A1. Teaching HIPPA Rules and Regulations
Planning: We have implemented HIPPA training into our new hire program. This program educates and emphasizes the hospitals culture, policies, rules, and regulations. We also mandate annual training that includes HIPPA for our current employees.
Organizing: The Human Resources department overseas documentation for all employees. This includes training, annual workshops, and current or upcoming expired licenses. The Human Resources department sends a bullet point email to employees that identifies items they must complete and a deadline for completion. The Human Resources department also organizes, prepares, and groups employees into classes for training.
Directing: Our training program helps employees learn specific knowledge and/or skills to improve performance in their current roles. Employee development is expansive and focuses on employee growth and future performance. In our training workshops, employees receive flyers, handouts, and PowerPoint presentations. They also engage in role-playing and scenario-based videos with instructor assistance. Subject Matter Experts instruct and facilitate our training workshops.
Controlling: After our training workshops, employees complete mandatory Computer Based Training modules in the online portal. The online portal reviews topics, offers short videos, and gives self-check tests at the end of each topic. The Human Resources department automatically receives the results of self-check tests and files them in the employees file. If necessary, a representative from Human Resources and the department manager will meet with the employee to clarify any issues or address substandard performance.
A1a. Appropriate types of PHI
Information used for patient treatment, i.e. relevant medical records and test results.
Information used for payment, i.e. insurance information for billing purposes.
Information used for healthcare operations, i.e. use of name and diagnosis/treatment to assign patients to the appropriate room.
Sharing medical information is on a “need to know” basis. Employees, clinics, hospitals, etc. should only have access to data if they have a demonstrated need. Employees that have a demonstrated need should only have the access necessary to perform their jobs.
A1ai. Sharing in the Organization
Sharing information between healthcare employees is a common and necessary practice in the delivery of healthcare. The sharing of information needs to be in a secure and designed area. Examples of designated areas include: employee only areas, in-patient rooms with the door closed, and patient consultation rooms. We have woven patient privacy and confidentiality into the fabric of our culture and take every opportunity to remind our healthcare employees to act responsibility by only providing patient information on a “need to know basis”.
A1aii. Exchanging and Receiving Information
It is necessary for healthcare workers to share information for the treatment of the patient. Charge nurses may need to share pre-operation lab work with the surgery department before a procedure. Labs must distribute test results to the healthcare team for appropriate care. Certified nursing aids may need to share critical blood pressure readings with the nurse assigned.
A1b. Penalties for Breaching Information
The hospital may take disciplinary actions if there is a HIPPA violation. Disciplinary actions may include, but not limited to, probation, remedial training workshops, and possible termination. Also, failure to comply with HIPAA can result in:
Civil penalties – The “American Recovery and Reinvestment Act of 2009” (ARRA), signed into law in 2009, establishes a tiered civil penalty for HIPAA violations. As determined by the Secretary of Health and Human Services, penalties depend on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
Criminal penalties – The Department of Justice may file criminal charges against an individual(s) responsible for a breach. Criminal penalties for HIPAA violations fall into three tiers. Depending on tier level, fines and possible jail time accrue to a maximum of $250,000 fine and up to 10 years in prison.
A1c. Secure Data
The IT security program informs and educates healthcare employees through training on HIPPA violations, choosing a secure password, and appropriate log-on/off procedures. The IT department equips all desktop computers with privacy screens to ensure PHI is not viewable to walking bystanders. IT ensures that employees encrypt all emails containing PHI according to policy. The IT department gives all employees a controlled access badge with two-factor authentication. Employees cannot access any computer without a badge and employees must remove the badge anytime they leave the computer.
The department that will oversee the internal audit will be the Health Management Information Systems team.
A2b. Security Practices to be reviewed
HIPAA Security Audits help ensure that technology systems used are meeting HIPAA
Security Standards. They review the policies and procedures to ensure compliance with the specifications of the Privacy, Security, and Breach Notification Rules.
HIPAA Privacy Audits ensure clinical locations are compliant with HIPAA Privacy requirements. For example: checking for papers with PHI that are visible to bystanders, ensuring patient boards have limited information, ensuring shred bins are in use, and are in appropriate locations.
Facility/Billing Compliance Audits determine compliance with the Centers for
Medicare and Medicaid Services (CMS) rules and regulations for coding and billing.
A2c. Changes to the Organization
Collaboration with management to develop appropriate corrective action plans that is specific, measurable, and has a timeline.
Present the results and discuss relevant information with each department staff.
Create and implement a training plan to address problem areas, enhance employee knowledge, reorient, and reengage employee efforts in HIPAA compliance.
A2d. Risk Assessment Plan
See attached file
A2di. Frequency of Assessment
We will conduct and properly document a full Risk Assessment annually. In the event of new technology, added applications, or a security breach, we will conduct a Risk Assessment on specific components of the system.A2dii. Assessment Completion
The risk manager and his/her committee administer the Risk Management Program. The risk manager interacts with administration, staff, and medical providers. The committee meets regularly and includes representatives from key clinical providers.
B1. Risks versus Benefits Summary
Electronic health records (EHRs) will help our organization build a sustainable medical practice. While EHRs require a hefty investment in technology and training, a fully functioning EHR system will lead to long-term savings.
Privacy of data and worry about access control
EHR system unavailable due to downtime, updates, technical issues.
Legal issues arise from HIPPA regulations
Reduced transcription costs
Increased productivity and efficiency
Improved medical management between departments for patient benefit
B1a. Key Decision Makers
We will include key decision makers for the institution in outlining and purchasing of an EHR system. These Key Decision Makers include the Chief Technology Officer, Chief Information Officer, Chief Operations Officer, and the supervising physician.
B1b. CMS Requirements
CMS requirements include guiding policies and procedures with standard business practices.
Resource sharing will help elimination of redundancies within the system.
B2. Hardware requirements
All employees should have a basic understanding of the devices and technology that they use and depend on. It is necessary to have a working knowledge of the various hardware and software.
The Workstation is a subsystem of an organization’s HMIS and is the primary interface that employees use to interact with the system. It consists of a computer, monitor, keyboard, and mouse and connects to the rest of the network by a dedicated line that connects to the HMIS Server.
The HMIS Server provides the bulk of information processing in the system. It takes inputs from various workstations and runs the appropriate software before returning an output to the workstation.
The Network Attached Storage holds all the data for the HMIS so that the server may access it when needed. Built-in redundancy and a centralized location allow any workstation on the network to reliably access data.
The Network Routers and Switches connect all the various parts of the HMIS together and keep information flowing to its intended destination.
B2a. Potential Investment
The approximate cost for an EHR system is $5.5 million produced by Cerner. This is a Tier 2 that includes full training and support of all staff, ongoing technical advisory team, and integration with other hospital systems.
B2b. EHR System Comparison
As a healthcare administrator for a small critical access hospital, I would make an argument for the Cerner’s EHR system. When comparing all three systems, it comes down to cost and usability.
Cerner’s EHR system supports multiple types of clinical information, such as coordinating patient care and documentation in both acute inpatient and outpatient settings. It gives providers access to the right information at the right time, within the clinical workflow, to make the best possible decisions. The system’s powerful decision support uses predictive algorithms to feed rules and alerts to inform physicians about patient safety.
Cerner’s EHR provides a portal that integrates the patient’s longitudinal record to empower patients to be proactive in their health and care management. The portal allows members to communicate with providers through secure messaging to book or change appointments, view clinical information, request refills, update information, and send files.
Cerner’s EHR provides physicians with accredited, evidence-based data supplemented by best practice guidelines and standards of care from leading medical associations, for more than 3,000 topics. The physician may then provide this information to his/her patient.
With Cerner’s EHR we can minimize costs, maximize quality outcomes, and manage the health and care of our population because clinical, financial and operational data will work together.
B3. Needed Components
Data and information component – The specification of an organization and its interrelationship among data, information, and knowledge elements required in an integrated HMIS.
Hardware and software – We will integrate the physical components and the programs that run on them into the hospital. The hardware of the HMIS will be married to the infrastructure of the hospital and we will integrate the use of the software into the day to day routine of the staff.
User component – Healthcare providers and administrators within the organization must be able to use the equipment provided to the best of their ability. Usage of the data, information, and knowledge across the organization benefits all stakeholders.
B3a. Security and Privacy Components
Cerner offers malware protection, along with firewalls with their product to secure against outside threats. Cerner offers a security workshop that is a one to two-day on-site workshop with optional remote workshop that educates on a wide variety of topics. The security workshop covers a broad range of security related items to help our organization gain a better view of our own security processes. “By leveraging Intel’s Breach Security Assessment tool with existing Cerner capabilities, we can help provide a holistic view of your current security posture and provide analysis on potential risk areas.”
Cerner offers “PatientSecure”, which uses a variety of biometric options so healthcare workers can access correct medical records. This biometric solution works by capturing a patient’s unique biometric scan. The scan produces an encrypted digital representation of the biometric pattern that ties to the unique medical record of the patient.
C1. Estimated Time for Each Group
It is vital that clinical staff including physicians, nurses, medical assistants and other personal know how to use the EHR system. We estimate that clinical staff will require eight hours of interactive training. Non-clinical staff will need six hours of interactive training. All staff will need an additional 12 hours of interactive training during the first 60 days post-implementation.
C2a. Training Sessions on Day Shift
For our 150 day-shift employees, we will conduct eight training sessions in a two-week time span. There will be four training days per week, two hours in length. There will be various times slots available to ensure we provide adequate patient care.
C2b. Training Sessions on Night Shift
For our 50 night-shift employees, we will also conduct eight training sessions in a two-week time span. There will be four training days per week, two hours in length. There will be various times slots available to ensure we provide adequate patient care.
C2c. Cost of Training
Assuming an average of $21 per hour the total cost of training will be between $25,200 and $42,000 for 200 employees for 6 – 10 hours.
C2d. Training Plan for Physicians
We will provide eight hours of training on the new EHR system for 75 physicians. We will hold the trainings for two weeks for two hours per session. We will accommodate physicians who work weekends and night shift by having training slots every day.
Physicians Sunday Monday Tuesday Wednesday Thursday Friday Saturday
Week 1: Physicians 1-15 8am-10am 8am-10am 8am-10am 8am-10am
Physicians 16-31 3pm-5pm 3pm-5pm 3pm-5pm 3pm-5pm Physicians 32-47 1pm-3pm 1pm-3pm 1pm-3pm 1pm-3pm
Week 2: Physicians 48-63 8am-10am 3pm-5pm 8am-10am 1pm-3pm
Physicians 64-75 8am-10am 3pm-5pm 8am-10am 3pm-5pm C3. Train-the-Trainer Program
The Cerner EHR system includes a full training and support staff with its cost. We plan to send team members from our human resources and some department managers to the workshop Cerner offers. Those selected will form an EHR training committee. We will consider the members of the committee to be Subject Matter Experts and will utilize them as instructors to train the rest of our staff. They will participate in remote workshops, on topics that they need more assistance in. Cerner offers ongoing technical staff as we implement our system and our training committee members will use the help as necessary. As turnover occurs, the committee will recruit new members from the staff to maintain a core cadre of trainers.
C4. Transition Plan
Since we are a smaller hospital, we plan to launch the new EHR system on a previously set date. Our goal is to have 90% of users finish the workshop by launch day. This allows all users to access and gain proficiency all at the same time. It is in the best interest of healthcare employees and the hospital that 90% of the training is complete before launch day, to provide the best patient care. The hospital will be working rigorously to install all hardware and perform system checks to be ready for launch. The actual swap will occur overnight on a day of the week with a historically low patient load. We will ensure that Cerner representatives are on hand to address any issues that may arise and we will request that they be readily available for the week following the swap as well.
C4a. Measure Competency
The team members who participate in the Cerner EHR training workshops will help train, supervise, observe, and engage other staff with the new system. Users will be able to ask questions and give feedback. The EHR committee will conduct periodic audits ensure employees meet data entry, data accuracy, and data integrity standards. The EHR committee will present performance benchmarks to the board of directors in the form of reports, analysis, and graphs. The benchmarks will help determine employee competency when using the EHR system.
C4b. Appropriate Time
We have decided to transition on a Thursday on the night shift. The Cerner’s EHR system will launch Friday morning on the morning shift. The end of the week is when the hospital slows down, which will give employees a chance to review any videos, or PowerPoints offered on the online portal.
C4bi. On-site for Transition Period
The Chief Technology Officer
Chief Information Officer
Chief Operations Officer
Cb4ii. Justification of On- Site Leaders
Chief Technology Officer – Executive-level position in the hospital whose occupation is focused on scientific and technological issues within the hospital. CTO examines the short and long-term needs of an organization. CTOs help the organization reach its objectives.
Chief Information Officer – Senior executive in the hospital responsible for the traditional information technology and computer systems that support hospital goals. CIO key part of any business utilizes technology and data.
Chief Operations Officer – Responsible for the daily operation of the hospital.
These leaders along with the EHR committee will be available and have staggered schedules to accommodate any questions or concerns during the transition period and launch of the new system.
C5. Rewards for Staff
Following the launch day and after the first week of transition period, the hospital will provide a meal for the staff to show appreciation and patience during this time.
C5a. Collaboration with Administration Team
The board of directors would need to approve a budget. We would have to plan a day and time, offering different menu options to accommodate our staff. The event is to recognize and show appreciation to all staff and thank them for their patience and persistence during this time.