MIS 567 You Decide

Barbara Silva is the CIO for Peachtree Community Hospital in Atlanta, Georgia. As the chief information officer, it has been her duty to assemble a team of healthcare information professionals to prepare for the implementation of HIPAA Privacy Rules.

How did Barbara and her team orchestrate moving forward toward HIPAA Privacy compliance? First, she established a steering committee responsible for HIPAA Privacy planning. The committee focused on three broad areas of development, including:

• education;
• assessment; and
• development of policies and procedures.

The steering committee recognizes that the scope of this project is quite vast and that it encompasses many different areas of the facility. The scope involves not just hospital information systems, but the operations of many departments and manual processes. These varied items are included in the scope of assessment and are found to be the biggest challenge. Developing HIPAA compliant policies and procedures is not a one-time activity as changes are constant. Development and continuous updating will mean that this project is one that will be an ongoing effort.

Part of Peachtree Community Hospital’s key to success has been pulling together the right combination of professionals. The result is a multidisciplinary team which will include the HIM services director and the CCO (chief compliance officer).

Barbara has garnered the following information from experts in the area of HIPAA Privacy Rules who have suggested that healthcare organizations consider the following steps to become compliant:

• Inventory the organization’s data as the first step in policy implementation.
• Read the Federal Register information on HIPAA.
• Focus on HIPAA as a business process issue.
• Secure the support of top management and the active involvement and participation of staff in all affected areas.
• Thoroughly review outside vendor contracts to ensure compliance with business associate agreements.
• Appoint a dedicated staff to the HIPAA privacy initiative.

Preparing for HIPAA compliance will require a complex and thorough evaluation and realignment of business and operational processes.

You have been consulted by CIO Barbara Silva as the healthcare information systems expert. You will be working directly with the director of HIM services. As a consultant, you have vast experience with HIPAA implementations. Your expertise will be required in several areas.

K E Y  P L A Y E R S

Barbara Silva, CIO

As the chief information officer, Barbara will assemble a team of healthcare professionals to prepare for the implementation of HIPAA Privacy Rules. She must ensure that Peachtree is in full compliance with HIPAA regulations for every aspect of the organization – not just hospital information systems, but also the operations of related departments and manual processes. Her concerns encompass a large scope of the project, and she will need to identify key people to become involved in this project.

James Hall, Director of HIM Services

James Hall is the director of health information management services and is a key player in the implementation strategy. From a technological standpoint, James is responsible for making sure all health information is accurately collected, stored, and protected. His concerns are related to the privacy rules, but not limited to: right of access to PHI; use, release, and disclosure of health information; use and disclosure of de-identified PHI; and requesting privacy protection for PHI.

Mark Totten, CCO

Mark Totten is the chief compliance officer at Peachtree. Compliance with HIPAA Privacy is crucial to maintain the accreditation of the hospital. Three basic areas that HIT professionals must be concerned with include: the release of information (ROI). JCAHO requires that healthcare organizations develop role-based access to information. Organizations must review the types of people who access information and limit their access to the information needed to perform their job. Misuse of blanket authorizations can result in non-compliance with the HIPAA Privacy Rule; protection of privacy, maintenance of confidentiality, and protection of data security. This includes the physical and electronic protection of the integrity, availability, and confidentiality of computer-based information and the resources used to store, enter, process, and communicate it; and  management of sensitive health information. Strict compliance of state and federal laws govern the release of health information.

Cynthia Wong , Corporate Attorney

Cynthia Wong is the corporate attorney for Peachtree Community Hospital. Her responsibility is to ensure the HIPAA policies and procedures that are implemented are legally sound and in compliance with all state and federal laws governing the use and management of health information. Areas of concern include ensuring that the collection, storage, and reporting of health information is accurate and complies with all laws. The compilation and maintenance of health information must be in conformance with all legal and ethical standards.

Y O U  D E C I D E

Prepare a two-page executive report for Barbara Silva, CIO, addressing the following:

Section 1: State the overview of HIPAA Privacy Rules.

Section 2: Respond to the following questions:

1. Steering committee: Who would you include on the steering committee that is responsible for ongoing HIPAA privacy compliance? Who should lead this committee?
2. HIPAA education: What type of ongoing education activities would you provide for the workforce of this organization to facilitate compliance with the HIPAA Privacy Rule? How would you implement these activities?
3. Business associates: How would you ensure that you have identified all of the organization’s current business associates and developed business associate agreements with them?
4. HIPAA compliance: What process would you use to update these policies and procedures? How frequently would you update them? How would you ensure that they continue to be valid and HIPAA compliant?