HIPAA Ethnography-

From 2002 through 2004, members of the GoHIT project team observed HIPAA assessment and implementation meetings in a 500-bed university-affiliated teaching hospital. The purpose of these observations was to develop a grounded, qualitative understanding of how a particular healthcare organization underwent the process of “becoming HIPAA compliant.”

Although the field site was a state-of-the-art tertiary-care medical center, its HIT operations were well within the range of normal variation for US hospitals. During the observation period, the facility employed a fairly extensive electronic health record (EHR) system, but had yet to deploy computerized provider order entry (CPOE). Moreover, when the field observations began in mid-2002, the hospital's HIPAA implementation efforts were still largely in the planning stage, with full compliance not expected (and not achieved) until shortly before the federal government’s 2003 enforcement deadlines.

The qualitative fieldwork was open-ended and ethnographic in nature, involving extensive observations of hospital activities and numerous conversations with hospital staff. In all, the research team conducted over 100 hours of non-participant observation in privacy and security policy-planning meetings and training sessions, as well as several “walk-alongs” with the hospital Privacy Officer, as she toured various wards and clinics. These passive observations were supplemented by open-endedinterviews with most of the relevant decision-makers in the hospital, as well as by a more limited number of interviews with front-line doctors and nurses. To facilitate comparisons across researchers, across field settings, and over time, all fieldnotes and interviews were fully transcribed. The transcripts are currently being indexed and coded for analysis in nVivo.

*****