The trusted source for
healthcare information and
Hospitals gearing up to meet the patient privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 should bear in mind that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has no plans to abandon its role in this area. Rather, it is is attempting to merge its own standards for security of information and patient privacy with the final regulation released Dec. 28, 2000.
According to Margaret Van Amringe, vice president for external relations in Washington, DC, JCAHO is working aggressively now to develop a HIPAA strategy.
She says one challenge is that this strategy must include hospitals, home health agencies, ambulatory surgery, laboratories, behavioral health, community health centers, and mental health programs. That makes it difficult as JCAHO attempts to move into these areas in a "technology-neutral" fashion while maintaining standards that are relevant across all of these provider types, she explains. She notes that the organization recently has beefed up some of its standards and has specifically reviewed the information management chapters in all of its manuals as well as the patient rights, responsibility, and ethics chapter.
Van Amringe says JCAHO now wants to make sure hospitals maintain codes and passwords as well as the ability to determine who has accessed the information and when that occurred. "We also added some statements about when consent was required and added some standards on preventing falsification."
JCAHO also is looking at how standards apply to areas such as telemedicine or telehealth, the electronic patient record, and some Web-based compliance products, she reports. But educating more than 1,000 surveyors in this area is going to be a major challenge, she says. Van Amringe says the Joint Commission’s biggest concern is how to balance the need for quality of care with HIPAA requirements. "We firmly believe quality of care needs to be able to be very timely. You need care when you need care, and sometimes the information may not get there if it is bogged down in HIPAA compliance issues."
According to Van Amringe, JCAHO’s options fall into two main categories: standards and compliance. In terms of standards, she says JCAHO is looking at three different options. The first simply is to boil down the HIPAA requirements for privacy and security and incorporate them wholesale into the Joint Commission’s manuals. "That is an extreme position," she asserts. "Our manuals are already pretty large, and this would make them very large." She says it might not be very practical in terms of JCAHO’s ability to train surveyors.
A second option the organization is considering is to assess its existing standards and determine where they fall short of some of the HIPAA requirements. "The area where they may fall short is in having enough explanatory materials and direction to guide organizations on how to determine when there are professionally acceptable situations for releasing information," she explains.
A third possibility the Joint Commission is considering is basically to leave its standards alone or just tweak them in a few places and then rely on the standards it has throughout all of its programs. Those standards require that organizations comply with federal and state laws.
Van Amringe says that JCAHO’s enforcement of HIPAA will turn to some extent on the decisions it makes regarding standards. She says five different approaches are on the table:
1. Adopt HIPAA standards on its own, but that will mean training at least a small cadre of surveyors to be HIPAA experts. She adds that even if JCAHO selects this option, a legal audit probably would not be possible, which makes this option unlikely.
2. Put more emphasis in its surveys on privacy and security, at least during the five years of HIPAA implementation. That option would also entail more weighting of JCAHO’s information management and patient rights chapters in its overall accreditation decisions, Van Amringe adds.
3. Don’t modify the processes but require an independent HIPAA audit. She says that raises questions about who would conduct that audit, how often it would take place, and what it would include.
4. Certify some JCAHO-approved auditing organizations that may meet appropriate standards, she says.
5. Rely mainly on complaints or incidents to trigger a site visit in order to focus on privacy and security beyond what already is encompassed in a survey.
Those options are not mutually exclusive, Van Amringe says. "You can rest assured that we will not ignore obvious violations of HIPAA regardless of which of these particular compliance regimens we opt for. It is too important an issue, and we believe our standards are really very simpatico with the objectives of HIPAA privacy and security."
According to Van Amringe, JCAHO will be pulling together a technical advisory panel this month to begin looking at some of these issues. That will include the development of a complaint-handling process to determine how HIPAA complaints should be addressed and what to do if the organization gets flooded with HIPAA complaints far beyond the number it currently handles.
She says the Joint Commission also is trying to determine whether there is an opportunity with the Department of Health and Human Services for recognition of HIPAA requirements that are included in JCAHO’s standards as a way to reduce duplication. She says that would amount to a sort of deemed status for security and privacy.