How to implement HIPAA without breaking the bank
Lessons learned from one health care organization
Thinking creatively, but not expensively, is the key to meeting HIPAA requirements with a limited budget, according to Maria Woods, vice president for compliance and regulatory affairs at Saint Vincent Catholic Medical Centers (SVCMC) of New York, who spoke at the Ninth Annual HIPAA Summit in September.
Woods said her organization includes eight hospitals, four nursing homes, and home care, hospice, and other units. Implementing HIPAA across such an array of facilities required a core team of two people from the compliance department and two from information systems. Overall coordination of the effort came from joint compliance/information systems leadership, joined by regionally based individuals who were responsible for helping to coordinate awareness, education, data collection, and compliance in the individual remote facilities.
"HIPAA awareness and compliance needed to be integrated into the SVCMC culture so that it became a way of life," Woods said.
SVCMC’s first HIPAA presentation came in December 2000, and the internal organization got its first dedicated budget in the 2003 calendar year. For privacy implementation, Woods reported, it was important to "triage the patient," determining what needed to be corrected immediately. Important steps included HIPAA awareness, electronic data interchange (EDI), authorization, business associates, policies, and notice of privacy practices.
"Make friends with information systems," Woods told attendees. "Set realistic goals and deadlines, and be honest about your own weaknesses. Review the HIPAA schedule and determine what you can realistically achieve."
Those responsible for HIPAA implementation need to become HIPAA experts, she said, by reading as much about the subject as possible, joining a support group ("misery loves company"), getting involved in Joint Commission activities, bringing in others from within the organization with specialized skills, and determining if outside help is needed. "The best way to increase HIPAA awareness is to make privacy everyone’s responsibility," according to Woods. "Use free labor in your organization. Find out who is already working in things involving privacy."
To put its privacy gap analysis on a fast track, SVCMC made directors and managers responsible for privacy and security questionnaires without a formal interview process and gave the HIPAA office responsibility for drafting needed policies. By April 2003, policies had been established, on-line training for essential personnel was complete, EDI testing had begun, and HIPAA forms such as authorizations had been completed, translated, and implemented.
When the October 2003 deadline hit, all SVCMC personnel had been HIPAA trained, the system was EDI compliant, old policies had been pulled or re-drafted, the business associates process had been completed, and the system privacy office was fully functional.
Moving on to compliance with security requirements, Woods said it is important to "stay focused on the issues and not on the new [technology] toys." Rather than just plugging gaps, she said, facilities should use security goals of confidentiality, integrity, and availability as guides to stay focused.
With a healthy dose of group therapy for all involved, Woods said, SVCMC’s security approach involved leadership support, evaluating what was already available and identifying needs and possible threats, evaluating the system’s score, fixing problems that were found, reevaluating the risk, documenting everything, and staying alert. "Privacy and security can tag team," she said. "Couple your risk analysis with your privacy monitoring and look at instances where security initiatives impact privacy."
Woods listed seven rules for those working on HIPAA implementation on a tight budget: 1) money for education is never wasted; 2) use consultant cash wisely; 3) there is only one captain of any ship, but every captain needs a crew; 4) KISS (keep it simple, stupid); 5) change is good, change is your friend; 6) don’t be afraid to show what you don’t know; and 7) play nicely with others.