matter of Integrity. Introduction “A Matter of Integrity” defines HIPAA and protecting patient health information. Success depends on our.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Randy Benson RHQN Executive Director May, 2012. Compliance Issues During Survey Compliance Officers monitor healthcare facilities (hospitals and clinics)

Randy Benson RHQN Executive Director May, Compliance Issues During Survey Compliance Officers monitor healthcare facilities (hospitals and clinics)
HIPAA How can you maintain patient privacy and confidentiality? General Medicine LCCA.

HIPAA How can you maintain patient privacy and confidentiality? General Medicine LCCA.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:

Similar presentations

Ads by Google