RFP Showdown: September 10, 2001

By eweek  |  Posted 2001-09-10

RFP Showdown: September 10, 2001

The Problem

A 10-person psychiatric practice needs to make its medical records HIPAA compliant by April 2003, according to new government mandates (see www.hipaacomply.com). The company needs a HIPAA-compliant server that stores medical records and can synchronize with a local hospitals system. Moreover, doctors must be able to access the server from wireless handheld computers and dial-up systems. Please make your recommendations.

My Solution: William Young


As per the RFP, my HIPAA-compliant solution provides flexibility for the maintenance, retrieval and secure transmission of patient-information records between the psychiatric practice and authorized recipients.

Lets start with software. Here, a secure practice management system will retain demographics, insurance and billing information. It also will manage patient scheduling and will integrate with a secure back-end database (in this case, Microsofts SQL Server 2000).

The Electronic Data Interchange (EDI) components should be HIPAA compliant with regard to filing formats and transmission protocols, enabling transmission over evolving methods—including dial-up modem, secure ftp, VPN or encrypted http.

The practice management system should be able to address all required billing formats (such as HCFA, UB92, Workers Comp, EDI direct or through the clearinghouse of the practices choice). It should also have the ability to do custom reporting, as required by state or federally funded agencies to account for subsidies provided to the practice or clinic. The ability to audit Medicare and Medicaid compliance from within the system for the specified practice specialty is also a plus.

The practice management system and its database should be able to integrate using HIPAA-compliant HL7 data interchange techniques (which can also be encrypted) or through a direct interface between the Electronic Medical Records (EMR) software. Other interfaces (such as PDAs or wireless terminals with an encrypted 802.11 communications protocol) could be managed in the same manner.

The system must also be flexible. Many of the HIPAA requirements, which will be effective beginning in 2003, have yet to be codified, and regulations are still being promulgated. The vendors selected should be able to demonstrate their ability to meet those requirements as they are prescribed.

On the operating system front, a single (and secure) platform such as Windows 2000 should run on servers and workstations. That reduces the need for multiple secure gateways, which need to be maintained between disparate operating system platforms. Fault tolerance and redundancy should be built into the data server environment with a managed backup plan in order to assure adequate recovery from a hardware disaster.

Off-site communications should be managed through switches and routers with both inbound and outbound communications being done through hardware firewalls, using a managed VPN with suitable security.

For a suite of systems that satisfy the above criteria, please see my shopping cart on the left.

My Solution

: Cecelia J. Hickel">

My Solution: Cecelia J. Hickel

Kiona Scientific

Before you discuss hardware and software options for this solution, you need to analyze every piece of information that needs to be stored—securely—on the system.

That includes basic office appointment schedules, record filing system and file storage, transcription services, tape recordings, medical prescriptions, and so forth. Billing and office administration is not a direct part of this process.

As a first step, identify every piece of media (papers, folders, disk drives, etc.) that you use to record patient information. That can be done by randomly pulling 10 patients records. Make this analysis as complete as possible. Be sure to estimate the amount of storage each record requires, the retention period that is legally required, and any special storage requirements, such as fireproofing. Also estimate or determine the current record management, duplication, patient release and storage costs incurred by the medical practice.

A good second step would be to begin reengineering the patient-record system. First create a test set of patient records, which reflects all of your current record types and processes, for development purposes. Then begin creating and designing the "ideal" records process. This process will include patient survey forms, patient history, therapy sessions, and doctors treatments, among other records. Then assess your current process to see how it measures up against the ideal process. That should give you a place to start for defining design changes and IT developments. Appoint or hire a person to be the technical lead and the security officer (even a small office should have a gatekeeper).

At this point, you are ready to contract a solutions provider to design and build your new system.

Setting budget constraints from the beginning is the best approach. Calculate your budget by considering your current records management expenses and implementing goals to reduce those expenses with the new system; the ultimate goal should be a 10-year ROI.

Based on your budget and the document and process statistics you have compiled in a report, you can begin seeking an RFQ.

If you dont know where to find such expertise, visit guru.com. You can also stay abreast of HIPAA developments by visiting www. hipaacomply.com. And be sure your partners work with open standards like XML.

Any real cost estimates for such a proposal cannot be determined from so little information. A gross estimate would be based on a two-year, three-person team effort for completion through testing.

Rocket Fuel