scott morgan, mph national hipaa health care operations director kandis mcintosh, rn, maom

Scott Morgan, MPH, National HIPAA Health Care Operations Director; Kandis McIntosh, RN, MAOM, HIPAA Project Manager, Kaiser Permanente Hawaii. HIPAA Summit West II Case Study. A Multidisciplinary Approach: Organizing Focused Work Groups

Upload: vina

Post on 12-Jan-2016



TRANSCRIPT

Page 1: Scott Morgan, MPH National HIPAA Health Care Operations Director Kandis McIntosh, RN, MAOM

Scott Morgan, MPH, National HIPAA Health Care Operations Director

Kandis McIntosh, RN, MAOM, HIPAA Project Manager, Kaiser Permanente Hawaii

HIPAA Summit West II Case Study

A Multidisciplinary Approach: Organizing Focused Work Groups

Page 2

Kaiser Permanente: A Snapshot

Kaiser Permanente has:

Regions in 9 states and Washington, DC

8.3 million members

29 Medical Centers

423 Medical Offices

11,345 physicians

122,473 non-physician employees

More than 3,000 applications that contain HIPAA relevant information

Page 3

The KP HIPAA Approach

National sponsorship: Health Plan, Hospitals, Medical Groups and IT

Regional sponsorship: Regional Health Plan Presidents, Medical Directors

Multi-disciplinary core advisory group: Legal and Government Relations, Internal Audit, Public Affairs, IT Security, Health care operations, Labor Relations, Others as needed

National and Regional Teams: National directors for IT, Business, Health Care Operations; Regional leads for IT, Business, Health Care Operations; KP-IT Functional Leads

Legal expertise: Internal and external

Advocacy: To achieve favorable interpretations

Page 4

National Team Organization

[Organization chart. Boxes: HIPAA Program Director; HIPAA Program Sponsors; Business Team Director (EDI); Health Care Ops Team Director; IT Team Director; Regional Business Leads; Regional Health Care Ops Leads; Regional IT Leads; Core Advisory Group; Policy Analyst; Program Management Office; Communications]

Regional Project Structure

[Organization chart. Boxes: Regional Health Care Ops Leads; Regional Business Leads; Regional IT Leads; Regional President & Medical Director; IT Functional Area Leads]

Page 5

Kaiser Permanente Hawaii: A Snapshot

Kaiser Permanente Hawaii has:

220,000+ members

1 Medical Center and contracts with local hospitals on Oahu and 3 neighbor islands

17 Medical Offices

350+ physicians

3,500+ non-physician employees

More than 100 applications that may contain HIPAA relevant information

We have initiated implementation of an EMR

Hawaii’s approach to developing their strategic plan: the Path Forward

Page 6

Hawaii HIPAA Team

SPONSORS

Authorizing: Medical Group President, Regional Manager

Top Reinforcing: Controller, Government Programs Director, Marketing Director, Hospital Administrator, Ancillary Services Director, IT Manager

OVERALL PROJECT MANAGER

PROJECT COORDINATOR

REGIONAL HEALTH CARE LEADS

Clinics Hospital

REGIONAL BUSINESS LEAD

REGIONAL IT LEAD

SECURITY OFFICER

PRIVACY OFFICER

PROJECT MEDICAL DIRECTOR

COMMUNICATIONS & POLICY ANALYST

Page 7

We’re Going to Focus on KP’s Approach to HIPAA Privacy

Page 8

HIPAA Privacy Components

Required to comply with HIPAA Privacy rule by April 14, 2003

Key Topics:

Consent

Disclosure Accounting

Training

Research

Other - Marketing, Authorization, Facility Directories, Confidential Communications, Access/Amend Protected Health Information

Page 9

KP HIPAA Privacy Timeline

[Timeline chart by month: A S O N D 2001, J through D 2002, J through J 2003. Topics: Consent; Disclosure Tracking; Training; Research; Other Privacy Topics. Legend: Legal Interpretation; Work Group Recommendations; Policy Recommendations/Detailed Design; Regional Implementation; IT Design; IT Build; IT Test; IT Implement. Annotations: (Source Systems); (Application Interfaces - Rolling); (LMS)]

Page 10

How KP Work Groups Work

Overarching Privacy Work Group defined key issues

Charter and key deliverables developed for individual work group

Participants from multiple disciplines invited (e.g., national and regional HIPAA staff, representation from affected work areas, subject matter experts, IT, Labor/Management Partnership, others)

Each topic “worked” via conference call

Focus on deliverables, raising issues, sharing expertise, building consensus

Subgroups split off for focused work as needed

Recommendations prepared for key decision makers

Page 11

Privacy/Security Training Group

Phase I (Aug. - Dec. 2001) deliverables:

Strategic Approach Document

Communications training options document by subgroup

HIPAA Security & Privacy Training Design Document

HIPAA national and regional leads, training experts, compliance, labor/management, IT

Subgroups take some tasks “off line”

National HIPAA staff developed “strawman” documents to support work group tasks

Page 12

Phase II Training Up and Running

Phase II (Feb. – May 2002) deliverables: HR policies

Vendor selection for HIPAA privacy and security content

Collaboration with Kaiser Permanente Learning Management Initiative

Strategize development and customization of training content

Develop implementation template regions can customize

Reconfigured work group

Page 13

Disclosure Accounting Work Group

National work group August - October 2001

Work group representation from Health Information Management (HIM)/Medical Records, Legal, operations

Scope: health plan, providers, national, regional, business associates

IT system needed for most departments making disclosures required in accounting

HIM/Medical Records often have release of information tracking already

Enhance/build/buy decisions

Issues: business associates, research disclosure accounting

Page 14

Research Work Group

National work group: February - April 2002

Work group representation from KP research centers, IRBs, and Legal Dept.

Topics include:

Authorizations for research combined with treatment

Waiver requirement for research approved by IRBs

Major issue: Tracking and accounting of disclosures of PHI for research

Page 15

Case Study: HIPAA Consent Work Group

Page 16

Taking on HIPAA Consent

Demanding set of requirements

Highly visible to our customers

Impacts operational areas with potential service delays and need for communication and training

Volume of HIPAA consent collection large at first, then tapers off

Page 17

Consent Planning and Roll Out

Nearly 40 participants from across KP on Consent Work Group, including: compliance, regulatory, operations, member marketing, public affairs, pharmacy, publications distribution, IT, member web site, HIPAA staff

Aggressive timeframe: Weekly meetings November 2001 to January 2002

Regional review of recommendations and requirements in February

Policy decisions slated for March and April

IT design January through June

Roll out July 2002 through April 2003

Page 18

Work Group Consent Consensus

KP will define itself as an “organized health care arrangement” (OHCA) under HIPAA, allowing joint notice of privacy practices, joint HIPAA consent, and joint health care operations

KP will obtain HIPAA consent in a variety of ways, including in person at medical facilities, online, and mail outreach

KP will store HIPAA consent information in existing databases and retrieve it at key locations, e.g., medical office registration, pharmacy, admitting, appointment and advice services

KP will scan HIPAA consent forms and store them electronically

KP will not allow restriction of uses and disclosures for treatment, payment and health care operations

Page 19

Key Issues Affected by Potential Privacy Rule Revisions

Arranging services and providing treatment over the phone before consent obtained

Health care operations disclosures for quality and regulatory purposes prevented by HIPAA but required by other laws or for accreditation and licensing

Page 20

From A Regional Perspective

Page 21

What’s in it for Hawaii...

Provided “real time” opportunity for regional input on policy decisions

Facilitator created “safe environment” to promote creative, interactive dialogue, and participant commitment

Enabled work group to leverage resources

Provided platform for consistency across the enterprise

Achieved synergistic outcomes

Page 22

Benefits of Involvement...

Provided a foundation for the local team to communicate national decisions

Presented opportunity to solicit feedback on policies/business requirements

We didn’t have to do it all ourselves

Provided an avenue to educate key stakeholders within the region

Created an environment of inclusion

Page 23

So How Do We Get That Signature?

Engage staff from the entire organization

Inform a wide audience regarding the regulatory requirements

Develop content experts within the front line staff

Then create diverse methodologies to acquire the HIPAA consent

Construct an effective tracking mechanism

Page 24

What Are We Doing Next in Hawaii?

Conduct continuous educational sessions

Early identification of operational issues/barriers

Generate solutions prior to implementation

Ensure visible executive (sponsor) support then seek organizational buy-in

Participate in the Hawaii Health Information Corporation/HIPAA Readiness Collaborative

Page 25

What Have We Learned?

It’s an enormous effort

Process is not going to be pretty or perfect

To meet the compliance deadline we will have to take risks regarding what will happen with Privacy Rule revisions and final Security Rule

Make “best guesses” and be ready to adapt as components of rule finalized

Do advocacy: collaboratively (e.g., industry groups) and as an individual organization

Page 26

Questions?

[email protected]

(925) 926-7602

[email protected]

(808) 432-5026