Hospitals scramble to comply with HIPAA implementation

Compliance departments seek different routes to juggle priorities

With most compliance officers reporting they now spend roughly half their time working on the implementation of HIPAA mandates, compliance departments are struggling to maintain a focus on their more traditional responsibilities.

Indeed, compliance departments are taking a variety of paths to manage the workload added by the Health Insurance Portability and Accountability Act (HIPAA) without losing their focus on existing priorities such as monitoring and auditing. "The operational side of HIPAA is obviously huge from a compliance perspective," says Bret Bissey, chief compliance officer at Deborah Heart and Lung Center in Brown Mills, NJ. "That is taking up a lot of time and effort."

Like many compliance officers, Britt Crewse, associate vice president and chief compliance officer of Duke University Health System in Durham, NC, says he could easily spend all of his time on HIPAA, and trying to figure out how to operate under the new HIPAA rules has been a major undertaking.

However, Crewse says an even bigger challenge has been trying to figure out what areas the compliance department should focus on. According to Crewse, the key is to identify the most critical priorities vs. trying to focus on everything. "You can easily get overwhelmed in compliance by trying to look at everything," he explains. "Sometimes, you will end up not being able to complete any task, vs. focusing on key areas."

Allison Manney, compliance officer at Lovelace Health Systems in Albuquerque, NM, says she has worked hard to keep her department’s focus on traditional compliance. "I have waged a huge battle to keep focus on compliance," she asserts. "Once you get through the development stage, it takes a lot of work to keep up the momentum of your compliance program."

Rather than taking ownership of HIPAA, she reports that her department participates on a HIPAA committee. The new department will use the compliance department as a reporting mechanism, which is similar to how the human resource department currently interacts with the compliance department. Among the organization’s 3,200 employees, those mechanisms, including the hotline, are highly utilized, and her office views this as an effectiveness measure, Manney says.

John Harrison, corporate compliance officer at TMC HealthCare in Tucson, AZ, says that his organization has followed a similar path by developing a steering committee for HIPAA implementation that includes himself, the chief legal counsel, and management information systems (MIS) director. In addition, the organization is using an outside consultant and separate team leaders for transaction sets and security.

TMC also has established a privacy committee with representatives from legal, medical records, patient customer records, and MIS that will act as the receiving group for all privacy issues that arise. Because HIPAA is multidimensional, it is conducive to a committee approach, Harrison says.

Using an outside consultant is a common practice. According to an on-line survey conducted this summer by the Philadelphia-based Health Care Compliance Association, more than half of the 458 respondents indicated they had sought outside help to address HIPAA privacy compliance. Of the roughly 44% of the respondents who did not seek outside help, 81% indicated they had no plans to seek assistance in the future.

Two-thirds reported they had not sought help to conduct a network security/vulnerability assessment; and of the one-third who did, roughly 76% indicated they do not plan to use them for their overall compliance efforts.

As if HIPAA was not enough, compliance officers report that quality and accreditation also are taking up more time, as is an increasing emphasis on measuring effectiveness.

Al Josephs, director of corporate compliance at Hillcrest Health System in Waco, TX, says the responsibilities that have been added to his job include accreditation issues related to the Joint Commission on Accreditation of Healthcare Organizations as well as quality issues. That includes dealing with the Texas Department of Health and handling state inquiries. "I have become more heavily involved in those and actually investigate those cases," he says.

Compliance officers probably are a year away from playing a heavy role in quality oversight, Josephs says. "Some of the quality issues are showing up on the radar screen a little more than they used to from a compliance standpoint in terms of the quality of service and medical necessity as well as conditions of participation," he says.

Josephs predicts this trend will continue as peer review organizations (PRO) transform themselves into quality improvement organizations. Most compliance officers have been involved in the PRO process for payment-error prevention, he points out. "As they move to quality improvement organizations, there will be issues raised that require compliance officers to be in the loop."

Helene DesRuisseaux, chief compliance officer at Cedars-Sinai Health System in Los Angeles, says her department already tries to perform its oversight functions with the goal of improving quality of care throughout the organization. "Where we have had the opportunity to tie quality and compliance together, we have actually done that," she reports.

In some cases, she says, the compliance liaison responsible for overseeing the compliance plan implementation for a particular area also is the quality manager. "That is true for us in home care and hospice, and the laboratory compliance officer is the quality improvement officer as well," DesRuisseaux says.

At Duke, Crewse says his organization already had someone in place whose expertise is patient care. That person also is the compliance director for Duke’s hospital and reports to him on compliance-related issues, but to someone else on Joint Commission and patient-quality issues. Crewse says he is notified about those issues but is not directly responsible for them. "That has been very effective," he says.