Using a case study to improve HIPAA readiness

Even for hospitals and other providers attempting to be proactive, preparing for compliance with the Health Insurance Portability and Accountability Act (HIPAA) is no easy task. "Unfortunately, the regulations keep changing," says Ted Sanford, clinical professor of anesthesiology and compliance officer at the University of Michigan Health System (UMHS) in Ann Arbor.

Sanford says the first step UMHS took was to assess where the organization stood in terms of HIPAA compliance. As a large health system, the university confronted an organizational chart that included student health services, athletic department, staff benefits, health-related schools, and the Office of Vice President for Research, he says. "There is a lot of personal health information in each of these areas. If you are not just an academic medical center, you may have some campus issues."

Sanford and his colleagues also uncovered what he says are some "hidden issues" regarding HIPAA. For example, UMHS contracts for equipment, drugs, and other items that come to the medical center. For that reason, Sanford says, the first thing compliance officers should do is assess the overall structure of their organization.

Another top priority for the health system has been bringing physicians, faculty, and executive staff on board with HIPAA, Sanford reports. He says UMHS decided to educate its managers and executives about HIPAA using a case study that demonstrates the law’s impact on clinical issues, patient treatment, and billing transactions as well as research and business operations.

According to Sanford, it is difficult to "throw the law at them" without putting it in some context. However, using a case study can help prompt the thinking that must take place within an entity with regard to HIPAA. UMHS started that process with its executive committee.

In the UMHS case study, a patient is brought by ambulance to the emergency room of "St. Elsewhere" on May 1, 2003, unconscious with a gunshot wound.

"Here are the questions you have to ask yourself," says Sanford. Can the emergency room treat the patient? Does St. Elsewhere need a business associate agreement with the ambulance company? Can St. Elsewhere report the gunshot wound to the public health service?

If the patient’s family and friends make inquiries, what can they be told? What can his employers be told? What can the emergency room ward clerk tell the news media? Can the patient be listed in the hospital directory?

If the patient has surgery and tests positive for HIV, drugs, and alcohol, can the public health department be told about his HIV status? What can his family be told? "These are all questions that you will have to keep in mind," warns Sanford.

Once the patient recovers, a new set of questions arises, he says. What must St. Elsewhere ask and tell the patient? What about consent? What about his HIV status? Must he be told that the gunshot wound was reported to the local health department?

In the case study, the patient reports prior treatment at other facilities and reports that he has a local physician. Was it a psychiatrist? Can St. Elsewhere obtain his protected health information from another facility or from another physician? What can St. Elsewhere tell the other facility about the patient’s condition?

In this scenario, the patient also has some personal information on a web-based site that stores important data. Is it personal health information? Does the hospital require a business associate agreement to see the data? Does the site need to give the patient a notice of privacy and obtain his consent if any of that information is going to be shared?

If the patient’s neighbor happens to work in pathology and is able to access information from the patient’s records, is that permissible? What should St. Elsewhere do once it learns she has accessed his records without anybody’s knowledge? "This is going on daily within your institutions," says Sanford. "There is no doubt about it."

A range of research-related questions may arise as well, says Sanford. If a patient has an interesting case, does St. Elsewhere have to obtain consent from the patient in order to present his case at a morbidity and mortality conference? If a researcher wants to include the patient in his or her records, must the patient’s permission be obtained? Does the researcher need permission from the institutional review board (IRB)? Can the IRB waive consent?

Sanford says the scariest issue of all involves laptops and Palm Pilots, many of which are used by medical students. "You are going to have to look at your facility’s rules about personal health information and how it is transported and removed from the institution," he says. "These are all issues that are going to have to be on your mind when you implement HIPAA at your institution."