Search the KHIT Blog

Sunday, June 10, 2012


I'm having to help write some core draft "Policies and Procedures" for our new HIE (Breach Notification, Disclosures Accounting, HIE Employee Confidentiality Agreement, etc). I know what I need to do, but I spent a bit of time late in the week seeing what other HIEs have done, to the extent that they've posted stuff on their sites.

I have never seen so much crap.

Do these people get paid by the word or page? “Procedures” sections bloated up with what are really redundant regurgitations of policy statements?  Like, what part of the definition of the word “procedure” do they not understand?
  • Policies tell you "what" and "why."
  • Procedures tell you "how," "who, and "when." **
Now, stylistically, we frequently see the "why" stuff put up front in a "Background, Purpose, and Scope" section -- a Preamble, as it were.
** In some industries it is also commonplace to provide a subsection of "Procedures" entitled "Work Instructions" -- a granular level enumeration of short cycle repetitive tasks embodied within a procedure. Procedures and work instructions essentially comprise "workflow" and should reflect specificity, efficiency, effectiveness, and logical coherence.
There are other conventional housekeeping elements whose order and format may vary, to be sure:
  • Definitions, acronyms
  • References
  • Attachments
  • Revision Control
  • Approvals
  • Required Records

A template I recently circulated to staff (I more or less filched this from my wife, though we've both been immersed in such things since the '80's):
I. Background, purpose, and scope
Compose the “Why” statements here, (the legal/contractual/regulatory context, purposes, and limitations). Clearly summarize the need and the boundaries.

II. Policies
Insert the “What” statements here (“Shalls” [the required] and “Shoulds” [the recommendeds, where appropriate]). Declarations of corporate, legal and regulatory compliance requirements and recommendations that map to background, purpose, and scope.

III. Procedures
Insert the “How” (e.g., methods/processes, tools, information, documentation) “Who” (can be generic, i.e., “The Privacy Official or his/her designee”), “When” (how often/frequency) statements here. How shall we go about demonstrably complying with Policy?

IV. Required records
Maps back to procedures (documentation). Answers the question what if we were to be audited? Could we demonstrate that we have procedurally walked our policy talk? Auditors seek to “confirm that what is there is documented and that what is documented is there (and, that it all complies with purpose and scope).”

V. Acronyms and definitions
Insert all that apply.

VI. References
Insert all that apply (e.g., legal, regulatory, industry standards, publications, etc).

VII. Attachments
Note as applicable (usually required forms identified in Procedures sections).

VIII. Approval(s)

Signature: ________________________________________
Date: ______________________

Print Name: ______________________________________

Not exactly rocket science. (I've posted on the topic before).

From two P&P sections a major eastern U.S. HIE:
Title of Policy: Compliance with Law and "HIE" Policies
 Title of Policy: Use and Disclosure of Protected Health Information (PHI)

"Procedures"? Those are ""shall do X" policy statements.

One nice breath of fresh air amid all the rhetorical smog I slogged through was the Policies and Procedures page on the VITL website (Vermont Information Technology Leaders).



Meaningful use’s stage 2: A recipe for failure
The proposed next stage of the EHR incentive program promises to be so burdensome as to discourage embracing the technology it is attempting to promote.
Editorial. Posted June 11, 2012.

Winning over skeptics was, no doubt, a big consideration in crafting the first stage of the federal electronic health records incentive program. The requirements were substantial, but for many physicians, they also appeared to be achievable. With stage 2 on its way, the new unrealistic demands of the program now seem better suited to creating cynics...
Interesting. See also "Missive from the DMZ" on The Health Care Blog. David Shaywitz's "What The Emergence of an EMR Giant Means For the Future of Healthcare Innovation" is equally interesting (the "giant" being EPIC).

Each Indemnifying Party’s indemnity obligations hereunder shall be subject to the Indemnified Party: (a) promptly notifying the Indemnifying Party in writing of the claim (except that any failure to promptly notify the Indemnifying Party shall excuse the Indemnifying Party’s obligation to indemnify only to the extent of any prejudice to the Indemnifying Party resulting from such failure); (b) granting the Indemnifying Party sole control of the defense and settlement of the claim; and (c) providing the Indemnifying Party, at the Indemnifying Party’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the claim.
Okee-Dokee... From a document I had to review. You too can make $500 an hour composing such inscrutable gibberish. You'll pay off those law school loans in no time.


Public health: Where policy is tougher than police work
June 11, 2012 | Tom Sullivan, Editor
WASHINGTON – For anyone who thinks walking the police beat on big city streets is a hard way to earn a living, ONC’s Jason Kunzman might just set them straight.

“I used to think law enforcement was a tough gig,” said Kunzman, a former Baltimore policeman. “Until I got into policy.”

Variations on that theme wove through three public and population health sessions on Tuesday here at the Government Health IT Conference, be that about electronic health records, information exchange, or distributed query, among others.

Kunzman, a project officer at ONC, questioned the perception that health IT will deliver “unbelievable improvements and dramatic changes” as easily as deploying the technology, and asked panelists if their experience proved that?

In Southeast Michigan, six major health systems run a variety of different vendors’ electronic health records products, according to Steven Grant, MD, executive vice president of physician partnerships at Detroit Medical Center.

“If you think they talk to each other or want to talk to each other, then you’re dreaming,” Grant said. “When everybody gets together they all make nice, when they get back to their office, they think about how to beat the brains out of each other so they can be the one standing.” ...
Yeah. Opacity = "Business Intelligence" = Margin.

Courtesy of JDSupra

Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings,  what regulated entities can expect next and suggestions for covered entities concerned about being audited...

...The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial  proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, [emphasis mine - BG] failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance...

Policies and "Pruh-SEE-jers," folks.


From a nice article by L.A. health law attorney Carol Scott, a couple of money shots.
Physicians Beware, HIPAA Violations can Affect Your Bottom Line Regardless of the Size of Your Practice
Written by  Carol D. Scott, JD, Fenton Nelson, June 13, 2012

...Token compliance with HIPAA is not enough. It is not enough to reprint canned policies and procedures; the provider must train staff, conduct risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI held by the provider. Practices must appoint a privacy and security officer and ensure that it has reviewed its entire operation for compliance with the Privacy and Security Rules and understand its technology to determine if and under what circumstances PHI can be accessed on its systems. 

Documentation of HIPAA policies and procedures and training is essential, as are disclosure logs, investigations and disciplinary actions....
It's a lot of work. Too much for a lot of small shops to bother with. Until OCR comes knocking.

More to come...

No comments:

Post a Comment