HIPAA May Make Business Sense, but New Tech Challenges Rules

Nachimson's group has responded to about 400 complaints on issues such as which clearinghouses or middlemen could participate in a particular transaction, what protocols or standards should be used in a particular situation, and whether a business partner's evaluation of "compliant" security was good enough. "A little more than half of those were dismissed as not really being in violation, 100 or so were settled before final determination and about 100 are still open," Nachimson said.

The privacy, security and data standard rules were not the primary focus of the 1996 HIPAA law, which was designed to guarantee Americans the ability to change jobs without losing their health insurance. The technical rules fell under a set of provisions titled Administrative Simplification, which didn't so much define as require standardized electronic transmission of administrative and financial transactions, and unique numbers to make it easier to identify patients, employers, and health plans and providers. The Act didn't define most of the standards, however, leaving HHS to fill in the details. In its turn, HHS left most of the standard setting to industry groups and health care organizations on the assumption that they knew more about the requirements and technical challenges than HHS staffers would, Nachimson said.

Unlike financial compliance regulations like Sarbanes-Oxley, which were rolled out to the public as a complete set of regulations and instructions for how to avoid violating those regulations, HIPAA has been evolving sedately over the last 10 years. HHS laid out a series of deadlines by which time industry groups would have to work out data-interchange standards among themselves, define file formats and transaction protocols, and help define the rules governing the role claims clearinghouses and other transaction middlemen were allowed to play.
The hardest part of the compliance process, WellSpan Health's Gillespie said, was setting up an EDI (electronic data interchange) network, which large health care companies had agreed to standardize on as a way to satisfy the requirement that transactions be conducted electronically in a secure way. By contrast, the privacy and security requirements were simple, more of an extension of what any good IT organization does to protect its data than anything a HIPAA-compliant medical company would do to satisfy industry-specific requirements, Gillespie said.

The biggest ongoing question is how to stay compliant while adapting to new storage technology, such as flash drives and other easily portable storage media, and how to fulfill criteria such as the requirement that patient data be easily available even during downtimes or other minor technical disasters, Gillespie said. To answer that specific need, WellSpan is developing hot-site disaster recovery systems so it's able to continue operating electronically even in the face of a "Katrina-like situation," Gillespie said.

"We've achieved a reasonable level of compliance, as good as any health care company in the country can expect to achieve," he said. "Compliance will be an ongoing expense; things change. We grow as an organization; we have more users, newer tools [with which] to detect intrusion into the Net. The firewall has to expand and grow.

"It's not that we don't have the desire to be totally HIPAA-compliant," Gillespie said. "It will continue to be on our radar screen; it will be something we will have to monitor on an ongoing basis. Every health care organization has to provide the proper level of privacy and security. We think we're in pretty good shape."

HIPAA procedures checkup

Like other regulations that focus on the control and disclosure of specific information, HIPAA requires far more process than product. The rules that require technical implementation include:
That all medical records be stored in electronic format
That the electronic format be standardized
That each health care provider (hospitals, physician offices, clinics) and each payer (insurance companies, employers) be issued a unique identification number it can use on all the medical forms it touches
That standards for exchanging records be established and all records adhere to them
That each organization provide security and a file-auditing capability that will prevent outsiders from accessing files and that it give regulators a record of who has had access to each file and what each person added to it
Organizational challenges include:
Educating both medical and clerical employees about the existence and requirements of HIPAA
Assessing and documenting an organization's privacy policies and practices
Developing new policies and procedures to ensure privacy and enforce security
Building agreements with business partners to be sure file and financial exchanges comply with HIPAA stipulations
Developing and maintaining internal enforcement officers, including employees with the power to enforce policy acting as privacy and security directors
Source: HIPAAdvisory.com, Phoenix Health Systems
"We think a lot of the standards make a lot of business sense, so the entities will develop them voluntarily. We've worked with the industry to develop the standards, after lots of debate, relying on industry standards organizations for the standards on transactions and electronic records," Nachimson said.