HIPAA: Don’t Wait to Be Compliant
Over the past few years, the seriousness of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has crept into every aspect of the American health care industry. Not only does the industry have to be careful with a patient’s health information and protect it from improper use or disclosure, but it also has to worry about potentially serious civil and criminal penalties for non-compliance. While this far-reaching law is scalable to meet the needs of both the patient and the health care industry, its implementation has been anything but smooth. There have been three predominant methods of achieving HIPAA compliance.
The earliest approach can best be described as the “Chicken Little: The HIPAA Is Falling!” approach. HIPAA would be the death of American health care. A common, early overreaction was, “Lock up the doors and start looking for a new career.” The law was still in the development stage, and lots of FUDD (fear, uncertainty, doubt and disinformation) was spreading like juicy gossip on a slow summer afternoon. Facilities began making plans for major renovations and huge software upgrades. Some of these early HIPAA compliance plans made hospitals look more like minimum-security prisons than places of healing and care. Fortunately, the Department of Health and Human Services went to great lengths to provide an adequate source of reliable information.
The next approach to surface was to more or less “Wait Out the HIPAA Storm.” With rumors and conflicting information showing up almost daily, many providers chose to wait and see what actually got decided and became final. During this time, many in the health care industry began making gradual adjustments to how they did business. They attended seminars and made use of the growing number of HIPAA publications that were beginning to show up online and at their local bookstores. By taking HIPAA one step at a time, many health care providers have been able to adapt to the new requirements without dramatically altering how they do business in one huge leap.
The final approach is frighteningly common. It is born of the idea that the government has no idea what it really wants: “We’ll Do It When They Show Up.” With conflicting information abounding, it is easy to see why many would take this approach. Just wait until all the dust has settled, and when a “HIPAA cop” shows up, fix whatever they say is broken. Needless to say, this is a very dangerous and expensive method of achieving compliance. If you have taken this approach, you need to get busy immediately. The Privacy Act became enforceable on April 14, 2003, and the Transactions and Code Sets on Oct. 16, 2003. The Security Act becomes enforceable on April 21, 2005. Like it or not, HIPAA is here to stay.
There is an old axiom of project management that goes, “Plan Your Work and Work Your Plan.” For HIPAA, add just a few more words: “Write It Down.” While there are numerous generic HIPAA policy and procedure manuals available today, they are designed to fit any condition. Time and thought will be needed to mold the required policy and procedure manual to meet your unique needs. Take advantage of the fact that HIPAA was designed to be scalable. This means that a small private dentist office does not have to meet the same standards a major hospital may wish to enforce. Both must meet the minimum baselines as set by HIPAA; how they do this must be part of their policies and procedures. It is not enough just to have a policies and procedures manual. Your people must understand the “whys” of the policies and what is expected of them.
Right now you are wondering, “What does this have to do with the IT industry?” For those of you still suffering from the lackluster IT economy, there are now numerous opportunities opening up for you in health care if you know HIPAA. It is bringing the computer with all its advantages and drawbacks to an industry that has a long way to go before it achieves computer literacy throughout its ranks.
The health care industry touches each and every one of us in some way. Either you are or will be a patient, or your company does business with the health care industry or wants to. Software development, training, consulting, telecommunications, engineering, project management, risk management, computer supply, repair and more now all have a clearly defined set of regulations that opens the door to business development with the health care industry. Simply put, sooner or later, personally or professionally, you will have to deal with HIPAA.
Allan F. Gilbreath is the author of the books “HIPAA Security Technology Compliance: Developing and Deploying an Action Plan” (McGraw-Hill/Osborne, April 2004) and “HIPAA In Daily Practice” (Kerlak Publishing, April 2003). Allan is a HIPAA compliance officer and technical trainer. He was one of the first to offer training on the federal HIPAA legislation.