HIPAA: Is it for us?

ISAC TRAINING

SEPTEMBER 18, 2002

Vision Statement

Counties and the public will benefit from adopting policies and changing procedures to safeguard confidential information.

HIPAA

Health Insurance Portability and Accountability Act

What needs to happen

Counties need to determine what they will do in response to the new Federal law, if anything

An assessment of the amount of Protected Health Information within the county will help decide the strategy

Increasing the awareness of potential pitfalls is important

Today’s situation:

Polk County has identified significant amounts of Protected Health Information in various county departments and offices

The policies and protocols for safeguarding and accessing the information come from different sources, e.g., State law, medical ethics, and other sources

Today’s situation:

Personnel files– Initial employee physical– Worker’s compensation information– Claims for accidents– Filtered back information from self-insurance

health claim files (Plan sponsor role)– Time records with health status implications

Today’s situation:

General assistance files– 20,000 files– Most stored in 6 shelf lateral shelves with no

doors; some info and coding on main frame computer

– Files located in locked area– All employees have access to area– Approximately one-third have medical information– Tax suspension—300-400 files

Today’s situation:

Youth and shelter detention files– Initial history and physical for each youth served– Mental and behavioral health information a key to

services delivered– Files generally locked in office drawers or central

file room

Veteran’s affairs– Health information in many files

Today’s situation:

Mental health records– Polk County Health Services, a private non-profit

corporation, houses most mental health information– Records are stored for 18,000 persons with PC legal

settlement– 99% of the storage is electronic plus 30 filing cabinets of

paper files– Other paper files: Cluster Board, exceptions to policy,

appeals, lawsuits, etc

Today’s situation:

Mental health files (continued):– Mental health commitment files– Auditor’s office has copy of servers– Three in Auditor’s Office have full access to all

mental health files– Mental health electronic files available to General

Assistance, and three others in Community/Family services

Today’s situation:

Auditor’s Office– All mental health records– Legal settlement information– Commitment information for mental health and

substance abuse– Mental health institutional placement information

Today’s situation:

Public Health Department– Employee physicals– HIV initial testing and treatment– Sexually transmitted disease testing and followup

About 40 boxes

– Substance abuse testing results for all of 5th Judicial District supervised persons, e.g., juvenile court parents, criminal case followup

– Mainframe records which can be drilled down

Today’s situation:

Community and Family Services Victim Services Senior Services

– 6800 seniors attended “wellness” clinics, such as arthritis screening, blood pressure, podiatry, hearing, physician assistant screenings, etc.

– 1 file drawer of medical documentation for special diets, – Meals on wheels, para transit—10,000 total; 2000-3000

new per year.

Today’s situation:

Family Enrichment Center (case management for employment support to families)– Health and mental health information can be

found in client files– Stored in locked file cabinets

Today’s situation:

Archived administrative files—both on and off site storage systems– Many are in boxes in the basement of the

administrative building, stacked on open shelves with mixed access

– Paid secure storage off-site—where the computer back up files are kept; daily access

Attorney files

How did we get here?

Current laws protect some information, but

the laws and policies have never been standardized

Mistakes have been made, usually in other places. We hear about the lawsuits.

How did we get here?

People are getting more sensitive about privacy issues.

Giving out private information might have serious consequences to the individual, such as the loss of a job or job opportunity, or disqualification from insurance coverage

Storage issues

Privacy and security are difficult to maintain in open boxes of files

Existing laws are prompting an improvement in storage methods aside from any HIPAA requirements

It is improvident to spend large amounts on file cabinet storage when “imaging” technologies will be available within a matter of years.

Available options

Do nothing and wait for a complaint. Implement everything immediately.

– Costly, disruptive, and possibly ineffective

Change only the minimum required by Federal law by April, 2003.

Make gradual changes over the next 2-3 years.

Recommendation

Implement gradually and in a reasonable manner. Do what makes sense to protect the type of information you have.

Counties appear to be a hybrid organization under the HIPAA regulations.

Action Steps

Convene centralized committee for the purpose of developing a work plan.

Develop a policy statement for the implementation of HIPAA county-wide and seek BOS endorsement of resolution adopting the policy.

Offer training for all county units on the impact of the policy statement in modifying behavior.

Action Steps

Identify gaps in physical and electronic storage Begin process of developing Information Practices

statements and notices. Possible plan—use a workshop format and an outline.

Develop and train on workstation practices Develop access log systems where needed Identify business partners and develop agreements

Corporate Compliance

Policy Oversight

Training

Discipline Monitor

Why bother?

Counties have a wide variety of confidential, personal information about people, including medical information.

Some sensitive information is required to be given in order to receive services or to qualify for county activities

Even the unintentional release of personal information may be harmful to the individual

Why bother?

As our society becomes more complex, the danger of unintended release of information increases.

Congress is concerned about the need to be more careful in the storage and handling of sensitive health information. There will soon be new “rules of the game” for providers and insurance companies. Counties need to keep up.

Why bother?

Our constituents and employees will expect us to be careful with their sensitive information about their health.

There are stiff penalties for failing to comply.

User Groups

Monthly meeting Policy Development Privacy Notices Communications with operating units

Storage issues….

More storage issues….

And more storage issues…

And still more storage issues!