Section 1. Compliance Case Study
It is always helpful to see real world examples of how a health care provider has successfully integrated the law into its operations. Below is a case study summarizing the successful implementation of HIPAA policy in a large health network.
Adventist Health is multi-facility, integrated health care delivery system. Because of its size and diversity of holdings, Adventist serves as an excellent case study of how to implement HIPAA in a large, decentralized medical network. When Adventist implemented HIPAA in the year 2000, its operations consisted of the following:
- 20 facilities (23 campuses)
- Four western states
- 16,000-17,000 employees
- Various affiliated medical groups
- An array of impacted business units
Setting the Stage
The Adventist senior management team was extremely invested in taking a meticulous, well-planned approach to implementing HIPAA. In this vein, the organization began its efforts in the year 2000 by convening an informal HIPAA committee to brainstorm the elements needed for a successful roll out.
The first steps that were agreed upon included the hiring of a director, in addition to a central HIPAA Privacy and Security steering committee, which would be responsible for directing the efforts of the various departments and facilities involved. In addition, the company created a "virtual implementation team." The members of this group were responsible for implementing directives at the various business units and satellite branches. Additionally, a centralized group was established to manage any legal and contracting issues.
The HIPAA Steering committee was made up of various personnel, including senior leadership and individuals from operations. This allowed for a wider range of experience, as some individuals could contribute from a strategic planning standpoint, while others could intelligently speak to how proposed changes would impact the infrastructure, employees and patients.
Ultimately there were 13 individuals on the committee, with five serving as the "executive committee." In addition, there were two subcommittees - the technical subcommittee and the operations subcommittee. These committees were responsible for the centralized development of the company's privacy policies, project management and local implementation.
The Adventist steering committee spent all day drafting a strategic plan based on the various tasks and obstacles identified in implementing HIPAA. The group conducted ongoing monthly conference calls to report on progress and address any roadblocks in the process. If needed, the executive committee made decisions on behalf of the steering committee between meetings.
The two subcommittees were given clear objectives to ensure technical and operational compliance, which encompassed a number of initiatives. Among them was streamlining their electronic claims submission process, creating new standard operating procedures and training staff. Because of the amount of work that needed to be accomplished, these groups met twice a month, while continuously worked on implementation between meetings.
These activities were all conducted under the umbrella of the "HIPAA Program Office," and the overall objectives included:
- Developing policies centrally that could then be implemented in each locality
- Interpreting HIPAA regulations for Adventist Health
- Developing the HIPAA Program Office
- Developing standards (policies, contract language, etc.)
- Developing education and training
- Managing legal services
- Developing testing, audit, certification, and ongoing compliance monitoring
The processes identified and developed by the subcommittees were disseminated to the Virtual Coordinator Council, which in turn filtered the information to team members in each facility, who were responsible for implementing the updates in their facilities and conducting staff training.
Due to their exhaustive and deliberate approach, Adventist was able to successfully implement HIPAA guidelines in their many facilities. The coordinated effort and involvement of senior leadership played a key role in the success of this effort. However, as with any endeavor of this magnitude, there were some things that could have been done better and key lessons learned, including:
- The formal project/program management approach is key to success
- Central content development is more efficient
- It is very easy to under-estimate and under-resource
- Overcoming the executive learning curve regarding operational and technical changes
- Don't build everything from scratch
- Don't forget your physicians. Educate them as well
Section 2. Patient Complaints and OCR Investigations
Below are transcripts of three actual cases that OCR has dealt with, along with the outcomes and corrective action, if necessary.
"Hospital Implements New Minimum Necessary Polices for Telephone Messages
Covered Entity: General Hospital
Issue: Minimum Necessary; Confidential Communications
A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient's home telephone number, despite the patient's instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. One addressed the issue of minimum necessary information in telephone message content. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding leaving messages. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training."
"Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety
Covered Entity: General Hospital
Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety
After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient's authorization, copies of the patient's skull x-ray as well as a description of the complainant's medical condition. The local newspaper then featured on its front page the individual's x-ray and an article that included the date of the accident, the location of the accident, the patient's gender, a description of patient's medical condition, and numerous quotes from the hospital about such unusual sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCRs investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. The investigation also indicated that the disclosures did not meet the rule's de-identification standard and therefore were not permissible without the individual's authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy."
Private Practice Implements Safeguards for Waiting Rooms
Covered Entity: Private Practice
Issue: Safeguards; Impermissible Uses and Disclosures
A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.
As you can see from the examples above, Protected Health Information may be accessed without authorization in a number of ways. The role of OCR is to thoroughly investigate each complaint against the verbiage of the Privacy and Security policies and make a determination as to the guilt or innocence of the covered entity.
Section 3. Fines and Penalties
As mentioned previously, OCR may impose fines on a covered entity if, after a thorough investigation, they determine there was wrongdoing. Usually, the first step that OCR will take is to notify the covered entity of the judgment against them and allow them to voluntarily come into compliance. However, if the entity fails to respond within 30 days, or voluntarily to come into compliance, then monetary penalties may be assessed. Also, if the covered entity was shown to have been willfully negligent in the case, fines may be assessed as well.
OCR is aware that there may be circumstances in which the covered entity may not have been aware of a judgment against them, or had not had sufficient time to respond. If the covered entity can submit just cause as to why they were delayed, the penalties may be reduced or canceled.
Penalties are assessed on a "per infraction" basis, with a yearly cap on the overall amount that a covered entity can be fined. For infractions prior to 02/18/2009 a penalty of $100 per occurrence is assessed, with a yearly maximum of $25,000. Violations after this date may be assessed a fine anywhere from $100 to $50,000 or more per occurrence, with a yearly cap of $1.5 million.
If fined, a covered entity has the option of writing to the OCR requesting a reduction or dismissal of a penalty. The covered entity must submit evidence to warrant a change in the determination within 30 days of the judgment. There is also the option of requesting an administrative hearing, in which the covered entity may plead its case.
Unfortunately, there are instances of improper use and disclosure that are clearly of a criminal nature. If a covered entity is found guilty of criminal wrongdoing involving PHI, may be assessed fines, as well as time in prison.
The penalties and prison terms vary, based on the intent and nature of the offense and are outlined by OCR as follows:
"A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice is responsible for prosecution under the privacy rule."
Section 4. Evaluating the Success of HIPPA
The following represents the most common type of complaint:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Uses or disclosures of more than the minimum necessary protected health information
- Lack of administrative safeguards of electronic protected health information
The types of covered entities with the highest instance of violations resulting in corrective action were:
- Private Practices
- General Hospitals
- Outpatient Facilities
- Health Plans
If so, would you consider reporting it to OCR now that you are aware of the complaint process?
Do you think the fines imposed on covered entities that disclose PHI are reasonable?