Collaboration is the key word that has made it possible for Crozer-Keystone Health System (CKHS) to successfully implement the privacy standards contained within the federal Health Insurance Portability and Accountability Act (HIPAA) legislation. 

Through the tireless efforts of numerous employees across the health system, CKHS was able to transition to compliance with the new standards, which became effective on April 14, 2003.   Although much of what is mandated by the federal privacy rule is not new to the health care industry, it was a challenge to implement these federally mandated changes in our current environment given the complexity of our business and the resource constraints we are under.

Collaboration was the theme of this initiative from the start, with the formation of the HIPAA Privacy Committee in July 2000. This committee brought together representatives from across multiple CKHS entities and departments who were tasked with becoming the subject matter experts on the privacy rule requirements as well as determining what the new federal standards meant to our current operations. Much of the remainder of 2000 was spent trying to understand the complex privacy requirements being proposed by the federal government. In addition, many meetings were spent with the various CKHS entities and departments getting acquainted with each other's lines of business and operational differences. It quickly became evident that this privacy regulation was going to be challenging to implement in an already complicated health care delivery system.  

In December 2000, the final privacy rule was issued in the last few days of the Clinton administration. This rule was met with strong industry opposition. In early 2001, with the transition from the Clinton administration to the Bush administration, the privacy rule was re-opened for public comment. It then took over a year and a half until August 2002 before the federal government issued final changes to the privacy rule and set firm the compliance date for the privacy standards of April 14, 2003. The CKHS Privacy Committee continued to meet in 2001 and 2002 to work on developing strategies to implement privacy standards that were still uncertain. 

Although the privacy standards were being changed, CKHS moved forward in developing a Notice of Privacy Practices. Our Notice of Privacy Practices is another example of a cooperative system-wide effort that resulted in the creation of a single Notice that is distributed to patients during the admission and registration process.

 

Our Notice of Privacy Practices has a summary incorporated into it as the first few pages of the document. The inclusion of a summary Notice to this document is in line with the health system's commitment to adult literacy. Although much of the language contained in the Notice of Privacy Practices is mandated by federal law, we had flexibility in creating a summary that used everyday language and could help our patients be better informed about their privacy rights and how we use and share their health information. In addition to distributing our Privacy Notice to our patients, copies are posted at all points of entry into our heath system as well as on our web site.  

Coordinating and successfully completing a federal training mandate of this magnitude within CKHS would not have been possible without the commitment of numerous core trainers from across the health system who generously gave of their time. Only a truly collaborative system-wide effort made it possible for over 200 training sessions to be held to educate all CKHS employees - including volunteers and physicians - by April 14, 2003.    

Another example of collaborative HIPAA teamwork has been the creation of the privacy program support structure within CKHS.  In addition to the designation of Nancy Bucher, vice president and chief compliance officer, as the Privacy Officer for CKHS, the heath system has designated Privacy Liaisons at each facility that will serve as a local resource to address privacy issues and support the system-wide privacy program. These support team members meet on a monthly basis to review the health system's privacy program and work to address privacy issues in a consistent and coordinated manner.

Although much of what is mandated by the federal HIPAA privacy rule is not new, it does require every one who works in health are to examine how he or she handles patient information. The privacy rule recognizes that there is no such thing as absolute privacy.  However, it also recognizes that certain best practices can be implemented in our daily routines to help reduce the risk that patient information will be improperly used or disclosed. 

Health care providers are given flexibility in implementing reasonable safeguards to reduce the potential for inadvertent breaches of patient confidentiality. To the extent that we are able to include safeguards in our daily routine, we are better able to protect our patients' right to privacy. Reasonable safeguards are based upon industry best practices. For example, it is reasonable when faxing patient information to include a cover sheet with your name and phone number and the name and phone number of the person you are faxing to in the event the fax goes to the wrong person or organization. 

In the process of implementing the HIPAA privacy rule requirements, we have tried to bring some consistency regarding how CKHS implements these requirements within our organization. A Privacy and Information Security manual was developed and distribute to all CKHS departments.

Where it has been possible to implement the HIPAA privacy requirements on a system-wide basis, we have done so. As we have moved toward a greater understanding of the all-encompassing nature of the privacy rule, we realized the need to allow flexibility for CKHS departments to implement processes that work best in their environments and with the resources available to them. We will publish HIPAA "Frequently Asked Questions (FAQs)" as a way to create system-wide operational standards to promote consistency in our work environments. It is our goal to ensure that our patients leave our health system with the believe and impression that their privacy is important to us as we care for them.

As you will remember, the privacy requirements were just one of three main components of the HIPAA legislation. Our health system continues to work together in a collaborative manner to successfully implement the Transaction & Code Set requirements that become effective October 16, 2003, and the Security requirements, which become effective April 2005.