Technology helped facility with HIPAA compliance

Train-the-trainer approach saved money

For Baystate Health System, a $1 billion integrated health system operating in western Massachusetts, compliance with the privacy standard of the Health Insurance Portability and Accountability Act (HIPAA) has been seen as more than a technology issue. It also is a major cultural and operational issue that has an effect on system-wide operations and the way the system and its staff interact with patients.

Baystate HIPAA project manager Jim DiDonato described the organization’s compliance efforts in a presentation at the Sixth National HIPAA Summit in Washington, DC. DiDonato said Baystate’s approach to following the regulations includes technology solutions, new and revised policies and procedures, new and revised contracts, workforce training, and ongoing maintenance and reinforcement.

Named one of the nation’s 100 leading integrated health care networks, Baystate is based in Springfield, MA, and includes an academic medical center, two community hospitals, numerous outpatient facilities and programs, an ambulance company, home care and hospice services, an employed primary care provider group with multiple sites, and other support services.

Included in Baystate’s HIPAA compliance planning were the medical practices and ambulatory care services, administrative support, the ambulance company, the three hospitals, visiting nurse association and hospice, infusion and respiratory services, and the employee health plan. Not included were the for-profit HMO in which Baystate has a majority interest and other affiliated organizations that are joint ventures.

Assessment identified many gaps

DiDonato said a steering committee and project teams initially performed an assessment that identified gaps between the HIPAA regulations and Baystate’s current practices. The security and privacy assessment revealed many items needing to be addressed, he said, such as contracts that were not compliant, patient consents and authorizations that were not compliant, patient information found in the trash, patient charts exposed on hospital hallway walls and counters, fax machines and printers left unattended, medical records not adequately secured, computer terminals viewable by the public, employees and physicians not aware of existing policies, a need to designate a security officer and a privacy officer, a need to conduct security certification, doors left unlocked in medical practices, hospital stairwells, and other "secure" areas, and a need for new policies governing passwords and workstation use.

Following the assessment, the committee agreed on a strategy to examine compliance options with a focus on costs, risks, and resource needs. They developed and implemented work plans to obtain compliance by specified dates, and they established accountabilities and processes to ensure ongoing compliance.

With more than 8,200 employees spread across four states, Baystate made a significant effort to help people become aware of HIPAA’s requirements and the activities that would be undertaken to achieve compliance. The purpose of administrative simplification under the HIPAA regulations was stated as "improving the efficiency and effectiveness of the health care system by standardizing electronic data interchange for administrative and financial transactions, and enhancing the security and privacy protections over patient information."

Presentations to many groups

Presentations outlining the purpose, project organization, and schedule were made to boards of trustees and the board compliance committee, senior executives, management teams from operating units, community hospital medical staffs, teaching hospital surgeons and residents, community practice managers, and others.

Consultants were brought in to train selected Baystate staff in a train-the-trainer approach that saved money relative to using consultants to train all staff. A budget in excess of $1.6 million was set for both capital costs and operating costs related to necessary changes.

DiDonato shared with the Summit audience Baystate’s security and privacy workplans and time charts showing completion dates. He also provided information on the approval process used for new privacy policies, and a listing of the policies and communications that were involved.

Training included an initial heads-up session that HIPAA was coming, followed by "HIPAA Lite," Phase I training that included a manager’s guide, a handbook for employees, a quiz, and an educational videotape. Phase II provided specific training on privacy policies and included a manager’s guide, an employee handbook, and use of Baystate’s intranet for policies, forms, and other resources. Role-playing examples were built into the privacy training.

According to DiDonato, the group planned to assess the situation after its April 14 compliance date to see what had been missed and which procedures were not working as planned. An additional follow-up is scheduled for fall 2003, including compliance reviews by the system privacy workgroup and any necessary modifications of policies, procedures, or processes.