Centura Health, a faith-based, not-for-profit IDS headquartered in Denver, Colorado, recently undertook a rapid assessment to determine its readiness to comply with the standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The assessment process consisted of a business-impact assessment, compilation of results, a gap analysis, and a preliminary business case. The business-impact assessment involved a series of interviews.
For the business case, results of the business-impact assessment were compared with the related HIPAA standard to determine the current level of compliance and develop an action plan, for approval by the project steering committee, to correct deficiencies. The HIPAA readiness assessment uncovered numerous areas in which Centura needed to implement changes, particularly with respect to ensuring the security and privacy of patients' paper records.
Denver-based Centura Health recently completed a rapid assessment to determine its readiness to comply with regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (a) Centura Health is a faith-based, not-for-profit integrated delivery system (IDS) sponsored by Catholic Health Initiatives and Adventist Health System. Centura is the largest IDS in Colorado, comprising 10 acute care hospitals located throughout central Colorado, four full-service medical/surgical centers, 10 long-term care facilities, and a statewide home care and hospice division.
Centura's leaders decided that a HIPAA readiness assessment should be performed as quickly as possible. Unlike a stand-alone hospital, Centura would require considerable time and effort to analyze the impact of HIPAA on each component of its delivery system, present HIPAA remediation proposals for multiple facilities to its board for funding approval, and implement a statewide HIPAA training program for all IDS staff.
The readiness assessment was conducted with two basic premises in mind. First, HIPAA compliance is not a finite undertaking like the Year 2000 compliance initiative, but rather, requires adoption of policies and procedures to facilitate ongoing compliance. Second, because the priority of the HIPAA readiness assessment is compliance, solutions need to be found within the IDS's current IT capabilities, and transformation of system capabilities should be considered only when absolutely necessary and in accordance with the organization's strategic plan.
To begin, Centura organized a steering committee of senior management from across the organization. The IDS then formed a statewide task force to perform the basic work of the assessment and to report findings to the steering committee. The task force was composed of about 40 staff members, including billing and accounts receivable personnel; medical records personnel; the chief privacy officer; the chief security officer; IT program office staff; representatives from the medical/surgical department, intensive care unit, emergency department, and other specialty lines of services; and quality, integrity and legal staff.
The HIPAA readiness assessment was piloted at one of Centura's hospitals. This phase of the assessment took about six weeks. The assessment process involved four phases:
* Business-impact assessment;
* Compilation of results;
* Gap analysis; and
* Business case.
Business-Impact Assessment
The business-impact assessment focused on the business office, IT functions, and clinical operations. Interview questions were developed to elicit information about Centura's HIPAA-compliance readiness in each of these three areas with respect to security, privacy, and transaction code sets. The interviews were conducted with various constituents throughout the organization. The IDS allotted three weeks for this process, whose broad goals were to:
* Identify gaps between Centura's current policies and procedures and HIPAA compliance by analyzing the impact of HIPAA on targeted systems, processes, and business-associate relationships;
* Determine the effect of HIPAA on the IDS's current strategic initiatives, including a clinical messaging project designed to provide physicians across the state with intranet access to information on patient outcomes, and a patient management project designed to facilitate patient access to the health system; and
* Identify alternative solutions to close gaps in HIPAA compliance.
The interview questions were designed by a consulting firm in a format that would enable task-force members to conduct the interviews without needing a thorough knowledge of the HIPAA regulations. The HIPAA standards were broken down into specific points, each of which could be addressed by a focused question. Because interviews were conducted face-to-face, interviewers could ask respondents follow-up questions, as necessary.
Interviews were conducted with individuals and, in some instances, small groups. The interviews on privacy and security issues took about six hours for each participant or group, and the transaction-code-set interviews took much longer, largely because many of these interviews involved vendors. All participants were asked in advance to bring an outline of their current policies and procedures to the interview.
Security. The proposed HIPAA rule on health data security was published in the August 12, 1998, Federal Register. Although the proposed security standards still are under review, and it is uncertain when the final standard will be issued, Centura determined that a readiness assessment should be conducted for this area because of the considerable time and expense that would likely be required to comply with the final standard. Important issues addressed in the interviews included:
* Administrative procedures, including employee termination policies;
* Physical safeguards, including locks and keys; and
* Technical security, including access, passwords, and encryption.
Exhibit 1 provides a sample question regarding security.
Privacy. The HIPAA final privacy rule was published in the December 28, 2000, Federal Register, with an effective date of April 14, 2003. On July 7, 2001, HHS Secretary Tommy Thompson issued a new statement regarding privacy, which relaxed some of the more stringent standards related to nonwritten communications about a patient's medical condition, use of prior consent, prescription pickup, and consultations.
To assess Centura's current state of compliance with the final rule and Secretary Thompson's revisions to it, the readiness-assessment questionnaires sought information on:
* The revenue cycle, especially whether billing personnel's access to protected information is limited to only that information required to perform their duties and whether the business-office activities are sufficiently out of public view to safeguard protected information;
* Clinical operations, including steps taken to safeguard information in the patient medical record, as well as faxed and written information;
* Administrative functions, including the positioning of computer screens and message boards and steps taken to safeguard patient lists and schedules; and
* Pastoral care providers and volunteers and the degree to which they can access protected information.
Transaction code sets. The final rule on transaction formats and code sets was published in the August 17, 2000, Federal Register with a compliance date of October 16, 2002. Centura's HIPAA readiness questionnaires focused on:
* Payment collection on patient accounts;
* Management of patient access and eligibility;
* Communications with physicians and other members of the professional community; and
* Employer information.
Exhibit 2 provides a sample of a typical question regarding code sets.
Compilation of Results
Because Centura's HIPAA readiness assessment involved multiple facilities, it was necessary to compile results into a database to facilitate comparison of findings. Data entry was time- and labor-intensive, requiring the dedication of two staff members to the task almost full-time for about 10 days. A stand-alone hospital with just one set of responses for each area evaluated may be able to skip this step. For Centura, however, the use of the database was necessary to aggregate information regarding all results statewide, thereby allowing for easier analysis of results, business-case preparation, and costing during the planning and implementation phase of the project.
Gap Analysis and Preliminary Business Case
The results of the pilot assessment were analyzed to identify gaps in compliance, and a preliminary business case was prepared for review and confirmation by the steering committee and task force. The preliminary business case included
results of the business-impact assessment, gaps identified, alternative solutions, a risk assessment, preliminary work plans, resource requirements, and a budget for completing the initiative.
Accountability for the business case was assigned to the HIPAA project manager, who, in turn, designated responsibility for developing reports on each focus area (ie, privacy, security, and transaction code sets) to individuals who also would be responsible for implementing changes in the business office and IT and clinical areas.
A formal review process was established to give task force members an opportunity to review the business case before it was presented to the steering committee. Following approval of the remediation plan by the steering committee, the task force met to discuss individual projects, time frames, and costs; develop an action plan; and designate the individuals who would be responsible for overseeing remediation activities. This phase of the project took about two weeks.
Project Findings
The following are representative findings for each area assessed:
Security. The task force determined that authentication and identification of all users, within or outside of Centura's facilities, were required. One area requiring increased security was vendor screening in materials management, including the need to safeguard protected information of patients who receive prosthetics and implants.
In addition, physical security for all locations in which patient data are used or stored needed to be strengthened. The task force was surprised by the lack of sufficient physical security of paper records, finding that copies of records had proliferated across the organization's hospitals as a result of efforts to obtain rapid access to the information. Although the task force acknowledged that implementation of a systemwide electronic medical record eventually would solve this problem, immediate measures were required to eliminate these copies and secure the original records.
Privacy. The task force determined that training programs on privacy/confidentiality were required for physicians and other staff, and forms and processes for ensuring patient consent and tracking disclosure of protected health information needed to be developed and disseminated. Increasing the awareness of patient privacy standards among all medical staff was identified as a priority. An unexpected finding with significant implications for capital investment was that some family conference rooms might need to be redesigned to afford patients greater privacy for discussing healthcare issues.
Transaction and code sets. The task force found that Centura's eligibility transactions were not HIPAA-compliant. The IT department therefore was charged with ensuring that all eligibility transactions involving Centura's business partners use the prescribed ASC X12N format. Also, because the business community was not prepared to provide details regarding its HIPAA compliance efforts, continued monitoring of business partners' progress was deemed necessary.
The task force also found that Centura was using local billing codes for several of its managed care contracts, whereas HIPAA regulations mandate the use of prescribed code sets. The IDS therefore has begun mapping its procedures to the national code sets.
The task force was surprised to find substantial inconsistency in code structures among Centura's payers. It became evident that the federal requirement to standardize code sets would help the organization substantially reduce overhead costs for electronic eligibility, authorizations, and claims submissions.
HIPAA's Financial Impact
Consulting firms offer a number of tools to assist organizations in preparing a business case and a two- to three-year financial pro forma for HIPAA compliance initiatives. The financial models reviewed by the task force tended to project relatively high costs for compliance projects. Nonetheless, use of these tools helped senior management better understand the financial impact of HIPAA.
The total financial impact of Centura's HIPAA compliance measures remains uncertain, but substantial technology infrastructure changes already have been implemented to protect patients' protected medical information in electronic formats. It was determined that having the right IT infrastructure is critical to properly protect confidential electronic data and to ensure that future software systems are HIPAA-compliant.
A major technology expense for Centura will be implementation of an electronic medical record for postdischarge information. Fortunately for a large IDS, such large-scale IT initiatives need to be implemented only once as a single, systemwide solution.
There also will be significant costs associated with training medical and administrative staff on the organization's policies and procedures and with revising paper processes at each facility to safeguard paper records. Centura acknowledged that initial and ongoing training would be required on all HIPAA issues, thus requiring integration of HIPAA training into basic employee orientation and training programs. It was estimated that HIPAA training would cost about $50 per staff member. Centura also is seeking grant funding for education of its physician partners.
Centura anticipates that the greatest privacy-related expense, in addition to staff education, will be the redesign of patient consent forms. In addition, as noted previously, the IDS expects to incur some remodeling expense to ensure patient privacy in conference areas.
Next Steps
Centura currently is completing the business-impact assessment for the remainder of its hospitals and facilities, using lessons learned from the initial assessment to improve and streamline the process. Centura has estimated that it will take eight to 12 weeks to complete the assessment of all its facilities, with a targeted completion date of October 30, 2001. For each facility, the task force will develop a business case, with priorities set among recommended solutions. The final, statewide business case, including the estimated costs for HIPAA remediation, will be presented to the steering committee in December 2001.
In general, Centura is seeking standard solutions that will be applicable to all facilities (eg, with respect to transaction code sets, patient consent forms, and communication of electronic patient information). In some instances, however, the business case may be hospital specific. For example, registration areas in some of Centura's older hospitals may need to be remodeled to meet the HIPAA privacy standards, whereas those in the IDS's newest hospitals already offer patients sufficient privacy.
In addition, Centura is implementing automated clinical and billing systems in its long-term care facilities and home health agencies. These applications are accessed through Centura's intranet to ensure appropriate safeguarding of patient information. Although the HIPAA compliance dates for home health agencies, long-term care facilities, and clinics are not until 2003, the need to eliminate duplicate paper records and implement a systemwide electronic medical record compelled Centura to develop business-impact assessments immediately for these areas as well.
Conclusion
For organizations that have not yet begun the HIPAA assessment process, the need for such a process is becoming acute. Many of the HIPAA mandates make good business sense and will have a positive effect on U.S. healthcare delivery. Some require substantial work to ensure compliance, including redesigning facilities, raising physician awareness (since their offices will not be affected until 2004), and--perhaps the greatest challenge of all--working with hospital managers to transform noncompliant practice habits.
Elaine Callas is senior vice president and CIO, and executive HIPAA sponsor, Centura Health, Englewood, Colorado.
Karl Brockmeier is director, IT Program Office, and HIPAA project manager, Centura Health, Englewood, Colorado.
(a.) For a discussion of the HIPAA standards, see Hamby, Pat H., and McLaughlin, Mark, 'HIPAA Standards Offer More Accuracy and Eventual Cost Savings,' HEALTHCARE FINANCIAL MANAGEMENT, April 2001, pp. 58-62.
EXHIBIT 1: SAMPLE HIPAA QUESTION/GAP ANALYSIS: SECURITY
HIPAA Requirement: Security and Electronic Signature Standards
HIPAA Regulation Section: 142.308(b)(4)(i)
HIPAA Standard Description: Physical Safeguards: Policy/Guideline on Work Station Use
HIPAA Regulation Text: Policy and Guidelines on Work Station Use require documented instructions and procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site.
Question Text: Are there documented policies and procedures for storing patient-identifiable information on workstation hard drives and a means to mitigate the risk?
Priority: Medium
Department: Patient Accounting
Gap/Explanation: There are no written policies for storing protected health information on workstation or portable PC hard drives.
Implications: Unauthorized access to restricted information is possible by accessing the hard drives of the PCs.
Alternatives:
1. Forbid storage of protected health information on PC hard drives.
2. Issue thin-client workstations without hard drives.
3. Implement policies governing storage of protected health information.
Solutions: Need to implement policies governing the storage of protected health information and the security of PCs.
Comments: Removal of portable PC hard drives is not practical because it would cripple the PCs' capabilities. Forbidding storage of all protected health information on PC hard drives is too restrictive; it would interfere with the ability to perform analyses and produce custom reports.
EXHIBIT 2: SAMPLE HIPAA QUESTION/GAP ANALYSIS: CODE SETS
HIPAA Requirement: Standardization of Code Sets
HIPAA Regulation Section: 162.1002
HIPAA Standard Description: HCPCS
HIPAA Regulation Text: Standardization of Code Sets: Drugs and Biologics National Drug Codes (NDC), as maintained and distributed by HHS, in collaboration with drug manufacturers, will be mandated for the following: (1) Drugs, (2) Biologics
Question Text: HCPCS Level 2 J-Codes will not be used as of October 16, 2003. Are you currently utilizing HCPCS Level 2 J-Codes for drugs and injections?
Priority: High
Department: Pharmacy
Gap/Explanation: Pharmacy is using J-codes for drugs and injections. HIPAA requires a change to NDC codes.
Implications: Cash-flow impact when bills are rejected.
Alternatives: Replace J-codes with NDC codes.
Solutions: Replace J-codes with NDC codes.