
Sunday, April 29, 2012

Policies and Procedures

Let us recap, shall we? (from my prior post)
Appendix A
V. Corrective Action Obligations
The Covered Entity agrees to the following:
A. Policies and Procedures
1. The Covered Entity shall develop, maintain and revise, as necessary, written policies and procedures (“Policies and Procedures”) that (i) address the Covered Conduct specified in paragraph 2 of the Agreement and (ii) are consistent with the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). The Policies and Procedures shall include the minimum content set forth in section V.C. below. The Policies and Procedures required under this CAP may be in addition to, and may be incorporated into, any other policies and procedures required by the Privacy and Security Rules.
2. The Covered Entity shall provide the Policies and Procedures to OCR within sixty (60) calendar days of the Effective Date for review and approval. Upon receiving any recommended changes to such Policies and Procedures from OCR, the Covered Entity shall have thirty (30) calendar days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to OCR for review and approval.
3. The Covered Entity shall implement the Policies and Procedures within thirty (30) calendar days of OCR’s approval.
B. Distribution and Updating of Policies and Procedures
1. Within thirty (30) calendar days of OCR’s approval of the Policies and Procedures, the Covered Entity shall distribute such Policies and Procedures to all members of the workforce who use or disclose protected health information (PHI). The Covered Entity shall distribute the Policies and Procedures to any new member of the workforce who uses or discloses PHI within fifteen (15) calendar days of the workforce member’s beginning service.
2. The Covered Entity shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who use or disclose PHI. Such compliance certification shall state that the workforce member has read, understands, and shall abide by such Policies and Procedures.
3. The Covered Entity shall assess, update, and revise, as necessary, the Policies and Procedures at least annually (and more frequently if appropriate)...
Policies and Procedures

A set of policies is the principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals, typically published in a booklet or other form that is widely accessible.

(The "what" and the "why." - BG)

Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

(The "how" (which tools/methods/tasks/documentation), the "who," and the "when." - BG)

From (annotated)
Visual analogies.

Policies enable us to steer (the "what") safely (the "why").
Procedures are the operative gears in the Policy drive train (the "methods," the "who," the "when")
Are we clear?

Update: from "6 things to know about an OCR/HIPAA audit," points 5 and 6:
5. It's all about clean, clear documentation. "One of the things about auditors that makes them happy is good, complete documentation upfront," said Apgar. Having good documentation, he said, will also make them less likely to want to "look under the rug … If you don't have that, they'll get suspicious and turn a little nastier." From a bottom line perspective, said Apgar, organizations should expect a letter from OCR, requesting information within 10 business days. "And that's 10 days since the letter was sent, not 10 days since you receive it," he said. "If you're the CEO, it takes a while for the letter to percolate down, so now you're way behind the 8 ball." Therefore, it's key to have documentation prepared ahead of time, paying attention to programs, policies, procedures, incident response plans and risk analysis. "That all needs to be centralized, so you can quickly grab it and make it available to the auditors," said Apgar.

6. Know auditors can look at anything and everything. The last thing that's important to know, said Apgar, is whether the auditor can look at or review patient information. "And the answer is yes, they can because they're working on behalf of the OCR and are in contract with them," he said. "Under the HIPAA regulation, if the secretary, meaning OCR, is investigating or auditing, then they have the right to see anything and everything." In the end, said Apgar, if your information is up-to-date and in line with HIPAA rules, you're good to go. "It needs to be current, accurate, complete and not only implemented, but enforceable," he said.
Point #5. It is customary in any regulated field that once you have been notified that you are to be examined, auditors will request copies of your policies and procedures for review prior to the onsite visit.

OK, what would you think were you to run across something like this in a P&P document?

It is the policy of XYZ to require that all Participants in the Health Information Exchange (HIE) comply with state and federal laws and regulations related to the use and disclosure of Protected Health Information (“PHI”), as well as with the privacy & information security policies of.

Each Participant shall, at all times, comply with all applicable federal and state laws and regulations that protect the confidentiality and security of PHI and establish certain individual privacy rights, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its accompanying regulations, 45 C.F.R. Parts 160 and 164; and Subtitle D of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”), 42 U.S.C. §§ 17921-17954.

It is the policy of XYZ to ensure that appropriate operational, physical, and technical safeguards exist to prevent the unauthorized use or disclosure of PHI. In the same way the Covered Entities (CEs) and providers currently have the responsibility to safeguard PHI contained in records and systems within their facilities, they shall have the responsibility not to inappropriately use or disclose PHI obtained through XYZ.

The Board of Directors of XYZ shall have primary responsibility for overseeing the execution and revision of privacy and information security policies, ensuring that audits occur, and that results and corrective actions are reported to the Board.

The Board shall oversee the activities of XYZ to evaluate compliance by Participants with this policy and enforce its terms.

This policy applies to all Participants that have entered into Participation Agreements with XYZ that may provide, make available, or access PHI through XYZ.  Participants shall have responsibility for ensuring compliance with this policy at their sites.

1. Each Participant shall use reasonable efforts to stay abreast of any changes or updates to, and interpretations of, such laws and regulations to ensure compliance.

2. Each Participant shall, at all times, comply with all applicable policies.

3. XYZ policies may be revised and updated from time to time upon at least 45 days prior written notice to Participants. Each Participant is responsible for ensuring it has, and is in compliance with, the most recent version of the policies.

4. Each Participant is responsible for ensuring that it has the requisite and appropriate internal policies for compliance with applicable laws and policies.

5. In the event of a conflict between policies and a Participant’s policies, the Participant shall comply with the policy that is more protective of patient confidentiality and security.
"Procedures?" Seriously?

1-5 are policy statements (#2 is particularly, redundantly rich). None of them tell me who does what, how, and when. An audit here would not get off to a good start.


"BAs" beware. You are now to be accorded the same level of OCR scrutiny and face the same liabilities as CEs. The Final Rule comprising the procedural and focal regulatory details will soon be released, but, as of Feb 17th, 2009, it's clearly been the Law.


Ober|Kaler Launches

[PR Newswire] Health Information Technology Blog covers privacy and security of medical information along with health care information technology issues

BALTIMORE, April 30, 2012 /PRNewswire/ -- The law firm of Ober|Kaler announced today the launch of its Health Information Technology and Privacy blog. The blog provides guidance to health care providers and facilities as they move into a new electronic era of privacy and security concerns under HIPAA and the HITECH Act. Ober|Kaler lawyers Jim Wieland, Sarah Swank, Paul Kim and Josh Freemire are the blog's authors...
I met Jim Wieland at HIMSS12 while covering the HIPAA/OCR session.

Added to my blogroll


My copy arrived at the office Friday. I'm about halfway through it. I will be citing some excerpts shortly. A great read, structured in a way that you can flip back and forth to topics of priority interest. He makes some claims and proffers that give me pause. They've not yet published a Kindle version, or I'd already be citing passages. Their pdf "Exec Summary" can be viewed here. A summation screen snip of mine:


Much more to come.

BTW, I heard last week via back channels that I have an "entertaining and sometimes outspoken" blog. Well, I'm glad [1] someone is reading it (though it's not why I write it), and, [2] that it's found to be "entertaining."

Read perhaps "radioactively irreverent and otherwise too often off the reservation"?

The comment was from one of the people involved in attempting to establish a "REC Trade Association" (which I mentioned in my prior post). I understand that they are "now up and running."

I reached out to the identified principals (one of whom is a former ONC Project Officer) via email to voice my support of the initiative.

Nada. Nein. Nyet. Zilch. Zero. Silencio.

I then Googled six ways to Sunday to see what might pop up on the web. Uh,

OK, well, that was unfortunate for a first result. Sort of an unintentional Santorum.
(I know what they're calling the new venture, inclusive of the acronym and logo, btw, which only makes the nil search results all the more puzzling. Pretty short REC lobbying leash here.)
We'll see what happens. I will not divulge what I've been told.


Source article by the author. Also, listen to this interview.

From the Salon piece:
Approximately 15 percent of all healthcare workers and 25 percent of all physicians in the United States were born and educated elsewhere. This means that 1.5 million healthcare jobs are “insourced,” occupied by foreign-born, foreign-trained workers brought into the United States on special visas earmarked for healthcare jobs. This number is 50 percent greater than the total number of jobs in the U.S. auto-manufacturing industry. It’s amazing to consider that in 2008 and 2009, the auto industry, which makes up just 3.6 percent of the U.S. economy, received a $97 billion bailout. If we estimate that each of these 1.5 million insourced healthcare jobs has an average wage of $60,000, that’s $90 billion a year in wages going to people brought into the United States to work rather than training Americans to do the same jobs.

The healthcare industry makes up 16 percent of our economy. Yet even in these days of close to 10 percent unemployment, we do not invest enough money in our young people to train them for jobs in healthcare — an already understaffed industry that will have to serve an additional 32 million people once the provisions of the 2010 health-reform law take full effect. Instead, when faced with pressure from hospitals and nursing homes for more healthcare workers, the federal government grants visas to import nurses, physicians, pharmacists, physical therapists, and many other types of healthcare workers from countries that can ill afford to lose them...
Part of our REC work is that of HIT workflow development liaison with the domestic institutions involved with healthcare education. I will certainly apprise my contacts of this.


I searched out Dr. Tulenko's email address and reached out to her. She responded forthwith and offered to call me to discuss some of these healthcare workforce issues. We did so today, and had the most delightful conversation. I will be reviewing her new book when it comes out.

From the blurb:
For years, opponents of outsourcing have argued that offshoring American jobs destroys our local industries, lays waste to American job creation, and gives foreigners the good jobs and income that would otherwise remain on our shores. Yet few Americans realize that a parallel dynamic is occurring in the healthcare sector--previously one of the most consistent sources of stable, dependable living-wage jobs in the entire nation.

Instead of outsourcing high-paying jobs overseas--as the manufacturing and service sectors do--hospitals and other healthcare companies insource healthcare labor from developing countries, giving the jobs to people who are willing to accept lower pay and worse working conditions than U.S. healthcare workers. As Dr. Tulenko shows, insourcing has caused tens of thousands of high-paying local jobs in the healthcare sector to effectively vanish from the reach of U.S. citizens, weakened the healthcare systems of developing nations, and constricted the U.S. health professional education system...
What a Sheet she has.

Kate Tulenko, MD, MPH, MPhil

I look forward to adding this one to my increasing reading list.


My cube mate Kevin Jones.

We hired Kevin out of the CSN HIT program. He's a retired US Navy nuke sub "Corpsman" -- basically the medical officer on a Boomer. The following came across my inbox today at work.
From: Bill Berliner
Sent: Monday, April 30, 2012 1:06 PM
To: Kevin Jones
Cc: Erick Maddox; Keith Parker; Kevin Kennedy
Subject: EMR - meaningful use kudos

At the Nevada State Medical Association state convention this weekend I was approached by Dr Fathie. She sang the praises of Kevin, as a wonderful help in getting to Meaningful Use. She said Kevin was a calming influence in a sometimes stormy situation. Well done Kevin. BILL
Bill Berliner is one of our Medical Directors, a man I hold in the highest regard. I personally know this characterization to be the case. My response to Bill's and Dr. Fathie's kudos was simply
To: Keith Parker‎; NV HIT Forum‎; Bill Berliner
Cc: Deborah Huber‎; Sharon Donnelly
I am not surprised.
Nice to see acumen and effort recognized. Very nice.

From Medscape Internal Medicine
Why Doctors Keep Doing Treatments That Don't Work
Joseph M. Smith, PhD, MD; Gary Wolf

Editor's Note:

Joseph Smith, MD, PhD, Chief Medical and Science Officer for West Wireless Health Institute in La Jolla, California, was interviewed by Gary Wolf, a contributing editor at Wired magazine, at a panel discussion in San Diego called "Quantified Self and the Future of Personal Health." The panel also included Eric J. Topol, MD, Director of the Scripps Translational Science Institute and Chief Academic Officer for Scripps Health, and Larry Smarr, founding Director of the California Institute for Telecommunications and Information Technology. The following is a transcript of the discussion with Dr. Smith.
Gary Wolf: Joe, of the panel here, you are the most directly engaged in how healthcare is managed today, because when you talk about lowering costs, you talk about lowering the cost of the healthcare system that we have today. For instance, to lower costs you have to address people who are patients or potential patients and see people as consumers or participants in the healthcare system.

What do you see as the big wins in lowering costs, in terms of new knowledge? We can lower costs by making the paper move faster in the system and such, but what new knowledge is available to us through these systems? What diseases or treatments or systems in the body do you think will produce the biggest payoff in the next few years?

Joseph M. Smith, PhD, MD: It's a tough question. People smarter than myself have previously said that prediction is difficult, particularly when it involves the future. I wouldn't want to definitively predict specific events, but there are some obvious opportunities and what seems like an unavoidable trajectory toward them.

You have talked rather generously about evidence-based medicine. Most of medicine isn't evidence-based. The overwhelming majority is more "eminence-based," to steal from my colleague to the right [Eric Topol]. We do things because we have always done them. That is going to be less tenable, and you will be put under more and more scrutiny about "Why is that? Why is this happening to me?" or "Why, doctor, are you doing that as opposed to this?" You peel back the level that says, "Well, actually, there isn't any evidence to support that. That was merely my historical preference as opposed to my data-driven wisdom and decision-making." That will put pressure on what we do and will ask us to answer some of the questions about dominant practices that are founded largely by history.

Gary Wolf: I am going to put you on the spot: What dominant practices? Name a couple.

Dr. Smith: If you go to your doctor at the moment with lower back pain, there is a pretty good likelihood that you will get some imaging for that, and there are pretty good data that say that no subsequent decisions hinge on the observations made in that imaging, or that those decisions will happen at some incredibly low likelihood. But it goes much deeper than the instances of known waste. We do a lot of things, as Eric [Topol] pointed out, that are population-based when we fully know that 30%-40% of the people to whom we provide such therapies derive no benefit but experience all the costs and all the adverse consequences. All it takes is understanding the genetic determinants, the historical determinants, or the epigenetic determinants that say, "In you, this therapy won't work, so skip it." The opportunity to take potentially life-saving therapies and give them only to the 30%-50% of a cohort that deserves them, by virtue of having some positive impact, saves half of the expense.

Estimates of known waste are $700-$800 billion a year. The things we don't yet know are larger because we are doing things that are in the guidelines. But when you peel back a layer, those guidelines are derived largely from apocryphal suggestions in remote history, right? So, there is a tremendous opportunity, as we put pressure on the system, to justify why we do what we do.

Importantly, we have a system with a bandwidth limitation living at the doctor. We can't keep up with the onslaught of information. We can't keep up with the patients we have to see. We are not really good at even figuring out which of the patients we are responsible for need to be seen at a particular time. We realize that "maybe I shouldn't be making those decisions because I can't comprehend all the diseases that my patients have. They are presenting information I don't yet know how to interpret." Maybe we need to offload that to smart systems.

Every other technologically sophisticated endeavor in which humans have participated has had the opportunity to use massive information technology and smart algorithms. You can take your car in and the mechanic no longer says, "Let me see what's wrong with your car." No -- they plug in a chip and say, "Look at that. It turns out that one cylinder is off by a little bit. Let me fix that for you." Why can't we do that with ourselves? We have to do it to ourselves because we are bandwidth-limited at the moment, and so we have to move to that type of system. It offers a great opportunity for saving.
Interesting. "Estimates of known waste are $700-$800 billion a year." Yeah. See "Potent Medicine." Also, "[i]mportantly, we have a system with a bandwidth limitation living at the doctor. We can't keep up with the onslaught of information."

See "Medicine in Denial."

e.g., from my other Medical Director today, Dr. Jerry Reeves:
I bet you will enjoy this interview with Larry Weed as well.

He was a major influence on me early in my career. The Air Force Medical Corps has been using his problem knowledge couplers for years.

Indeed, doc. I am all over all things Weed's.

(Hmmm... that could be misconstrued...)


I have precisely no idea what this signifies.


COMPLETELY OFF-TOPIC ('cause it's my blog)

My grandson signs with St. Olaf today.

He's been courted by the gamut of colleges and universities across the country. 3.8 GPA, a mow-down machine on the field. Former nationally-ranked in the USTA in his tennis age division.

His grandmother and I are very happy with this decision. We were not real high on the Div I meatgrinder. St. Olaf coughed up, big-time. We are quite grateful.

Some really good stuff here. Added this blog to my blogroll.

to wit:
Thursday, February 3, 2011

Charting Requirements Interfere with Patient Care
Yesterday’s column on the burden of nurse documentation in the New York Times by Theresa Brown, RN was spot on. She details many of the rather onerous charting requirements mandated by myriad regulatory agencies and insurance companies. She laments the fact that the documentation is so time consuming that it takes away from her mission to care for the patient. She says that nursing has always been guided by the dictum “If it isn’t charted, it isn’t done,” and points out that charting everything a nurse does during a shift is impossible in reality.

The problem has been compounded by the electronic medical record which makes it easy to insert pop-ups and drop-downs so that anything some bureaucrat fancies can be added to the chart. Of course, the nurse still has to login and get past a number of screens before she finally reaches the section she wants. Here’s the bad news. Other than the bureaucrats and operatives from the Quality Assurance Improvement department, NO ONE READS THIS USELESS INFORMATION. It simply clutters up an already very “busy” electronic chart...
More to come...


1. My goodness you write lengthy posts. I feel smarter having read them though, kudos for that.

2. Thank you, N.N.

I enjoy your blog as well. I will be citing your work and linking you in.

- BobbyG