E-commerce efforts are best HIPAA payback 

Start with enterprisewide team 

Health care organizations that have not yet developed a strategy for complying with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 should start by establishing a HIPAA task force with an enterprisewide focus, suggests Julie J. Welch, MBA, RHIA, a Chicago-based consultant with Cap Gemini Ernst & Young. Keeping in mind the areas of e-commerce, technology, processes, and policy, Welch says, consider taking these steps: 

Perform an assessment of readiness. This means reviewing existing policies, procedures, and technology and comparing them to the HIPAA requirements to see where the gaps are and what you need to do to bridge them. Some organizations are engaging consulting firms or hiring a HIPAA expert to help in this process.

Develop and deliver a HIPAA awareness program. Bring staff up to speed. Raise their level of understanding by educating them on what HIPAA is and what areas it touches within the organization. Distribute a HIPAA overview and facts on its history, and provide an educational session.

Establish budgeted resources and dollars. The Wall Street Journal has estimated that HIPAA compliance could cost the nation’s hospitals two or three times the $8 billion that Y2K preparations set them back, Welch points out. The Aug. 17, 2000, Federal Register (65:160) estimates that the average cost per hospital just for upgrading software to translate and communicate standardized claims forms will be $250,000 for 2002, she adds. That doesn’t include costs associated with privacy and security. Health care providers pondering their huge investment, Welch suggests, might want to look at the e-commerce aspects of HIPAA implementation as a way to get a tangible return on that investment. With the privacy regulations, for example, there’s no benefit for going beyond basic compliance, she notes. But the electronic data interchange part of HIPAA, Welch says, offers opportunities for progressing to electronic medical records, and for implementing billing methods heretofore used only by the banking and credit card industries. Consider having patients pay their bills through a web site, for instance, or step into a paperless environment for patient accounting. 

Develop a plan for action including infrastructure changes and resource needs. This includes, among other things, the technology involved in sending claims information out into the world while meeting HIPAA requirements — items such as firewalls for computer systems. It also covers physical changes that might be needed to ensure privacy while registrations are conducted, and ensuring that information systems and data are safeguarded from unauthorized access. It might be necessary, for example, not only to institute electronic signatures for computer access, Welch notes, but also to run an audit to see who’s accessing what.

Look it up 

For individuals interested in educating themselves about HIPAA, Welch recommends these resources: 

• A web site where you can obtain copies of the final rules from the Federal Register: aspe.os.dhhs.gov/admnsimp. It contains the posting of laws, processes, regulations, and comments. 

• A listserv from which you can receive e-mail notification when new regulations are released. To subscribe, send an e-mail to listserv@list.nih.gov. Include your name and the phrase "subscribe HIPAA regs" in the body of the message.