The trusted source for
healthcare information and
Compliance efforts expanded to address identity theft concerns
Privacy protection begins with 'easy ID,' on-line preregistration
At Gwinnett Hospital System in Lawrenceville, GA, the HIPAA compliance program has been broadened to include "any and all sensitive information," not just protected health information (PHI), says Nadia Fahim-Koster, MBA, CHPS, CISSP, information privacy and security director and officer.
In view of the growing problem of identity theft, adds Fahim-Koster, the decision was made to include financial information and employee information in the scope of material protected under the constraints outlined in HIPAA, the Health Insurance Portability and Accountability Act.
Gwinnett's privacy protection program is introduced to the public at the site of registration in a couple of different ways, Fahim-Koster notes.
Patients who preregister over the Internet begin by reading — in English or Spanish — the notice of privacy practices, after which they check a box indicating that they have done so, she says. "On the next page, they start to register and give us their PHI."
For face-to-face registration, employees use a system called "easy ID," Fahim-Koster continues. "It's an information system that prints all the documentation paperwork that a registration associate will need to register the patient."
The process includes a form developed in-house that gives patients the opportunity to tell hospital staff "who they want us to be able to communicate with during their stay," she says. "It is not a blanket release of their records," Fahim-Koster explains, but rather permission to verbally provide certain information to the person or persons designated.
Individuals listed on the form will get more detailed information on the patient's condition than is available from the facility directory, she says. Patients typically put their spouse's name on the form, for example, Fahim-Koster adds, but some choose to designate additional or different "personal representatives," as they are called.
"By law, if you arrive in an emergency situation, you will be included in the facility directory until you're conscious and tell us not to put you there," she says. "That [directory information] includes your first and last name and your condition, whether good, fair, or critical."
While the facility directory data are given to any individual who calls and asks about the patient by name, those designated as personal representatives are given additional information, Fahim-Koster says. "We can say to your personal representative, for example, 'She just got out of surgery; there are no tumors but there is a cyst, and we need to do this or that and the other."
However, the personal representative is not provided with complete detail, she notes. "We will not give, for example, the discovery that the patient is HIV-positive."
Even so, there is a clause that allows for the clinician's professional judgment, Fahim-Koster says. "If the condition has impacted the patient's health so badly that he or she is no longer able to make decisions, the hospital can share even that more detailed information."
The form was created as a result of initial HIPAA-related concerns on the part of employees, she adds, and "has helped us help staff make decisions without using their own judgment."
"Sometimes, for example, there is a woman who is going through a divorce but still married," Fahim-Koster says. "If the husband, who is not listed [as her personal representative], calls and asks for information, staff say, 'Sir, I'm going to refer you to the patient's personal rep.'" In such a case, she notes, the personal rep might be the woman's mother or another relative.
The personal representative procedure has been in place since January 2003, notes Fahim-Koster, who says she established it because "the anxiety level was palpable" as hospital staff prepared for the advent of HIPAA regulations.
"It was almost like HIPAA took away all of their [knowledge about protecting] confidentiality and they were locked down," worried that if they gave the wrong information, they would lose their jobs, she recalls.
In addition to helping to allay staff fears, the form has been useful in hospital investigations, Fahim-Koster says. "The form goes with the face sheet and becomes part of the patient's chart, and we always have that information. If somebody says, 'You disclosed information to my wife and I didn't want you to,' we can see [from the file] that he did give permission."
Training, auditing in place
New hires at Gwinnett Hospital System are required to complete a segment on HIPAA as part of the training they receive within two weeks of their start date, she says. The HIPAA training — developed in-house — incorporates slides explaining the privacy and security regulations, Fahim-Koster adds. "We use hospital scenarios as examples and fit those into the policies and procedures."
Following the training session, employees answer 25 questions on the material, and must get at least 80% correct to pass, she notes. "The last question is a confidentiality agreement — 'I agree' or 'I disagree' — that serves as an electronic signature."
Those who don't agree to the terms — not sharing protected information or user IDs, and acknowledging responsibility for anything done under their log-in — cannot work for the hospital system, Fahim-Koster says.
The current HIPAA training, which takes about an hour and is available on-line, took the place of a lengthier session that had been done by an outside company, she says.
The previous training used material written at a Grade 16 level and comprised three phases — an explanation of HIPAA, a description of what Gwinnett Hospital System has done to incorporate HIPAA, and the signing of a confidentiality agreement to go in the employee's file. "It took an average employee upwards of three hours to complete," she says
Gwinnett's program for auditing compliance includes a combination of physical and system audits, she says.
"We do walk-throughs on a rotating schedule and make sure passwords are not taped to computers and patient charts are not in view," Fahim-Koster says. "Every month we audit a few requirements of HIPAA, and once a year we walk through every single floor, every department, and write a detailed status report on what we've done."
Audits of HIPAA security procedures follow the specifications outlined in the rule, she says. "We map those out to all of our policies and then figure out [exactly] what to do. For example, we have a 'minimum necessary' [policy], where users should look only at the records of those they treat. I do an audit to see who has looked at their own records or at relatives' records. Sometimes I see where [staff] have looked at the records of VIPs or of other employees."
If employees are allowed to view their own records, Fahim-Koster explains, "they pretty much think they can look at the records of anyone they know. We want them to go through the proper channels."
To further protect sensitive information, Gwinnett employs "role-based access," she says, whereby the necessary level of access to data is precisely determined for every job code in the hospital.
"Every time [an employee] walks in the door, we know exactly what systems they need to have access to," Fahim-Koster adds.
As for the next step toward safeguarding information, "security is our biggest challenge and our biggest hurdle to true compliance with HIPAA," she says. "True privacy can only be achieved if you have good security.
"All you need is one laptop lost, one employee walking away with a file and losing it in a parking lot" to subvert the effectiveness of the most stringent confidentiality and privacy procedures, Fahim-Koster says, noting that it will take "strong safeguards and technical controls" to do the job right.
"Unfortunately, because [compliance departments] are cost centers and not revenue centers," she adds, "it is difficult to obtain funding."
To have a successful compliance program, Fahim-Koster emphasizes, "it's important to have executive management buy in. It's very important for the program to report high enough up the food chain so that it gets heard. Strong alignment [with management] is definitely needed."
Fahim-Koster reports jointly to the hospital's legal counsel and to the chief information officer, she says.
Use of SS numbers questioned
One of the compliance challenges being reported by access services staff at Gwinnett is the increasing number of patients refusing to provide their Social Security numbers during the registration process, Fahim-Koster points out.
Patients tell registrars that their health plans no longer require Social Security numbers and wonder why the hospital doesn't follow suit, she says. What she instructs the staff to respond, Fahim-Koster says, is that while the health plan may not be using the Social Security number on the patient's insurance card, it very well may be the unique identifier on the back end.
"We still need the unique identifier in our system," she adds. "More and more people are aware of identity theft and trying to protect their identity at all cost. The thing to remember is that [hospitals] always have the right to refuse treatment if it's not an emergency."
So far, staff have been able to make patients understand that if the hospital doesn't have the Social Security number to differentiate between people with the same first and last name, it can impact care, Fahim-Koster says. "It takes a lot of explanation with your front-end people."
[Editor's note: Nadia Fahim-Koster can be reached at (678) 442-4691.]