Now that the Bush Administration has decided to move forward with the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Standards issued by the Clinton Administration, I wanted to present a summary of the technology issues associated with the HIPAA standards.
Many practices have experienced "sticker shock" from the investments needed to comply with HIPAA. Hardware and software security, user tracking, and the system features required under HIPAA may call for significant changes to a practice's computer facilities.
HIPAA directly affects two significant computing issues: 1) the storage of information on computers, and 2) the transmission of electronic medical information to outside parties. For example, storing patient word processing files on an ordinary file share may pose a number of HIPAA problems, and exchanging email on care issues is another problematic area. In both cases, practices will need encryption, a way to verify the identity of the recipient or user of the information, and an effective security mechanism. As a result, HIPAA affects almost every aspect of a practice's computer infrastructure.
Hardware - HIPAA mandates certain storage and transmission safeguards that may require investments in hardware. For example, many practices still use communication devices that do not encrypt transmissions. In addition, storing HIPAA access records, audit trails, and other information may require more computing power and storage space than the current system provides. As a result, vendors may require investments in more powerful systems to run their HIPAA applications.
Software - HIPAA requires certain features that older systems do not support. For example, HIPAA regulations require controlling access to information as well as tracking who accesses it. A computer system should keep an audit log of the changes and additions made to the system, recorded by user, plus a log of which users accessed each patient record. HIPAA will also require more effective security and management tools that are not found on older products. Finally, HIPAA covers electronic transactions, such as electronic prescriptions and electronic referral authorizations, that many software products do not support. If a practice is using an older system that is no longer supported, it should expect to move to a new software product and, in many cases, a new hardware configuration to meet HIPAA requirements. For example, users of software products that have been acquired by other vendors will be faced with a decision to acquire a new product. Even if a practice's current software is supported, it may encounter significant changes to its software and hardware.
Support - Many practices lack a formal computer support structure. However, HIPAA mandates providing information on a "need to know" basis, plus monitoring and managing security. Regardless of the money spent on technology, practices will have to manage and monitor their systems and their use more actively under HIPAA. For example, HIPAA requires training staff on privacy and security issues and designating a computer security officer.
Policies - HIPAA focuses not only on the technology purchased, but on how computers are used and controlled. Even if the hardware and software comply with the HIPAA Security and Privacy Standards, practices will have to ensure compliance with specific policies and procedures. For example, a practice could be noncompliant if any employee inappropriately stores patient information on an unsecured computer.
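The software discussion above calls for an audit log of changes made by each user and of who accessed each patient record. The following is an added example, not code from the original article or from any vendor product, of what a minimal tamper-evident audit trail for such a system looks like: each entry is chained to the previous one with a SHA-256 hash, so an entry that is later edited or deleted (the first thing an insider covering tracks would try) is detected when the chain is verified. The user names, patient identifiers, event times and field names are hypothetical and constructed for the example.

```python
"""Added example: hash-chained audit trail for a practice system.

Records two kinds of events: changes made by a user (create/update/delete)
and reads of a patient record. Entries are chained by SHA-256 so that
altering or removing one is detectable. All names and sample events below
are hypothetical; nothing here is from a real product.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hash value assumed to precede the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # 1-based position in the log
    timestamp: str    # ISO-8601 string supplied by the caller (deterministic)
    user: str
    action: str       # "read" (access) or "create"/"update"/"delete" (change)
    patient_id: str
    detail: str
    prev_hash: str    # entry_hash of the previous entry, or GENESIS
    entry_hash: str   # SHA-256 over all fields above, including prev_hash


def compute_hash(seq, timestamp, user, action, patient_id, detail, prev_hash) -> str:
    """Canonical JSON of the fields, hashed; prev_hash is what links the chain."""
    payload = json.dumps(
        [seq, timestamp, user, action, patient_id, detail, prev_hash],
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    CHANGE_ACTIONS = {"create", "update", "delete"}

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, timestamp, user, action, patient_id, detail="") -> AuditEntry:
        if action != "read" and action not in self.CHANGE_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        seq = len(self.entries) + 1
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        h = compute_hash(seq, timestamp, user, action, patient_id, detail, prev)
        entry = AuditEntry(seq, timestamp, user, action, patient_id, detail, prev, h)
        self.entries.append(entry)
        return entry

    def accesses_to_patient(self, patient_id: str) -> List[AuditEntry]:
        """Every event (reads and changes) touching one patient record."""
        return [e for e in self.entries if e.patient_id == patient_id]

    def changes_by_user(self, user: str) -> List[AuditEntry]:
        """Only the additions/changes a given user made."""
        return [e for e in self.entries if e.user == user and e.action in self.CHANGE_ACTIONS]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, seq of first bad entry)."""
        prev = GENESIS
        for position, e in enumerate(self.entries, start=1):
            expected = compute_hash(e.seq, e.timestamp, e.user, e.action,
                                    e.patient_id, e.detail, e.prev_hash)
            if e.seq != position or e.prev_hash != prev or e.entry_hash != expected:
                return False, e.seq
            prev = e.entry_hash
        return True, None


def sample_log() -> AuditLog:
    """Constructed sample events (hypothetical users and patient IDs)."""
    log = AuditLog()
    log.record("2001-04-02T08:15:00", "jsmith", "read", "P-1001", "viewed chart")
    log.record("2001-04-02T08:20:00", "jsmith", "update", "P-1001", "added progress note")
    log.record("2001-04-02T09:05:00", "mlee", "read", "P-1001", "viewed lab results")
    log.record("2001-04-02T09:30:00", "mlee", "create", "P-1002", "new patient registered")
    log.record("2001-04-02T10:00:00", "tnguyen", "read", "P-1002", "scheduling lookup")
    return log


def tampered_copy(log: AuditLog, seq: int) -> AuditLog:
    """Copy of the log in which entry `seq` has its detail silently edited."""
    copy = AuditLog()
    for e in log.entries:
        copy.entries.append(replace(e, detail="(altered)") if e.seq == seq else e)
    return copy


def deleted_copy(log: AuditLog, seq: int) -> AuditLog:
    """Copy of the log in which entry `seq` has been removed outright."""
    copy = AuditLog()
    copy.entries = [e for e in log.entries if e.seq != seq]
    return copy


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())
    print("who touched P-1001:", [(e.user, e.action) for e in log.accesses_to_patient("P-1001")])
    print("changes by mlee:", [e.detail for e in log.changes_by_user("mlee")])
    print("after editing entry 2:", tampered_copy(log, 2).verify())
    print("after deleting entry 3:", deleted_copy(log, 3).verify())
```

The two query functions answer the questions a privacy complaint or an auditor raises ("who looked at this patient's record?" and "what did this user change?"), and verify() is the check to run before trusting the answers. In a real deployment the chain head would be copied periodically to a location the system's own administrators cannot write, since a hash chain alone only proves that the log was not altered after the last point you recorded its head.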
Depending on your viewpoint, the HIPAA regulations may be a bothersome intrusion on a practice, or a significant step in allowing practices to take advantage of computers to improve services to patients. Either way, you will need to ensure that you are compliant with the various HIPAA standards to protect your practice from government penalties, sanctions by your business partners, and complaints from patients.
IMPLICATIONS OF HIPAA
The actual effort of complying with HIPAA will be a challenge for most practices. The scope of the requirements and the effects they will have on practices should be seriously reviewed and considered as you move forward with your practice and computer planning.
We recommend the following actions.
- Practices should inventory their current computer systems to help specify and define the scope of their HIPAA needs. Beyond practice management systems, practices should be careful to identify every system where identifiable patient information may be stored. Examples include transcription documents stored in word processing directories and patient information stored in contact management software (e.g., ACT or Goldmine).
- Once the systems have been inventoried, the practice should perform the following tasks.
- Evaluate the HIPAA readiness of current systems. You may contact the vendor and/or obtain the opinion of an independent party. Be careful to determine both the capability of the current system and the vendor's intent to support HIPAA requirements. A vendor's intent should be judged by the changes it actually makes to the product, not only by what it proposes to do. Be especially wary of products that probably cannot be upgraded to HIPAA compliance, such as products with old technology bases, products whose companies have been acquired, and products with declining user bases.
- Make sure that you get written representations of the vendor's intent. If your vendor has not upgraded its product to deal with HIPAA issues, a written document may provide some relief from challenges by your business partners or regulators should the practice end up in a last-minute scramble to meet the standards. For example, some practices have encountered serious problems with medical record storage and have gotten relief by demonstrating their good-faith efforts.
- The practice should monitor the vendor's effort along with its implications for the practice. Be especially careful with products based on older technologies that need to be upgraded but, as a practical matter, will not be changed. In other cases, the changes may require new hardware and software, as well as a complete data conversion effort and a retraining program. Such a project may rival the cost and effort of acquiring a new system.
- HIPAA includes a variety of procedural and policy issues that must be addressed regardless of the sophistication and expense of the computer system. Contingency plans, access policies, security management, training, etc. are all components of a HIPAA plan. On the positive side, HIPAA does establish a standard the practice can rely on to ensure that it is adequately protecting and administering its computer-based information. The practice should evaluate its operational, procedural, and policy issues in light of the HIPAA standards.
- Since HIPAA involves not only the computers used, but also the procedures and policies the practice uses to manage them, practices should complete and maintain the following steps to meet HIPAA compliance requirements:
- HIPAA requires that the practice designate a security officer responsible for the information on its computers. Since few practices have a staff person with adequate training, a practice could develop such skills by training existing employees, or by modifying the next position it fills so as to hire someone who can serve as the security officer.
- HIPAA requires written procedures and the training of employees on those procedures. Many practices have outdated written procedures, while others lack written procedures entirely. Practices should develop documented procedures, including the office workflow around the computer systems, and practice policies that empower and enforce that workflow.
- HIPAA requires staff training on HIPAA compliance and procedures. The practice should establish a staged approach that addresses continuing training of current employees as well as a standard program for new employees.
There is no question that HIPAA affects the way practices use and maintain computers. Therefore, practices should carefully consider how they can maintain their systems, procedures and operations to comply with these standards. Otherwise, a practice could end up risking sanctions from the other health care organizations it depends on for its own success.