Ten steps to effective HIPAA implementation
Now that the Bush administration has dashed hopes of a further delay in implementing the final privacy regulations, the question for hospitals is what steps they can take to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in its current form. A team of attorneys from the national firm Davis Wright Tremaine (DWT) suggests a 10-point implementation program.
The DWT attorneys warn that hospitals must view HIPAA in its entirety. Unless the final transaction standards released last summer are modified or delayed, most health care providers will be required to use these standards beginning October 2002. "The transaction standards are at the heart of HIPAA's administrative simplification provisions," says DWT attorney Richard Marks. From a practical viewpoint, these standards can be implemented without the supporting privacy and security regulations, he adds.
The same cannot be said of the security regulations, however. Those regulations originally were expected to be released along with the privacy regulations. If final security regulations do not emerge shortly, that could delay implementation of the privacy standards because the sets of standards are so intertwined, says Marks.
Regardless of that timetable, Marks and his colleagues say hospitals should take the following basic steps to become HIPAA-compliant:
1. Envision what your security systems will be like after the transition to electronic data interchange. DWT attorney Kathy Fritz points out that there already is abundant detail about the security requirement in the statute itself. "Regardless of the implementation date for the regulations, the statute addresses security issues more than it does privacy," she explains.
2. Make policy elections. Fritz says hospitals must decide whether to operate as a single covered entity, an organized health care arrangement, or a hybrid organization. They can also establish business associate contracts for certain tasks.
According to Fritz, it is often difficult to determine if certain entities should be considered a health care clearinghouse or a business associate. "In some instances, there are third-party administrators that could potentially fall under both [definitions]," she explains. Business associate agreements may turn out to be more common among smaller hospitals that do not include certain entities as part of their system, such as a billing component, she adds.
3. Begin initial security analyses including "gap analyses," where appropriate. Fritz says a gap analysis basically is an audit of processes and procedures that helps focus the hospital’s overall effort. Some hospitals may perform an analysis and find that it already meets the regulations for security or privacy and confidentiality of medical records. "It may be that you don’t need to change that system," she explains, "but it is a due-diligence process that helps to focus resources."
4. Begin clinical and business process redesign and draft security and privacy policies. According to DWT attorney Rebecca Williams, these legal and operational documents will feature prominently in any litigation concerning security or privacy lapses. While it may be human nature to deal with one portion of HIPAA at a time, she says hospitals must view all of HIPAA together with state laws and other laws designated by HHS. "Federal laws will continue to apply," she warns. "When you are drafting your policies, you must look at that full universe."
5. Begin audit trail design. Williams says hospitals should avoid audit trail systems that create too much information for timely review. "Get to know your own organization and start following the information flow," she explains. Williams says some hospitals have found this a very "eye-opening" process because initially they were confident that they understood the information flow. What they often found, she says, is that everything from a doctor’s laptop computer to dictation services and sign-in sheets at physician offices can violate the new rules.
6. Think about training needs. Plan ahead to involve people at the beginning so they can help establish the system and identify training needs, Fritz recommends. Do this in accordance with the size of the organization and the complexity of the structure. Getting buy-in from employees who use the system every day is the key, she argues. While HIPAA allows smaller institutions to have less-formalized programs, some type of structure to document compliance is required.
7. Consider the impact of other laws, such as those concerning electronic signatures and electronic transactions. "Different states have different rules," says DWT attorney Tom Jeffry, noting by way of example that California’s extensive privacy rules are far more stringent than HIPAA. Providers must determine which laws will be pre-empted on a state-by-state basis. "A lot of states have gone on the medical privacy bandwagon," he warns. Several of them, including Texas, recently passed more rigorous laws.
8. Include appropriate HIPAA considerations in vendor negotiations. Jeffry says contracts must go through the appropriate review process to make sure nothing violates existing regulations. Part of that contract review must address appropriate safeguards for receiving or transmitting private health information.
9. Assess the budget impact of HIPAA-mandated changes early. Jeffry warns that only a minority of hospitals have budgeted money for HIPAA compliance. He adds that many hospitals now are working on their budget process for FY 2002. "You must have the attention of the CFO to make certain there is something in that budget to begin implementation," he asserts.
10. Initiate the basic steps to start your organization’s thinking about how it will become HIPAA-compliant. Williams says there are numerous steps that can be taken immediately. "HIPAA is only going to work if it is top-down," she warns. "You have to get management buy-in because it is not only an information systems issue." She says hospitals should develop a HIPAA committee task force that includes representatives from all departments that have access to individually identifiable information.
All of these steps can be accomplished economically, Marks says, and they should remain useful even if some of the HIPAA compliance deadlines are extended or the privacy rules are modified.