Access Feedback: What are you doing to get ready for HIPAA?

Workgroups, fact-collecting part of Shands’ effort

Is your access department scrambling to get ready for implementation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996? You’re obviously not alone. Hospital Access Management would like to hear about HIPAA solutions you’ve developed, or even interesting dilemmas you’re facing. Maybe another HAM reader can help.

Meanwhile, Beverly Varshovi, associate director for admissions at Shands Hospital at the University of Florida in Gainesville, reports that she has her managers and assistant managers busy coming up with "HIPAA facts" to add to the department’s resource base.

"In July, I just started asking the 10 of them to bring me a fact a week," Varshovi says. "We started a box. Now we have 180 facts."

Access staff have been instructed to keep a record of individuals or organizations to whom they send data, whether by fax, e-mail, telephone, or automated reporting, she notes. "We’ve had everybody start keeping logs. We’re building a list of who we give data to and why."

Key web sites

In addition, Shands staff have been developing a departmental list of key HIPAA web sites, Varshovi says. "Some are better than others."

Most of the seven hospitals that comprise Shands HealthCare are hiring a person to oversee privacy and security issues, says Elizabeth White, JD, who was hired in August 2001 as the privacy officer for the health care system. Depending on its size, she notes, a hospital may allocate the responsibility to someone already on staff. A security officer for the Shands system was brought on board more than a year ago, White adds.

Key individuals throughout the Shands system are participating in a HIPAA task force, she says, and the task force has broken into subgroups to address individual aspects of the law. One group, for example, is dealing with the issue of obtaining consent for the release of patient records.

"We’re going through the drafting process and finding the most effective way of documenting and recording, White says. "We’re considering incorporating [the process] into the computer system."

There is a HIPAA provision, she points out, that allows the provider to refuse treatment if the patient won’t give consent, and some instances where consent is not required.

Some hospital departments, like Varshovi’s, are "good about keeping logs" of where they send patient information, White notes, and others are not as good. "Those that don’t keep control will have to make big changes."

Although the privacy rule becomes effective in April 2003, "most places are actively taking steps now to limit disclosures," she says.

One of the biggest tasks her organization faces in becoming HIPAA-compliant, White notes, has to do with the staff education and cultural change that must take place. "Changing perceptions may be the most challenging [aspect]," she adds.

[Please send your HIPAA questions and/or solutions to Lila Moore at or call (520) 299-8730. Beverly Varshovi may be reached at (352) 265-0322.]