AAMC/UHC - Convergent Validity: A Forum for AMCs to Discuss HIPAA Implementation

The Convergent Validity HIPAA Forum was a great success. Thanks to all of the members who participated and contributed to the process. Your assistance in identifying issues and providing solutions, and your willingness to share your experience, have started the collaborative process off in the best possible way.

Materials from the meeting are available at http://www.aamc.org/members/gir/hipaa/forum/start.htm

After a great deal of discussion and sharing, the result of the meeting was that we identified five work groups to address questions in specific areas. We are working on a very short turnaround: the work groups need to respond to the questions by December 15 so that we can then circulate the results to the members for comment. The final summary will be completed by January 30th.

To move us to this next phase we are now seeking volunteers to participate in these work groups.

The following are the work groups, their co-chairs, and date of the first conference call.

** If you are interested in participating in one of the work groups please send me an email and I will forward the call information to you. (limited space, first-come basis)**

Workgroup 1: Operations And Implementation Risk
[Conference Call: Dec 2, 12:30 - 1:30 PM EST]

Co-Chairs:
Maria J. Pekar, M.B.A.
Director, Corporate Compliance
Loyola University Health System

Joe Schlesinger, Sr.
Manager, HIMS
Stanford Hospital & Clinics

  1. Operations:
    • Identifying/Operationalizing Restrictions & confidential communications Restrictions-policy that gives pt rights to restrictions; Stanford has a form that explains rights to restriction, including facility opt out and clergy, explains process and what we will not allow as restriction. Fundraising; alias allowed; restriction on phone calls; VIP, social stigma, victims of crime/abuse;
    • Determining the Scope of the DRS - DRS-attorneys view DRS as all information needed to make decision about care vs. operational view that this is what patient should be allowed to access, copy, amend. Need solution for the tension. Policy: anything outside of medical record is duplicative.
    • Determining what constitutes the Mental Health DRS - Psychotherapy notes-what is sufficient protection to provide for "separately held": Is maintenance of notes in confidential documents with restricted access and restricted access policy sufficient to satisfy the "separately held" requirement-in the electronic environment? Separately held would allow psych note to be eligible for special protections.
    • Operationalizing the Family Members "Safe-Harbor" -Individuals involved in care-professional judgment. Notice advises that if there are individuals you don't want us to give information to, you must specifically tell us, otherwise we assume part of family.
    • OHCA-what is clinically integrated enough or not for purposes of using a joint Notice-e.g. faculty private practices?
  2. Implementation Risks
    • Operationalizing Patient Rights - Patient Rights-once HIPAA implemented that will be source of complaints; plaintiff lawyers will see this as litigation opportunity
    • Identifying Disclosures That Need to Be Accounted/Operationalizing the Accounting Process -Accounting of disclosures-employees must account for those in central data base; developing a web-based tool where the division is responsible for accounting for disclosure and a designee may do so (i.e., does not have to be the direct treatment provider)
    • Generating Buy-In Tactics -Privacy at the institutional level-risk if the departments and faculty and workforce don't take these to heart and comply
    • Identifying BAs for reasons other than TPO; decedents;
    • Discuss Shadow records-1) must have inventory of and track shadow records; or 2) audited and if don't meet audit requirements, no longer use shadow records; and 3) no disclosures from shadow records
    • Identifying Best-Training Practices - Training-link the regulation to policy and procedures to training to performance; continual cycle; is there an IT solution (Tier Track); everyone has Basic Training and specialized tiers; web-based augmented by stand-up training
    • Combine w/f - Breadth and depth of HIPAA Training--what is reasonable? How much can you demand of people? Is there a web-based AHC solution? New staff will be trained during new employee orientation? Temporary and registry staff?
    • Combine w/b - Accounting for: BA for reasons other than TPO; decedents; public health; victim of abuse, neglect; health oversight unless law enforcement unless judicial and administrative proceed; victim of crime; crime on premises; crime in emergency; research not authorized; avert serious threat to h & S; military/vets; president; admin of pub benefit program; worker's comp; any identified non-routine disclosure

Workgroup 2: Education of the Workforce
[Conference Call: Nov 27, 1:00 - 2:00 PM EST]

Co-Chairs:
Regina Kilkenny, Ph.D.
Assistant Dean
University of Colorado School of Medicine

Elizabeth D. Winter
Associate General Counsel
University of Utah Health Sciences Center

  1. Workforce scope-non-CE students; visiting professors; VIPs; guests; vendor reps.
  2. Volunteer Faculty-those who come to the CE and involved in teaching: they would be HIPAA trained and a part of the workforce; no BA
  3. Volunteer Faculty-when our students go into small community offices with the 1-year delay; we would have to accept the delay; volunteer faculty may object to student placement if they have to go through HIPAA training-solution: provide the community volunteer faculty with the CE's training modules and other HIPAA materials
  4. Business associate agreements with those who come into the CE for teaching: amend current teaching affiliation or clinical teaching agreements to recognize the function-no BA
  5. Consequences/sanctions/penalties for those who do not complete training on time

Workgroup 3: Teaching/Operations
[Conference Call: Dec. 6, 2:00 - 3:00 PM EST]

Co-Chairs:
Maria Faer, M.P.H.
Director of HIPAA and Corporate Compliance
University of California
Office of the President

Joanne Koterwas
HIPAA Project Manager
Stony Brook University Hospital and Medical Center

  1. Resident eligibility to sit for specialty boards and certification-solutions: a) make this a part of operations; b) ACGME make part of board requirements to accept certification from privacy officer or other institutional official so PHI not given to board; work with the Boards to change their requirements to allow for Dean or other official certifying that student has provided records to CE; work with the AAMC to take the lead for us; look at what the regs say under operations/#2-can we interpret the language stating "credentialing" as operations
  2. Students who are from non-covered entities: can we use Data Use Agreement or BAA?

Workgroup 4: Institutional Advancement (development, fundraising, media, marketing, and communications)
[Conference Call: Dec 3, 3:00 - 4:00 PM EST]

Co-Chairs:
Nancy Dent
Director of Development
University of Texas Health Science Center at San Antonio

Khawar Ali Khan
Acting Director
Annual Giving
University of Pennsylvania


Craig K. Matthews
Director, Development Marketing
University of California, San Francisco

Martha M. Chase
University Counsel
University of California

  1. Authorization-how and at what point
  2. Physician/provider team can sign on chart that he had spoken with the patient, then DO can go to patient and get authorization
  3. Can individuals or groups of individuals be identified for fundraising lists by department, division, provider without authorization
  4. Existing data bases-scrub PHI if can't get authorization; future data bases get authorization

Workgroup #5: Research
[Conference Call: Dec 3, 4:00 - 5:00 PM EST]

Co-Chairs:
Lawrence H. Muhlbaier
Assistant Research Professor
Duke University Medical Center

Karen Blackwell, M.S.
Director, HIPAA Compliance
University of Kansas Medical Center


James A. Moran
Executive Director
Research Integrity & Compliance
University of Pennsylvania

  1. Is research a part of the covered entity?
    • If yes, how have you defined "research"-by function, individual, site?
    • What are advantages and disadvantages?
  2. Can we reach consensus that AHCs will require research sponsors to include confidentiality language in contracts so that we can provide individuals with some level of assurance that PHI will not be redisclosed?
  3. Research data bases: Post April 2003
    • Who "holds" the data bases-the CE, the faculty provider, the researcher? How do you locate all data bases in a CE?
    • What are the risks of faculty data bases? What is best legal protection?
    • How do you create
    • What are the permissible uses for the data bases
    • How does the researcher access data base
    • When does researcher need IRB or Privacy Board? When not
  4. Recruitment-when a researcher/provider does not have a treatment relationship to the individual, you cannot approach the individual to participate in the study without individual's authorization. Time sensitive research studies-e.g., neonates-how can we implement the contact with the individual in a timely manner? Solution: Treatment team or someone expected to know the situation may contact the patient representative
  5. Common criterion for IRBs to use to assess privacy risks; develop list for routine uses and disclosures and MNS for non-routine uses and disclosures; define Teaching; define Research
