First Posted at Institute for Health Technology Transformation on 5/29/2013
As the Associate Vice President for Medical Affairs and Chief Legal Officer for the University of Florida’s College of Medicine, Jeanette Schreiber, JD, MSW, is responsible for coordinating government relations and overseeing legal and regulatory matters. Ms. Schreiber has extensive experience in health care planning and regulation; reimbursement and payment; health care affiliations, joint ventures, and networks; implementing new programs and services; government relations and legislative counsel; medical staff and peer review; compliance; patient care issues; and other health care corporate and operational issues.
A distinguished faculty member at the Institute’s Health IT Summit in Fort Lauderdale, taking place June 12-13, 2013, Ms. Schreiber recently shared some of her insights into best practices for healthcare compliance and HIPAA, clinical program implementation, and privacy & security issues.
Institute: As the Associate Vice President and Chief Legal Officer for UCF College of Medicine, you are responsible for leading the department of legal affairs and special projects to support planning, development, and implementation of business and clinical initiatives. Can you share 2 or 3 of your top priorities right now?
Schrieber: The University of Central Florida, College of Medicine is a new medical school, is graduating our first class of medical students on May 17 and working to build out all of the medical school missions, including education, research, clinical and community service. We opened a small, multispecialty clinical practice last year in Orlando, UCF Pegasus Health, where our clinical faculty provide multispecialty medical services to the community. The College has launched a Learning Collaborative with Geisinger Health System and through this partnership we will develop and model new approaches to high quality, cost effective patient centered care and clinical education.
The College also has developed a federally funded Regional Extension Center for Health IT (REC). Launched with an $8.6 million collaborative agreement from the HHS Office of the National Coordinator for Health IT, this program is enabling the UCF College of Medicine to assist over 2000 physicians from across greater Central Florida with acquiring electronic health records and achieving meaningful use. The REC’s services are expanding now to assist both primary care and specialists with a broad range of services such as obtaining accreditation as a patient centered medical home (PCMH) and providing online CME services to members. In addition, the UCF REC is partnering with the Central Florida RHIO to broaden and advance the area’s community health information exchange and develop a community health information resource.
Institute: What advice do you have for best practices concerning healthcare compliance and HIPAA?
Schrieber: The best approach for addressing both health care compliance and HIPAA is to be proactive in establishing a compliance program, laying out the organization’s approach to meeting critical legal requirements such as HIPAA, Stark and other anti-fraud laws, and billing requirements. The HHS Office of Inspector General and other governmental and private organizations have models for compliance programs, which are scalable to very small or very large organizations. Essential elements include adopting an organizational code of conduct, implementing compliance and practice standards, conducting appropriate training and education, designating a compliance officer, conducting internal monitoring and auditing, maintaining open lines of communication, and responding to suspected and known infractions through investigation, enforcement and appropriate disciplinary actions. Making people aware of the requirements and where to go with questions or concerns helps ensure compliance, and being open to hearing and then addressing concerns discourages “whistleblowers” . In the event that an error or violation occurs, the existence of an active compliance program demonstrates the organization’s best efforts to maintain compliance and often will decrease the penalties applied by enforcing authorities.
Institute: Given your background in planning and executing clinical programs, what strategies would you recommend providers consider when exploring a new clinical program at their facilities?
Schreiber: It is important to step back and look at how the proposed new initiative serves the larger mission of the organization and advances its business objectives. Allowing sufficient time for planning enables checking in with key institutional experts and stakeholders. Being sure of the cost/reimbursement structure and payment rates is critical and addressing both clinical and business perspectives helps achieve full support and avoid unnecessary surprises. Establishing and communicating clear lines of operational responsibility and authority is very important. Coordinating the team with a timeline helps a lot for larger initiatives. These seem obvious but you would be surprised how often both large and small organizations skip too many of these steps. Also, once the initiative is opened, closely monitoring it against the initial expectations and pro formas and making adjustments as needed will keep the effort on track and catch problems early.
Institute: You will be participating on the panel “Moving the U.S. Health System Forward with HIE” during iHT2 Health IT Summit in Fort Lauderdale, June 12-13, 2013. What are some of the legal concerns associated with privacy and security of patient information that providers should be aware of? What recommendations do you have to minimize those concerns?
Schreiber: Electronic health records and health information exchange are the essential backbone for transforming health care and achieving the “triple aim” of improved quality, lower per capita cost and improved population health. Privacy and security can be both perceived and actual challenges. These need to be addressed both locally and nationally to build the trust needed for full HIE participation by patients and providers and to minimize the burden and paralysis of unclear or inflexible regulations.
HIPAA security rules are drawn from industry standards and address technical issues – so both technology and legal or administrative expertise are needed to fully understand and address HIPAA security for an organization. The Security Officer needs to be someone with strong technical knowledge who knows these rules and industry standards or has quick access to address such questions. In areas where there is confusion remaining, the industry should collaborate to define some best practice standards; this can add clarity in the absence of government rules or interpretations and ultimately can lead to change in the regulations where needed.
HIEs are generally HIPAA “business associates” of covered providers or payers, and under the new HITECH regulations HIEs will need to develop a full set of HIPAA policies and procedures. HIPAA requirements are scalable and most HIPAA rules and policies are straightforward.
In emerging areas, which may include patient consents to use of data for community level outcomes studies or agreement to participate in a health information exchange or clinical database, reliable best practice standards could be very helpful. I urge that both technical and legal experts in these areas collaborate at local and national levels to bring needed clarity and streamline requirements. This will also help us provide the clear information needed for consumers/patients concerning the handling and protection of their data.