Computer Quarterly Update

Computer Quarterly Update
HIPAA Update for LTC Facilities
By Malcolm H. Morrison, PhD
Although you have heard about delays in federal implementation of the Health Insurance Portability and Accountability Act (HIPAA), most of the more important provisions are now scheduled for implementation in 2003. (That is, the Privacy Standards must be implemented by April 14, 2003, and the Transaction and Code Sets provision must be implemented by October 16, 2003, so long as the facility provides a compliance plan to HHS by October 2002.)

A significant number of providers continue to believe that HIPAA compliance in long-term care requires only modest or even minimal change that can be accomplished shortly prior to the compliance deadlines. This view is inaccurate; in fact, there are numerous HIPAA risk areas for long-term care, including:

  • Access and control of medical charts, medical records and Minimum Data Set information (including electronic data)
  • Access to and control of protected health information (PHI) at nursing stations, in offices and on resident floors
  • Security of storage areas where resident files are kept
  • Security of printers, fax machines and computers in offices and elsewhere
  • Security of offices themselves, including offices occupied (or partially occupied) by non-facility-controlled staff
  • Security of admission information

With proper planning, most long-term care providers can comply with HIPAA requirements in a timely fashion. Careful thought and planning will get them there with minimal wasted time and effort. Steps to consider now (if you haven’t already) include:

1. Initiate HIPAA compliance planning.

  • Assign a specific HIPAA planning officer and appoint members to a planning team.
  • With these individuals, review HIPAA requirements as they apply to the facility.
  • Brief key executives on HIPAA compliance requirements, compliance planning steps, resources needed (staff and budget) and timetable.
  • Determine organizational structure requirements (e.g., use of planning resources across multiple organizations and development of standardized HIPAA procedures for patient consent, patient authorizations and complaint documentation).

2. Evaluate HIPAA compliance risks.

  • Review and document all major types of protected health information in the facility, including that documenting routine care. Evaluate and prioritize solutions to protect data and information that appear to be at risk.
  • Review/evaluate electronic and paper records and operational security procedures needed.
  • Identify HIPAA-related software applications and contact software vendors to obtain their HIPAA compliance plans.
  • Identify business associates and (if applicable) Chain of Trust Contracts to which HIPAA standards will apply.
  • Identify and contact vendors providing transaction codes and obtain HIPAA compliance plans/assurances from them.
  • Prior to adopting “final” new procedures, evaluate recent modifications to HIPAA provisions arising from proposals published in the Federal Register (e.g., the recent HHS proposal to eliminate the need for patient consent for provider use of PHI for patient/resident treatment, payment and operations, which could be finalized as soon as this month).
  • Review possible HIPAA compliance barriers possibly unique to long-term care facilities, e.g.: frequent access to PHI by multiple staff members; significant volume of PHI because of required documentation for pharmacy, therapy, medical treatments, medical notes, etc.; and common use of paper records, which are more difficult to protect.

3. Develop a compliance plan.

  • Assign staff to specific responsibilities for major compliance areas, i.e.: staff communication and education; consents, authorizations, notices, etc.; clinical coding, patient care documentation, auditing methods; procedures for complaints, grievances, compliance violations, tracking; transaction codes, contracts, contacts with vendors; physical security of plant and operations; electronic data (computer) security; disaster planning/recovery procedures; and special HIPAA provisions for psychotherapy records.
  • Develop a detailed workplan, with assignments, time frames and due dates. Schedule periodic reviews of policies and procedures. Provide briefings of top management and board.
  • Develop a system for documenting all decisions, procedures and policies.

4. Monitor plan results.

  • Review the facility’s risk analysis and priority compliance areas to ensure that their requirements are addressed according to plan.
  • Conduct “tests” of new policies and procedures.
  • Ensure functioning of incident tracking/review system.
  • Ensure functioning of auditing system.
  • Ensure functioning of complaint/grievance tracking and resolution.
  • Monitor results of staff communications and education.
  • Establish a procedure to resolve new issues, questions and complaints about compliance policies and procedures.
  • Test and retest all electronic security procedures.
  • Test and retest disaster planning/recovery procedures.

This appears to be a major effort and, often, long-term care facilities have neither the financial nor the staff resources to support a large HIPAA planning and compliance effort. Furthermore, many facilities have only limited electronic data technology but have large quantities of paper records. Many facilities have multiple contractual and vendor arrangements that must be accounted for in HIPAA compliance. Clearly, compliance efforts must be prioritized.

The most important factor in ensuring HIPAA compliance is managing the compliance planning and change effort so that a clear HIPAA compliance plan is developed, put in place and monitored. Ample time remains to develop and execute such a plan, even with the limited resources and staff time available. It all comes down to thinking out a plan and working it. Waiting until HIPAA requirements are about to go into effect is a recipe for trouble. NH

Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis consulting firm specializing in long-term care and postacute care. He can be reached at or by calling (800) 559-8410.

Materials from James R. Albert, vice-president and chief information officer of Masonicare, presented at the 2002 Health Information Management and Systems Society (HIMSS) annual conference were referenced in this article.

Topics: Articles