RFP Showdown: September 10, 2001


The Problem

A 10-person psychiatric practice needs to make its medical records HIPAA compliant by April 2003, according to new government mandates (see www.hipaacomply.com). The company needs a HIPAA-compliant server that stores medical records and can synchronize with a local hospital's system. Moreover, doctors must be able to access the server from wireless handheld computers and dial-up systems. Please make your recommendations.

My Solution: William Young
As per the RFP, my HIPAA-compliant solution provides flexibility for the maintenance, retrieval and secure transmission of patient-information records between the psychiatric practice and authorized recipients.

Let's start with software. Here, a secure practice management system will retain demographics, insurance and billing information. It also will manage patient scheduling and will integrate with a secure back-end database (in this case, Microsoft's SQL Server 2000).

The Electronic Data Interchange (EDI) components should be HIPAA compliant with regard to filing formats and transmission protocols, enabling transmission over evolving methods—including dial-up modem, secure ftp, VPN or encrypted http.

The practice management system should be able to address all required billing formats (such as HCFA, UB92, Workers' Comp, EDI direct or through the clearinghouse of the practice's choice). It should also have the ability to do custom reporting, as required by state or federally funded agencies, to account for subsidies provided to the practice or clinic. The ability to audit Medicare and Medicaid compliance from within the system for the specified practice specialty is also a plus.

The practice management system and its database should be able to integrate using HIPAA-compliant HL7 data interchange techniques (which can also be encrypted) or through a direct interface with the Electronic Medical Records (EMR) software. Other interfaces (such as PDAs or wireless terminals using an encrypted 802.11 communications protocol) could be managed in the same manner.
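To make the HL7 interchange point concrete, here is an added example (not code from the original article or from any vendor it mentions) that parses a constructed HL7 v2.3 ADT message, exposes only the fields each role in the practice needs (a "minimum necessary" view, so the scheduler never sees a diagnosis), and attaches an HMAC-SHA256 tag so the receiving system can detect tampering in transit. The message content, the role table and the shared key are assumptions made for the example; a real deployment would pair the tag with the transport encryption the text describes.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample HL7 v2.3 ADT^A04 (register patient) message with fictitious data.
# Segments end in \r; fields are split by |, components by ^.
SAMPLE_HL7 = (
    "MSH|^~\\&|PRACTICE_PM|PSYCH_CLINIC|HOSP_HIS|LOCAL_HOSPITAL|20010910120000||ADT^A04|MSG00001|P|2.3\r"
    "EVN|A04|20010910120000\r"
    "PID|1||MRN12345^^^PSYCH_CLINIC^MR||DOE^JANE^A||19700101|F|||123 MAIN ST^^ANYTOWN^NY^10001"
    "||(555)555-0100||||||000-00-0000\r"
    "PV1|1|O|CLINIC^ROOM1||||1234^SMITH^JOHN^^^DR|||PSY\r"
    "DG1|1|I9|296.22^MAJOR DEPRESSIVE DISORDER^I9|||A\r"
)

# Hypothetical shared secret; in practice this would come from a key store, never source code.
SHARED_KEY = b"example-key-do-not-use"

# Which fields each role may see: name -> (segment, field number, optional component number).
ROLE_FIELDS: Dict[str, Dict[str, Tuple[str, int, Optional[int]]]] = {
    "scheduler": {"mrn": ("PID", 3, 1), "name": ("PID", 5, None), "phone": ("PID", 13, None)},
    "billing": {"mrn": ("PID", 3, 1), "name": ("PID", 5, None), "dob": ("PID", 7, None),
                "address": ("PID", 11, None), "dx_code": ("DG1", 3, 1)},
    "clinician": {"mrn": ("PID", 3, 1), "name": ("PID", 5, None), "dob": ("PID", 7, None),
                  "dx_code": ("DG1", 3, 1), "diagnosis": ("DG1", 3, 2),
                  "attending": ("PV1", 7, 2)},
}


def parse_hl7(message: str) -> List[Dict]:
    """Split an HL7 v2 message into segments; SEG-n is fields[n-1] for every segment."""
    segments = []
    for raw in message.strip("\r\n").split("\r"):
        if not raw:
            continue
        parts = raw.split("|")
        name = parts[0]
        # MSH-1 is the field separator itself, so prepend it to keep numbering uniform.
        fields = ["|"] + parts[1:] if name == "MSH" else parts[1:]
        segments.append({"name": name, "fields": fields})
    return segments


def field(segments: List[Dict], seg_name: str, n: int, component: Optional[int] = None) -> str:
    """Return SEG-n (or component SEG-n.c) from the first matching segment, '' if absent."""
    for seg in segments:
        if seg["name"] != seg_name:
            continue
        fields = seg["fields"]
        value = fields[n - 1] if n - 1 < len(fields) else ""
        if component is None:
            return value
        comps = value.split("^")
        return comps[component - 1] if component - 1 < len(comps) else ""
    return ""


def view_for_role(message: str, role: str) -> Dict[str, str]:
    """Build the minimum-necessary view of a message for a role; unknown roles get nothing."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no field policy defined for role {role!r}")
    segments = parse_hl7(message)
    return {label: field(segments, seg, n, comp)
            for label, (seg, n, comp) in ROLE_FIELDS[role].items()}


def sign_message(message: str, key: bytes) -> str:
    """HMAC-SHA256 over the raw message bytes, sent alongside the message."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_message(message: str, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(sign_message(message, key), tag)


if __name__ == "__main__":
    tag = sign_message(SAMPLE_HL7, SHARED_KEY)
    print("control id:", field(parse_hl7(SAMPLE_HL7), "MSH", 10))
    for r in ROLE_FIELDS:
        print(r, view_for_role(SAMPLE_HL7, r))
    print("intact:", verify_message(SAMPLE_HL7, SHARED_KEY, tag))
    print("tampered:", verify_message(SAMPLE_HL7.replace("296.22", "300.02"), SHARED_KEY, tag))
```

The role table is the policy decision the practice and its vendors would have to agree on; the parser and the integrity tag are the mechanical parts. Note that the SSN in PID-19 is never exposed by any role, and that altering a single diagnosis code fails verification.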

The system must also be flexible. Many of the HIPAA requirements, which will be effective beginning in 2003, have yet to be codified, and regulations are still being promulgated. The vendors selected should be able to demonstrate their ability to meet those requirements as they are prescribed.

On the operating system front, a single (and secure) platform such as Windows 2000 should run on servers and workstations. That reduces the need for multiple secure gateways, which would otherwise have to be maintained between disparate operating system platforms. Fault tolerance and redundancy should be built into the data server environment, with a managed backup plan to ensure adequate recovery from a hardware disaster.

Off-site communications should be managed through switches and routers, with all inbound and outbound traffic passing through hardware firewalls and a managed VPN with suitable security.

For a suite of systems that satisfy the above criteria, please see my shopping cart on the left.