The trusted source for
healthcare information and
Quality managers wondering what effect the extended comment period on the final privacy regulations will have on their planning should not take any false comfort. Tommy Thompson, Department of Health and Human Services (HHS) secretary, told hospital executives last month that while HHS wants a thorough review to examine the potential for unintended consequences, it remains committed to implementing the rule as mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Senior HHS officials responsible for crafting the mammoth privacy regulation currently are restricted from answering any questions about what effect a 30-day public comment period might have on the final shape of the regulation, much less speculating on what specific changes may be in store. In the meantime, experts say quality managers should continue their planning to comply with the new law. One way to prepare for the sweeping new mandates is to apply the lessons of Y2K to HIPAA, according to Alton Brantley, vice president and chief information officer for MedStar Health, an integrated health care system based in Baltimore.
Brantley reports that it took five years for MedStar to develop its plan for dealing with the Y2K challenge. But even though hospitals have far less time to get ready for HIPAA, he advises them to apply the following lessons of Y2K to the coming HIPAA challenge:
• Be neither first nor last. Brantley warns that hospitals that aim to be the first to become HIPAA-compliant will either do too much or too little and sometimes will wander into blind alleys. In the case of Y2K, those who started last benefited from the experience of others, but not without significant stress. Meanwhile, those who tried to lead the pack sometimes expended wasted energy, he says.
• The "hard stuff" is not out-tasked. In preparing for Y2K, Brantley reports that consultants often claimed they could effectively manage the most difficult tasks. But as those consultants began to realize they had legal liability for the work they performed, they began to temper those claims. "Ultimately, consultants ended up doing mostly well-defined, well-focused activities," he says.
• Best practices are moving targets. Brantley says the initial work plan for Y2K called for replacing entire systems. "But most of us found that we could not afford to do that," he reports. "We could not afford the time, and our people could not tolerate the pain."
• Consultants and lawyers saw opportunities that did not materialize. Brantley says he typically received three to five phone calls per day from vendors, consultants, and legal firms offering to help solve the Y2K problem. "I listened to all of them, but I also took it all with a grain of salt," he says. "There was a very aggressive approach, but we realized that it didn’t pan out."
• Don’t build the plan around the consultants. According to Brantley, consultants can be very important and can offer valuable external advice, including benchmarking perspectives. "But ultimately, consultants are not accountable," he cautions. "You have full accountability, and you are going to have to manage consultants and other outside resources."
• It’s not over until it’s over. Brantley reports that MedStar was still working on Y2K well after January 2000. "With regard to HIPAA, you have to realize that it’s not over until it’s over," he asserts. "New regulations are going to continue to come out, and new issues are going to continue to surface, and we are going to be at this for a considerable period of time."
• If you do it right, it looks easy. According to Brantley, most of MedStar’s staff now believe that Y2K was not an enormous effort because it was accomplished successfully. "Only those of us who worked in the trenches and behind the lines down in the boiler rooms making Y2K work know the endless energy we expended on it," he remarks.
Brantley says the biggest challenge presented by HIPAA is the process of continuous change. "Change management is not a technology, and it is not regulatory; it is cultural." Human beings can absorb only so much new information, he warns. "They can only change so fast without being error-prone themselves."