HIPAA If you�ve been to

by francine Hardaway on August 6, 2003

If you�ve been to the doctor since April, you have encountered HIPAA, the biggest thing to hit businesses since Y2K. The doctor�s office probably gave you a form to sign, and neither you nor the office person understood what was in it or why you were getting it.

Originally enacted as legislation to allow patients who change jobs to carry their health insurance with them, HIPAA has come a long way from its original intent, and now serves as a little-understood burden to both doctor and patient. In a system as broken as the US health care system, HIPAA is just another ill-fitting part.

What does it mean to the IT Professional? To the Health Care Provider? Well, to the IT professional it is the only place there is still dependable work, because putting insurance portability in action means making records electronic, securing them, and standardizing them. That�s a big job, and if you think it�s done, you�re an optimist.

HIPAA security rules, which are supposed to prevent unauthorized access, alteration, and destruction of data, don�t even take effect until 2005. There are three general areas of rules:
1)administrative safeguards for managers, such as workforce training, appointment of a security manager, and contingency plans in case something happens to the data;
2)physical security, workstation security and rules for disposing of old equipment; and
3)technical safeguards
The reason security rules haven�t taken effect is that privacy rules were tough enough to implement, and the national code of minimum standards for confidentiality for payers and providers Went into effect April 14, 2003. These rules, which consumed all the mindshare, involved such things as what happens when you are subpoenaed?
How much of a patient�s information do you communicate with payors? How do we figure out whether a state�s (typically) more stringent privacy rules take precedence over federal HIPAA privacy rules.

There are major opportunities for the software industry in these regulations: the software industry could be helpful by building an application to sort through these rules, with algorithms and decision trees for people confronted by search warrants and subpoenas. It could also help build security solutions that scale and are affordable for to both a small practice and the largest providers.

The third major set of rules deals with standardized transaction and code sets, which is how the doctors and hospitals get paid electronically by insurance companies and Medicare. These codes change every year, and thus have been offloaded by many medical practices to medical data clearinghouses, which take non-standard data and translate it into language a claims processor will pay from.

But in the long run, offloading to a clearing house is not a cost effective solution for most providers, who will be looking for a magic pill from a vendor for a process they don�t fully understand and don�t *want* to understand. But there is no magic pill, only websites from standards bodies (WEDISNIP.org, SAN.org) for guidance and white papers.

E-health care transaction set rules are all standardized now. There are ten standard transaction sets, and by 10/16/2003 every medical practice has to have software with those transaction sets. That software has to be created, and has to be affordable. If anyone is wondering why doctors aren�t trying out new workflow software, it�s because all the loose cash is going for this stuff. Providers are terrified that they won�t get paid if they don�t have the right software.

For all health care organizations, HIPAA is an enterprise-level problem, beginning with the questions where does my information reside and who needs access? Once the data is classified (sensitive, strategic, public, protected), organizations can be empowered later to practice good security, like giving staff only minimal access to private information, and only when they need it. HIPAA also requires training and education � understanding about what is and isn�t private health information.

All this somehow has to key into all the other trends hitting the public, like electronic medical records, wi-fi, handhelds and tablet PCs, and so on. It has to include provisioning and de-provisioning people who come and go in medical offices, as well as the �extended organization.� No longer can the password to the computer in the nursing station be �nurse,� or �guest� so the doctor can get on it.

In all of this, whatever happened to the patient? Well, the patient got certain inalienable rights(that he thought he had all along): the right to have access to his own record; the right, in certain cases, to amend his own record; and the right to receive an accounting in writing of disclosures.

By the way, no software does this yet, and there�s a real need for a product that tracks automatic disclosures and integrates them with subpoenas. Are we having fun yet?

Leave a Comment

Previous post:

Next post: