
AAMC/UHC - Convergent Validity: A Forum for AMCs to Discuss HIPAA Implementation

Top Issues for Academic Health Centers
November 12, 2002

Teaching (part of operations/academic mission)
Can Academic Health Centers Agree On A Definition For Teaching That May Help Cover Questions?

  1. Exchange of PHI between two covered entities for teaching purposes?
  2. Exchange of patient information between a covered entity and non-covered entity for teaching purposes?
  3. Training of students who rotate through multiple covered entities? If a resident rotates through 5 affiliated institutions, does she have to receive 5 HIPAA training sessions, one at each institution? Faculty?
  4. Disclosure of PHI to covered and non-covered entities where there is no teaching relationship but in a setting (e.g., CME) that is a learning environment?
  5. How do you handle students using PHI when they need to sit for their boards? Is this part of teaching?
  6. How are you treating students from other covered institutions: part of the workforce for education? From non-covered institutions?
    • Are visiting students and faculty part of the workforce?
  7. Tele-teaching: can we engage in distance learning that includes PHI without authorization? Is this part of operations/teaching?

Research

  1. Is research a part of the covered entity?
    • If yes, how have you defined "research": by function, individual, site?
    • What are advantages and disadvantages?
  2. If a research subject is not going to receive treatment, do they get Notice?
  3. Faculty with multiple functions: covered provider, researcher, and researcher who provides treatment: Does HIPAA distinguish between functions? What is required by HIPAA when you wear different hats? What is required by the Covered Entity? What is required by the IRB or Privacy Board? What is required under the Common Rule?
  4. Does HIPAA distinguish between research/treatment and research?
  5. Does the CE distinguish between research/treatment and non-treatment/research for purposes of requiring health information to be put in the medical record & DRS?
  6. Can we reach consensus that AHCs will require research sponsors to include confidentiality language in contracts so that we can provide individuals with some level of assurance that PHI will not be redisclosed?
  7. When sponsors want PHI that has been excluded from trials, what does HIPAA require? What does CE require?
  8. Multi-center Trials: are researchers business associates? What does HIPAA require? What does CE who has released PHI to researcher require? What is IRB or Privacy Board responsibility?
  9. Who is responsible for HIPAA research compliance if research is off-site?
  10. Transition Period
    • Exempt protocols: how to define? What to do?
    • Protocols with "express legal permissions" prior to April 2003
      • If consented study, what do you do with new enrollees post-April 2003
    • If IRB granted "waiver of consent" Pre-April, what will you do?
  11. Limited Data Set and Data Use Agreement: how to create, control, when to use, strategies? (Permitted for research, public health purposes, operations #1 and #2, including teaching)
    • Are there situations when the CE workforce would sign a Data Use Agreement with the CE? When?
  12. Recruitment
    • Can IRB allow a subject to be contacted without a specific authorization for recruitment?
    • Can IRB provide a limited waiver? (define limited waiver and purpose)
  13. Privacy Board or IRB or both
    • Establish Privacy Board to handle select issues: waivers for decedent PHI, pre-April 2003 exempt protocols
  14. Research data bases: Pre April 2003
    • How do you recruit from these data bases
  15. Research data bases: Post-April 2003
    • Who "holds" the data bases: the CE, the faculty provider, the researcher? How do you locate all data bases in a CE?
    • What are the risks of faculty data bases? What is best legal protection?
    • How do you create
    • What are the permissible uses for the data bases
    • How does the researcher access data base
    • When does the researcher need IRB or Privacy Board? When not?
  16. Organ and Tissue Banks
  17. Fundraising for research purposes
    • What data bases can we use?
    • Can the CE's development office access researcher's data base for fundraising on behalf of researcher?
  18. How are you training researchers? Covered faculty/researchers? IRB and IRB staff and administrators?

Fundraising

  1. Survivor Parties: Can we continue to do? (Upon discharge, get "Grateful Patient" authorization to be contacted in the future by Development Office)
  2. How specific should we be in fundraising solicitations?
  3. How do you locate all data bases within CE used for Fundraising? Faculty private data bases? Is it the responsibility of the CE or the individual Covered provider or both?
  4. Can a researcher access the CE's data base for fundraising for research projects?
  5. If the Development Offices are "outside the CE," what do we do? Are they business associates?
  6. How do we handle major donors?
  7. Grateful patient programs?
  8. Foundation solicitations of CE's patients

Media

  1. Media contact for high profile patients: what happens when the reporters call?

Designated Record Set

  1. Define
  2. Are shadow charts, 3X5 cards a part of the designated record set?
  3. Do we have to inventory shadow charts? If not, what is the responsibility of the CE and/or the covered faculty for these charts? What is the best legal defense for the CE? The faculty?
  4. Are source systems (e.g., echocardiograms) in the DRS?

Education of the Workforce

  1. How do you define workforce for purposes of HIPAA? How broad do you cast the net?
    • When someone is working in your institution who is not a university employee, do you treat them as a business associate or a member of the workforce? E.g., students from other covered institutions: part of the workforce for education? From non-covered institutions?
    • Visiting faculty (covered providers) who attend grand rounds?
    • VIPs and others (who are not providers) who want to tour and observe as part of fundraising? Development?
  2. What is the breadth and depth of the HIPAA training on "your policies and procedures"? What is the minimum required to provide for some level of competence and understanding of HIPAA in order to do the job? To provide a legal defense for the institution?
  3. What is the minimum level of documentation required?
  4. Who is responsible for maintaining training documentation?
  5. How are you tackling training issues of retention and turnover?
  6. When must new employees be trained?
  7. How often are you providing a refresher course?

Minimum Necessary Standard (not required for treatment)

  1. Can we establish criteria or job-specific categories for MNS?

Accounting of Disclosures (exclude T,P,O, Authorizations, Limited Data Set, Deidentified)

  1. What specific uses and disclosures must we account for?
  2. How do we track mandated disclosures?
  3. What are we considering as healthcare operations for purposes of excluding from accounting?
  4. Disclosure accounting without permission?
  5. Strategy: if the CE has an intranet site for listing all disclosures that require accounting, how do you train the workforce to use it? How to protect it?

Databases

  1. Can you locate all data bases? What is CE responsibility versus individual responsibility if all have received training? Best legal defense for the institution?
  2. Transition Periods for Pre-April Data Bases?

Cancer Registries

Authorizations

  1. Can a CE have a blanket authorization? (Define "blanket". You can have compound authorizations, but authorizations must be specific as to use and disclosure of PHI: to whom, what, when, and how long.)

Security - What is expected under the Privacy Rule? Can we have Privacy now without Security?

  1. How do we merge HIPAA requirements with current security capacity at our institutions?
  2. PDAs: consensus and shared policies?
  3. Email: consensus and shared policies?

Publish or Perish under HIPAA

  1. How do faculty or students use PHI for publications?
  2. PHI in photos/radiologic images for presentations at CME or other medical type conferences?
  3. CD: Can PHI on CD be used for presentations? How does CE control that practice? Patient authorization? Covered Entity versus covered faculty responsibility and liability?
  4. How do we train faculty regarding potential change in practice?

Limited Data Set and Data Use Agreement
(Permitted for research, public health purposes, operations #1 and #2, including teaching)

  1. How to create, control, when to use, strategies?
  2. Are there situations when the CE workforce would sign a Data Use Agreement with the CE? When?

Exchange of PHI with other Covered Entities

  1. When the University does not own the practice plan, what is our responsibility? Do we have to track with these outside entities?
    • What is the purpose of PHI use and disclosure? (Exchange of PHI between providers, either covered or non-covered providers, for treatment purposes is permitted; no accounting)
  2. Telemedicine
    • What is the CE's responsibility under telemedicine? When PHI is used and disclosed by entities outside the U.S.?

Hybrid Covered Entities

  1. How do you identify all CEs?
  2. How sweeping can you be in including functions in the CE?

University's HIPAA Liability

  1. What are the biggest areas of risks to the University?
  2. What is our best legal defense?
  3. What is the University/CE's responsibility?
  4. What is the individual faculty and workforce member responsibility? How do you get faculty to comply and change behavior?
  5. Disciplining and sanctions: what are you doing?

Disciplining and Sanctions

  1. Where are the teeth in the program?
  2. What does HIPAA require?
  3. How will you handle sanctions and disciplining of faculty versus other employees?

Business Associates Amendments Versus Confidentiality Agreements

  1. How do we distinguish?
  2. Is the CE a BA of a Health Plan when it is making coverage determinations or utilization review determinations in full-risk arrangements?

Student Records, Student Health Centers, Athletic Departments

  1. FERPA versus HIPAA
  2. How are we distinguishing when HIPAA applies and when it doesn't?

Operations and Patient Rights

  1. Is there a difference between public and private institutions?
  2. Patient request for restrictions
    • Are AHCs accepting any restrictions? If so, what?
    • How are you operationalizing request for restrictions? Form?
  3. Opting out of the Facility Directory: how are we operationalizing it?
  4. Notice and acknowledgment process
    • What are you doing to make a good faith effort to obtain written acknowledgment?
    • Notice to patient prior to first encounter if not face-to-face, i.e., telephone or electronic
    • Provision to non-employee physicians in your institution
  5. Access to records at multiple sites: how to handle? What are the risks?
    • If CE does not own the site where records are located, what do you do?
  6. Criteria for routine and non-routine disclosures and use within an institution: share policies or forms?
  7. Patient representatives and Family Members
    • How do you decide who gets to participate in care discussions and decisions?
    • Non-custodial parent
    • Parent or patient reps: how do you determine and certify?
  8. Requests for confidential communications
    • Define
    • What are you allowing? Forms? Policies to share?
    • What is reasonable and workable in decentralized organization?
  9. Privacy Officer job description: can we share?
    • Should Privacy and Security Officer be same?
  10. How are you assigning and managing accountability and responsibility in the organization? How are you getting the attention of leadership in order to allocate resources? What cultural changes must be achieved?
  11. Decentralized Model: What are the challenges and solutions for implementing in a decentralized model?
    • How do we handle confidential communications across the enterprise?
  12. Resources needed for HIPAA? How are you budgeting? What are you doing when the solutions, particularly IT, cost big bucks?
  13. Are institutions adopting more stringent policies for exchange of PHI for treatment than HIPAA provides?
  14. IT Solutions: are there homegrown solutions that we can share or develop as an AHC community?
  15. Is the CE a BA of a Health Plan when it is making coverage determinations or utilization review determinations in full-risk arrangements?
    • Can we argue that this is Health Plan operations where both CEs have a relationship to the patient and it is, therefore, allowed?

Questions

  1. Disclosure accounting without permission
  2. Disciplinary actions for med staff versus non med staff
  3. Provision of Notice of privacy practices for non-employee physicians in your institution: can your notice suffice?
  4. FERPA versus HIPAA: designation of SHS
  5. Identify dept and campus operations with covered functions
  6. Coordination of training of non-student workforce
  7. Research: Privacy Board to handle waivers for decedent PHI?
  8. Organ and Tissue Banks
  9. Opting out of facility directory: how to handle & operationalize
  10. Media relations?
  11. Research: recruiting from data base, what use for data base, how to access data base, permissible uses of data base, use of data with or without IRB approval
  12. Marketing
  13. Can IRB provide a limited waiver, i.e., can IRB allow a subject to be contacted without a specific authorization for recruitment?
  14. Fundraising: Survivor parties, are they gone?
  15. Email and what people are doing, faculty and patients? Is email information in the med record?
  16. Education regarding relationship to schools and taking data out?
  17. Education for faculty and students: once for multiple sites?
  18. Who collects documentation of education and how much documentation is enough?
  19. Visiting students, VIPs, take out of institution, even at night?
  20. Research: how are we handling people with multiple hats, e.g., treatment purposes vs. research purposes?
  21. Accounting of disclosures: what can be considered healthcare operations? What are others considering under that definition?
  22. CD-ROM: can that information be used for a presentation? Controlling reuse? Do you have to have the patient's authorization?
  23. High risk areas: where does one get the resources?
  24. Identifying all entities in the CE that disclose information.
  25. Educational use of PHI: grand rounds when people are not part of the workforce? Faculty with photos with PHI: can they put them in a manuscript or present at conferences without authorization?
  26. Research that does not involve treatment vs research that does? How do you handle training of physicians for diff phases? Limited data sets-who controls? Do people within your workforce sign a Data Use Agreement?
  27. Access to records: multiple locations and the patient comes to one location. How do you respond to a patient request for access? What are the risks? If you don't own the site of the records, how do you coordinate with the site?
  28. Accounting: internet site. How do you get people on board to use the site?
  29. How do you locate all the data bases within the CE?
  30. Fundraising and marketing: contain PHI?
  31. Development offices outside the CE? Business associates? What about major gifts and big donors, grateful patient program?
  32. Media contact for high profile patient: what happens when reporters call?
  33. What do you do with PHI when CE's students take PHI off site? When they sit for boards?
  34. Tackling training issues of retention and turnover? How to do efficiently?
  35. When univ does not own the practice plan - how do we track with outside entities?
  36. How do we convince leadership that HIPAA is important?
  37. Who is responsible that students rotating through our facilities are trained?
  38. Inventory shadow charts? How do we? Do we have to? Achieve cultural change?
  39. Liability for HIPAA to University?
  40. How do we merge HIPAA requirements with current security capacity at our institutions?
  41. Cancer registries?
  42. Teleradiologists and other telemedicine responsibility
  43. What is the DRS?
  44. Fundraising for research: if research is out of the OHCA, how do you use the CE's information for fundraising?
  45. If the subject is not going to receive treatment in research, do you have to provide NOTICE?
  46. Research authorizations for past PHI? Transition Period?
  47. Notice to patient when first encounter is on the telephone or electronic?
  48. Family relationships in discussion of care: what are the policies?
  49. Minimum Necessary Standard: categories
  50. Research: Pre HIPAA database? Faculty data bases? Recruitment for research? How to train researchers and IRBs?
  51. Location of research-who is responsible for compliance if off-site?
  52. Education: train the workforce? How to monitor and track? How do you differentiate the job functions training? When must new employees be trained? How often will you require refresher course?
  53. Fundraising: how do you handle foundation solicitations of CE's patients? Is foundation part of CE?
  54. PDAs?
  55. Mandated disclosures: how do you track the mandated disclosures?
  56. Non-custodial parent and others who want PHI? How do you determine who can receive patient information? Patient representative?
    • Boilerplate policies?
  57. Blanket authorization concept? How specific do you have to be for authorization?
  58. Should you use Privacy Board for research prep?
  59. How long can you retain research records?
  60. Is research covered or not? How do you distinguish the individual's functions as researcher and covered provider? How do you sort out and reduce risks?
  61. Many IT solutions-all cost money-so are there homegrown solutions that we can share?
  62. Consensus for AHCs to get research sponsors to put confidentiality language into contracts so that we don't have to say we can't control redisclosures of your PHI once it leaves our hands. However…
  63. Multicenter trials: what are we? Business associates?
  64. Many sponsors ask for your information on subjects in trial cleaning, and they want PHI that has been excluded from trials. How do we handle this?
  65. Do we have mechanism to screen faculty for case reports that are being published? Is this authorized? How do we train faculty if they don't use deidentified data?
  66. Assigning and managing accountability and responsibility in the organization? Achieving cultural change?
  67. Give us a list of what must be accounted for.
  68. HCE: how sweeping can you be? If covered and non-covered functions are within a unit, how sweeping can you be in pulling those in?
  69. How does one implement HIPAA in a decentralized model?
  70. Hidden research databases
  71. Confidential communications across the enterprise: how to handle?
  72. Definition of patient? Unique identifiers?
  73. Security issues: specific policies other than what is in the Security Regs?
  74. Is there a difference between private and public for disclosure of PHI?
  75. Dinner help? If the request is from the patient? From patient's friend?
  76. Fundraising: how specific can we be in promoting the cause? Can you reference the disease in the letter?
  77. How are we budgeting HIPAA?
  78. What should be consequences when employee does not comply?
  79. When a record is transferred out of the country-does HIPAA apply?
  80. Can a nurse get access to PHI in emergency?
  81. Open source policies amongst all HC providers
  82. Behavioral health-state versus HIPAA?
  83. Should Privacy and Security officer be the same?
  84. Student health activities in non-clinical setting? Is this a covered function?
  85. Workforce: tools or approaches?
  86. What PHI can CEs share with other CEs? Treatment? Payment? Operations?
  87. What are the uses for the DRS? Are source systems a part of the DRS, e.g., echocardiogram?
  88. When does an activity become research?
  89. How do we get physicians to comply and/or change the current culture, e.g., PDAs?
  90. What, if any, restrictions are you accepting and which ones?
  91. Do EU policies regarding privacy protection impact research? EU Safe Harbor?
  92. Distance learning: surgeon broadcasting a procedure to medical schools in foreign countries?
  93. Business Associate Amendment versus Confidentiality Agreement
  94. Pros and Cons of including research in CE?
  95. Is the physician's name outside demographic information for fundraising purposes?
  96. Athletic depts.: in or out?
  97. Translating regs into research guidance
  98. Information to national organization for fundraising collaborations
  99. Request for confidential communications-how do we comply? Restrictions? Particularly in decentralized organizations? What is reasonable and workable?
  100. Criteria for routine and non-routine disclosures and use within an institution: has anyone done this and can we share?
  101. Are people adopting more stringent policies for exchange of PHI for treatment than HIPAA provides?
  102. Is the CE a BA of the Health Plan if it is making coverage determinations or utilization review determinations, i.e., a full-risk arrangement? What are we doing for or on behalf of the plan? Can we argue that this is operations for the Health Plan?

© 1995-2009 AAMC