
A FIVE PHASE PROCESS FOR HIPAA COMPLIANCE:
A CASE STUDY IN PROCESS

November 2000

Timothy D. Miller, FACHE, President & COO, Maryland General Hospital, Baltimore, MD
Ravinder J. Singh, Vice President, Phoenix Health Systems, Inc., Montgomery Village, MD

The Place: Maryland General Hospital

Maryland General Hospital (MGH), located in Baltimore, Maryland, was founded in 1881. Today it is a 300-bed community teaching institution affiliated with the University of Maryland Medical System. MGH has emerged from the starting gate as a leader in the work toward HIPAA compliance. Tim Miller, MGH’s President & COO, encouraged his staff to begin HIPAA education early, stating, "We recognized that Maryland General faces a major undertaking in achieving compliance with the HIPAA regulations. Maryland General’s leadership wanted to give ourselves the benefit of a longer window of opportunity in which to prepare."

The Problem: Determine the Impact of HIPAA

Compliance with HIPAA regulations is a daunting task for healthcare, coming close on the heels of Y2K and overlapping with reimbursement reductions from Federal programs and ever-dwindling operating margins. Once each final rule is published, the compliance timeframe yields only a 24-month period in which to change business practices, implement the necessary system changes, and educate an already overburdened workforce. MGH decided to start the process toward HIPAA compliance before the regulations were finalized, in order to gain a head start and to allow ample time to integrate strategic planning and operational initiatives with the steps needed to become HIPAA compliant.

At the time of writing this case study, only the Transaction and Code Set Standards have been finalized, with compliance mandated 24 months after the rule's effective date, in October 2002. The proximity of tangible work efforts, together with the desire to assess the current state of MGH’s overall use of EDI transactions and its security and privacy practices, led the Executive Team to contract for assistance with the work needed to progress toward HIPAA compliance.

The Process: Moving Towards HIPAA Compliance

The process of moving toward HIPAA compliance involved securing resources, providing education, and performing an analysis of the impact of HIPAA on MGH. The scope of the HIPAA compliance project, as envisioned by the Executive Leadership at MGH, required professional assistance beyond the capabilities of the organization’s own resources.

Consulting and project management assistance for a HIPAA Impact Analysis was requested from Phoenix Health Systems, a consulting and outsourcing firm located in the Mid-Atlantic that specializes in information systems projects for healthcare clients. Phoenix Health Systems is a leader in HIPAA compliance consulting and is noted for establishing HIPAAdvisory, a web portal for HIPAA resources; HIPAAlert, a free monthly email newsletter highlighting HIPAA content and news; and HIPAAlive, an email discussion group that engages a national audience in lively and controversial discussions about interpretation of the standards and the efforts needed by healthcare providers, plans, and clearinghouses to become HIPAA compliant.

The Path: Navigating an Organization Towards HIPAA Compliance

The methodology utilized to assist MGH in meeting HIPAA compliance involved five distinct phases: Education and Awareness, Impact Analysis, Planning for Implementation and Implementation, Training and Enforcement, and Audit.

Education and Awareness:

The purpose of phase one, Education and Awareness, is to educate the organization about HIPAA. It is comprised of two distinct sessions, the Executive Awareness Session and the Management Awareness and Training Session. The Executive Awareness session is one hour in length and provided the MGH Executive Leadership Team with the overall content and high-level implications of HIPAA. The objectives for this session included a review of the history and background of HIPAA, an investigation of how HIPAA will affect departments and staff, and an exploration of how to integrate HIPAA compliance with the organization’s strategic goals. The second session, Management Awareness and Training, is a half-day presentation geared toward the practical needs of the organization’s administrative team, department managers, and systems staff as they prepare for and participate in the HIPAA Impact Analysis. The objectives for this session included educating managers about why HIPAA exists, analyzing scope and compliance timeframes, identifying departmental practices that will be affected by HIPAA, evaluating the cost of compliance versus non-compliance, and identifying specific action steps. A total of 34 MGH managers, system owners, and organizational representatives participated in the Management Awareness and Training session. Their participation in these sessions was a prerequisite to the start of the Impact Analysis, Phase Two.

To streamline activities for MGH, standardized questionnaires designed to gather the data for the Impact Analysis were distributed at the end of the half-day workshop, propelling the organization into the next phase and capitalizing on the availability of the questionnaire recipients. This method allowed for rapid deployment of the questionnaires and limited the additional resource time required. In addition, a HIPAA pre-proposal survey, a tool developed for use during proposal and contract negotiations, provided useful data that supported rapid deployment by further defining how the standardized questionnaires should be distributed.

Prior to the education and awareness phase, the initial perception of MGH staff was that HIPAA was an "Information Systems" issue and that non-IS participants would therefore not be impacted. However, during the educational sessions, as those responsible for completing the questionnaires were asked to provide operational detail related to HIPAA, this mindset changed. MGH staff came to articulate that HIPAA issues such as data content, code set usage, identifiers, data security, confidentiality, and workstation and server location were in fact evident in their day-to-day operational duties and areas. Directors at MGH were struck by the wide-ranging scope of HIPAA and clearly recognized that HIPAA has a direct impact on nearly every area of operation.

Impact Analysis:

The second phase of the methodology, the HIPAA Impact Analysis, determines the potential impact of HIPAA on the organization. The purpose of the Impact Analysis is to uncover gaps and vulnerabilities for MGH, thereby enabling the organization to identify the necessary process changes, system remediation, and policy and procedure development for all areas. Using a structured approach, MGH representatives completed questionnaires for each information system that uses or stores healthcare information or contains health identifiers. The questionnaires collect assessment data related to the Transaction and Code Set Standards and the Security and Electronic Signature Standards. Major information systems were evaluated along with the actual processes in use by the organization, including the related policies and procedures. The remaining minor information systems, those that use or store a lesser amount of patient data or are strictly departmental, were analyzed using the information returned from the questionnaires together with spot-checking of organizational practices, policies, and procedures for the vulnerabilities and risks associated with HIPAA. Transactions and medical data code sets were assessed using specific questions and interviews, which were updated once the final rule was published. The analysis also included a review of the formats currently used for filing electronic transactions and a comparison of those formats against the final HIPAA electronic transaction standards. Additional mechanisms for discovering compliance versus non-compliance within MGH included structured interviews on security and privacy issues and several departmental surveys covering “physical site security” requirements. Privacy Standard impacts were assessed using a privacy questionnaire and a review of the related processes, policies, and procedures.
The final outcome and deliverable of the Impact Analysis is a report to the Executive Team outlining the impact that HIPAA will have on the organization, including the compliance status of each information system, the policies and procedures that are affected, and the recommended actions to achieve compliance.

Key Learnings and Findings

At the time of writing this case study, the Impact Analysis is near completion. A number of key process learnings have already been identified as a result of this project. A critical issue identified early in the process is that appropriate resources are required to complete the Impact Analysis accurately. It is important to identify not only sufficient resources but also the correct resources, or experts. For example, the unofficial “owners” of departmental systems can often provide the additional detail necessary to identify actual practices. One remedy is to hold more focused discussions on resource identification before the project starts. Another key process learning is the need to identify the competing priorities and commitments of information systems staff and operational managers before scheduling and initiating the Impact Analysis phase, since the documentation-gathering requirements demand time from key individuals. While the questionnaires are structured to minimize the time required, this additional request on staff with full schedules may provoke resistance if it is not carefully planned and incorporated into their workload. In addition, the support of executive leadership is vital to ensure that staff understand the priority of HIPAA and the effort involved in meeting compliance. Early discussions with key leaders to identify competing priorities may yield creative solutions for supporting multiple critical priorities at once.

Initial analysis of the results indicates a number of key areas that will require implementation of policies, procedures and process changes, as well as system remediation and organizational strategic planning. These areas include:

  • Electronic data content collection and processing
  • Code set information structure changes
  • Cost/benefit analysis to determine which standards will yield most positive results
  • Documentation of formal security policies and procedures
  • Implementation and documentation of security training and organizational policies
  • Assignment of Security and Privacy Officer

Planning for Implementation and Implementation: Phase three, Planning for Implementation and Implementation, will produce definitive resource estimates for time, capital funds, and people, based on the HIPAA Impact Analysis final report and the recommendations presented to MGH’s senior leadership. As part of the structured methodology, MGH will be guided through a post-Impact Analysis risk review to determine which of the deficiencies noted during the Impact Analysis pose the greatest threat to the operations of the hospital. Only then can appropriate decisions be made about policy, procedures, and needed system upgrades or purchases. Monitoring of vendor compliance, through requested vendor status reports, will be planned for and implemented within this phase to ensure that HIPAA compliance remains on track.

Also included in this phase is a reassessment of key stakeholder involvement in HIPAA compliance. To plan the implementation of the changes needed to meet HIPAA requirements, key members of MGH staff will be recruited from across the organization to form a multidisciplinary team. While key information systems resources are expected to be heavily involved, the organization as a whole is responsible for HIPAA compliance, and representation from all affected areas will therefore be critical. This organizational team, made up of individuals who can represent the entire organization and its uses of healthcare information, will lead the effort toward HIPAA compliance.

Training & Enforcement: Phase four, training activities and enforcement monitoring, will develop and implement the training and enforcement actions necessary to meet and maintain HIPAA compliance, based on the implementation plan. HIPAA standards require all staff, contractors, vendors, and medical staff to participate in a formal training program for security and privacy, so sessions to communicate new policies, procedures, and system features are planned. In addition, staff such as registrars and patient financial services representatives will require additional training in order to implement the data collection required by the Transaction and Code Set Standards. Information systems users will also need training on the upgraded, replaced, or new computer systems implemented as part of the compliance effort.

Audit: Auditing is anticipated as the major focus of phase five. In this phase, due diligence will be performed to compare actual policies, procedures, and practices against the HIPAA standards. It is evident that the work of HIPAA compliance will be ongoing: it requires continuous or periodic monitoring of practices, and the application of sanctions to those who choose not to comply with the HIPAA standards and with organizational policy and requirements.

Conclusions

The lack of adequate funding for healthcare initiatives, the crunch for experienced resources, and the fixed 24-month timeframe all point to the need for a structured and defined approach to beginning the work of HIPAA compliance. Experts have indicated that HIPAA requires more organizational initiatives than technical features, and the preliminary results of the Impact Analysis at MGH bear this out. While system features and functions can be stated in software code, it is the human code of policy, procedure, and practice that will be judged for HIPAA compliance. The major work anticipated for implementation will involve reaching consensus among organizational leadership, documenting policy and procedure, and putting those policies and procedures into daily practice. Because it recognized the major effort required under HIPAA and began a structured approach rather than waiting for all final rules to be published, Maryland General Hospital can expect to have the information needed to guide its planning and budgeting for its HIPAA strategy over the next two years. As President & COO of Maryland General Hospital, Tim Miller recognized the need for a comprehensive inventory of the systems and operational issues that must be addressed to achieve HIPAA compliance.


Authors

Timothy D. Miller, FACHE, President & COO, Maryland General Hospital
President and chief operating officer of Maryland General Hospital. Prior to joining the hospital in 1985, he held a variety of positions at Prince George’s General Hospital and Medical Center.

Ravinder J. Singh, Vice President, Phoenix Health Systems, Inc.
Directs the execution of the firm’s HIPAA consulting services, including planning, management education, impact analysis, compliance implementation, user training, and audit. He provided leadership in the early development of the firm’s HIPAA solutions methodologies.