HIPAA Regulatory Alert: HIPAA compliance: Technology plus culture plus operations

Train-the-trainer approach saved money on consultants

For Baystate Health System, a $1 billion integrated health system operating in western Massachusetts, HIPAA compliance has been seen as more than a technology issue. It is also a major cultural and operational issue, one that affects how the system runs day to day and the way its staff interact with patients.

Baystate HIPAA project manager Jim DiDonato described the organization’s compliance efforts in a presentation at the Sixth National HIPAA Summit in Washington, DC, saying that Baystate’s approach to following the regulations combines technology solutions, new and revised policies and procedures, new and revised contracts, workforce training, and ongoing maintenance and reinforcement.

Named one of the nation’s 100 leading integrated health care networks, Baystate is based in Springfield, MA, and includes an academic medical center, two community hospitals, numerous outpatient facilities and programs, an ambulance company, home care and hospice services, an employed primary care provider group with multiple sites, and other support services.

Included in its HIPAA compliance planning were the medical practices and ambulatory care services, administrative support, the ambulance company, the three hospitals, Visiting Nurse Association and hospice, infusion and respiratory services, and the employee health plan. Not included were the for-profit HMO in which Baystate has a majority interest and other affiliated organizations that are joint ventures.

Assessment identified many gaps

DiDonato says a steering committee and project teams initially performed an assessment that compared the HIPAA regulations with current practices and identified the gaps between them. Their security and privacy assessment uncovered many items needing to be addressed, he says. On paper and contracts, there were business contracts that were not compliant and patient consents and authorizations that were not compliant. In the physical environment, patient information was found in the trash, patient charts were exposed on hospital hallway walls and counters, fax machines and printers were left unattended, medical records were not adequately secured, computer terminals faced the public, and doors were left unlocked in medical practices, hospital stairwells, and other "secure" areas. On the administrative side, employees and physicians were not aware of existing policies, a security officer and a privacy officer still had to be designated, a security certification still had to be conducted, and new policies were needed for matters such as passwords and workstation use.

Following the assessment, they agreed on a strategy for examining compliance options with a focus on costs, risks, and resource needs. They developed and implemented work plans to achieve compliance by specified dates, and established accountabilities and processes to ensure that compliance would be maintained over time.

Presentations to many groups

With more than 8,200 employees spread across four states, Baystate made a significant effort to help people become aware of HIPAA and the activities that would be undertaken. The purpose of administrative simplification under the HIPAA regulations was stated as "improving the efficiency and effectiveness of the health care system by standardizing electronic data interchange for administrative and financial transactions, and enhancing the security and privacy protections over patient information."

Presentations outlining the purpose, project organization, and schedule were made to boards of trustees and the board compliance committee, senior executives, management teams from operating units, the community hospital medical staffs, teaching hospital surgeons and residents, community practice managers, and others.

Consultants were brought in to train selected Baystate staff, who then trained their colleagues. This train-the-trainer approach cost less than relying entirely on consultants. A budget in excess of $1.6 million was set for both the capital and operating costs of the necessary changes.

DiDonato shared with the Summit audience Baystate’s security and privacy workplans and time charts showing completion dates. He also provided information on the approval process used for needed new privacy policies, and a listing of the policies and communications that were involved.

Training began with an initial heads-up session announcing that HIPAA was coming. It was followed by "HIPAA Lite," the Phase I training, which included a manager’s guide, a handbook for employees, a quiz, and a videotape. Phase II was specific training on the privacy policies and included a manager’s guide, an employee handbook, and use of the system intranet for policies, forms, and other resources. Role-playing examples were built into the privacy training.

According to DiDonato, the group planned to reassess the situation after the April 14 compliance date to find out what had been missed and which procedures were not working as planned. An additional follow-up is scheduled for fall 2003, including compliance reviews by the system privacy workgroup and any necessary modifications to policies, procedures, and processes.

[Editor’s note: Contact DiDonato at (413) 784-8100.]