Striving for HIPAA Compliance?

Posted by Cliff on Mon Oct 21, 2002 05:12 PM
from the forcibly-changing-the-way-you-work dept.
krisguy asks: "As an Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or be forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA with this article, which concerned itself with Windows 2000 and HIPAA issues. For those who have already jumped through the hoops that represent HIPAA compliance on a general basis, what did you have to ensure was done?
  • Why not try this? (Score:5, Informative)

    by demonlapin (527802) on Monday October 21 2002, @05:16PM (#4499601) Homepage Journal
    Although it's another side of health care, why not take a look at the AMA's [ama-assn.org] page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.
    • Re:Why not try this? (Score:4, Informative)

      by blake182 (619410) on Monday October 21 2002, @05:50PM (#4499864)

      In general, it is a difficult problem to say "we need to be HIPAA-compliant". It generally needs to break down to finding all of the points where healthcare information flows outside the organization, and then protecting that information.

      From the standpoint of email, there was a great amount of effort put into this in 2001. Check out this press release [hipaadvisory.com] which summarizes the effort. Basically, there was a group of email vendors led by the Massachusetts Health Data Consortium (MHDC) that got together and standardized a method of doing server to server encryption of email. This effort is currently an Internet Draft, draft-ramsdell-enc-smime-gateway [ietf.org], and it will actually be moved to the IETF-SMIME working group in time for the next meeting. It is basically a profile of the DOMSEC effort, which is in turn a profile of S/MIME. I participated in this effort on behalf of Tumbleweed, and at the end of it all, the products were all working together, and I am a co-author and editor of the draft.

      The bottom line is that there exist commercially available solutions from multiple vendors which satisfy the HIPAA requirements for secure email, which is most likely a large part of your charge. These products are generally usable in a "gateway" configuration where they can be placed next to an existing mail server to automatically encrypt / decrypt mail according to policy. Further, this effort is being discussed and documented in the IETF so that new implementations can be created.

    • I hate it when this happens. by twitter (Score:2) Monday October 21 2002, @07:46PM
  • Misleading... (Score:5, Funny)

    by httpamphibio.us (579491) on Monday October 21 2002, @05:19PM (#4499616)
    I thought this was about some new car club for cool people.
  • Don't just tell them... (Score:5, Insightful)

    by SaturnTim (445813) on Monday October 21 2002, @05:19PM (#4499622) Homepage
    Don't just tell them you will fire them; actually fire a couple. The rest shape up real quick.

    When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.

    --ST
  • by fishbowl (7759) <jmcgill.email@arizona@edu> on Monday October 21 2002, @05:19PM (#4499623)
    You need the authority to say "you will follow these procedures, or you will work elsewhere; preferably in another industry."

    Until you have THAT authority, you do not really have the job that you think you have.

    • Re:How can you do this job without authority? by karlm (Score:3) Monday October 21 2002, @05:49PM
    • Re:How can you do this job without authority? by malfunct (Score:1) Monday October 21 2002, @05:53PM
    • by ESarge (140214) on Monday October 21 2002, @06:09PM (#4500017)
      Apply standard change management advice.
      If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).

      The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.

      Things to do:
      Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
      Give them chances to ask questions and modify what you do. People are happier to sign on to things if they feel they've got some input into it.

      Work on the IT side and get it working pretty well. Create detailed, clear, easy step-by-step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.

      Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)

      I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
      If there's something you can do to fix their problem then do that. There may be technical things you can do that will get them to do it right.
      If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
      If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.
    • Re:How can you do this job without authority? by aquarian (Score:2) Monday October 21 2002, @07:42PM
  • Do these guys care? by Dirtside (Score:1) Monday October 21 2002, @05:21PM
    • from the forcibly-changing-the-way-you-work dept. by teamhasnoi (Score:2) Monday October 21 2002, @05:34PM
    • For Christ's sake (Score:4, Insightful)

      I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.

      But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.

      C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.

      Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.

      ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.

  • HIPAA by Anonymous Coward (Score:1) Monday October 21 2002, @05:22PM
  • Actual implementation not clear cut. (Score:5, Insightful)

    by PIPBoy3000 (619296) on Monday October 21 2002, @05:24PM (#4499667)
    I'm a web/database developer in a large healthcare organization, and the phrase "HIPAA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.

    For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?

    Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.
  • Tell The Truth by Anonymous Coward (Score:2) Monday October 21 2002, @05:24PM
  • HIPAA's goodness (Score:5, Interesting)

    by fean (212516) on Monday October 21 2002, @05:25PM (#4499671) Homepage
    I currently have 3 separate jobs (I'm a college student), and each one is affected by HIPAA in different ways... one is a branch of an insurance company, where I'm sure eventually all of our inter-company emails will have to be encrypted, regardless of content, and we'll be very limited on what we can actually talk about on the phone (I'm in the phone cube all day)

    the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)

    for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.

    all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...
    • Re:HIPAA's goodness (Score:4, Insightful)

      by GigsVT (208848) on Monday October 21 2002, @05:43PM (#4499810) Journal
      Security's a bitch, get over it.

      Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.

      I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routinely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.
    • HIPAA dictates screen savers? by mgkimsal2 (Score:2) Monday October 21 2002, @06:27PM
  • Since you work with oxygen, I would suggest making it worth their while by giving those who comply with your procedures a small bottle of the 'good stuff' to suck on at their desk.

    You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.

  • HIPAA compliance (Score:3, Interesting)

    by ThoreauHD (213527) on Monday October 21 2002, @05:27PM (#4499700)
    HIPAA is being sorted through at my place of work, which happens to be a hospital. We are basically turning our MS shop into a Citrix shop due to the impossibility of configuring thousands of computers at the user level.

    We use ICA protocol with 128 bit encryption and rotating passwords.. but with all of the applications that one employee has to access, it's becoming a major breaking point remembering all of the passwords.

    The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the ridiculous to get work done for people whose skillsets are RNs or MDs. MDs tend to be more technically adept (aka AOL), but the rest are hapless technoweenies (to quote a cheesy movie).

    Things are moving toward HTTP browser-based access and terminal-serviced applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.

    As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinXP SP1 is a HIPAA violation or if MS will sue us next week cause they aren't making their stock margins.

    And after all of this, we will have some work cut out for us(not much)- but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east/west. If the government can't do it, then I surely can. And so, there you have it.
  • BS7799 and ISO9000/1 (Score:3, Insightful)

    by tezza (539307) on Monday October 21 2002, @05:30PM (#4499719)
    I was a developer at a Medical IT firm in London. We went through the process of BS7799 and ISO 9000/1.

    BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.

    Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.

    Read Peopleware [dorsethouse.com] under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.

  • "You don't do it, you don't work here" is about it by starseeker (Score:2) Monday October 21 2002, @05:31PM
  • A Few Things (Score:5, Informative)

    by danielgast (445926) on Monday October 21 2002, @05:32PM (#4499732)
    Yes, many of us who are in the industry, or in tangentially related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:

    1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

    2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)

    3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accommodate the new rules.

    4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).

    5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticeable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accommodate the law.

    -Dan
  • argh by Transcendent (Score:2) Monday October 21 2002, @05:36PM
  • In the software end of things (Score:3, Insightful)

    by cr@ckwhore (165454) on Monday October 21 2002, @05:37PM (#4499768) Homepage
    I work for a company with 2 medical practice management software packages. These packages each sell for big bucks... a single installation can be $100,000, with annual fees on top of that.

    HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.

    This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?

    After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.

    The delays of software authors cause delays at the practice, which causes healthcare costs to rise.

    Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.

  • Move what you can to the server.. by jcurious (Score:2) Monday October 21 2002, @05:38PM
  • Get to know your lawyer now by gcrocker (Score:1) Monday October 21 2002, @05:43PM
  • hipaa schmipaa (Score:5, Interesting)

    by Anonymous Coward on Monday October 21 2002, @05:44PM (#4499823)
    It breaks down like this : the regs have been so loosened to be almost ineffectual.

    You (as an individual and as an institution) only get jail time and big time fines if you get a provable financial gain from violating hipaa regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.

    Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.

    Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.

    Don't worry kids. HIPAA, much like 911, is a joke.
  • You think you have problems? by /dev/trash (Score:1) Monday October 21 2002, @05:45PM
  • The likeliest outcome by SPiKe (Score:2) Monday October 21 2002, @05:46PM
  • Don't Panic!!! HIPAAA is BS by Llama Keeper (Score:2) Monday October 21 2002, @05:49PM
  • Sounds like (mostly) a technical problem. by hamsterboy (Score:2) Monday October 21 2002, @05:51PM
  • My company doesn't care. by RazzleDazzle (Score:2) Monday October 21 2002, @05:58PM
  • Don't do it by yourself, use the employees... by joto (Score:2) Monday October 21 2002, @05:58PM
  • PGP use not hard to achieve by BrianWCarver (Score:1) Monday October 21 2002, @05:59PM
  • Build it into the Tools... by liquidbrains (Score:1) Monday October 21 2002, @06:00PM
  • This is a software engineering windfall! by ChicoLance (Score:2) Monday October 21 2002, @06:05PM
  • BizTalk Accelerator for HIPAA by MSwanson (Score:1) Monday October 21 2002, @06:06PM
  • Privacy != Security in HIPAA (Score:4, Insightful)

    Okay, I know this sounds weird, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.

    (From an IT perspective, one wonders what good privacy is without security. For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)

    The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.

    (So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)

    The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.

    I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.

    Oh, and don't panic. :)
  • Apply For an extension (Score:3, Insightful)

    by LowellPorter (466257) on Monday October 21 2002, @06:13PM (#4500044) Journal
    I work in the healthcare industry too. I believe there are certain circumstances where you can apply for an extension to the April 2003 date. Look more carefully at the law itself and not what your buying group gave you.
  • IT ISN'T AS HARD AS IT LOOKS! (Score:5, Informative)

    by leftism11 (177941) on Monday October 21 2002, @06:14PM (#4500050)
    I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.

    If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.

    First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)

    Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.

    After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.

    I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.

    You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:

    http://aspe.hhs.gov/admnsimp/

    A site to check for updates and HIPAA news is:

    http://www.hipaadvisory.com/

    (They have good news updates, but again, use your knowledge of HIPAA and understanding of your organization to filter any opinions you get from their site.)
  • General Security by photon317 (Score:2) Monday October 21 2002, @06:16PM
  • Email gateway filters? by karlm (Score:2) Monday October 21 2002, @06:17PM
  • Uhhhh (Score:4, Informative)

    by isa-kuruption (317695) <kuruption@noSPam.kuruption.net> on Monday October 21 2002, @06:18PM (#4500091) Homepage
    First, being a 'security officer' means you are at VP level or better. Are you paid for this? As an officer, you have the authority to tell people to do what you want; you also have the authority to hire and fire as needed, etc....

    Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.

    Also, referring to my first statement, if you are an "officer" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?

    • Re:Uhhhh by geekoid (Score:2) Wednesday October 23 2002, @02:31AM
  • Take a deep breath by Aron S-T (Score:2) Monday October 21 2002, @06:23PM
  • You don't understand... by cathyy (Score:1) Monday October 21 2002, @06:26PM
  • Off topic but by Timwit (Score:1) Monday October 21 2002, @06:26PM
  • by sportal (145003) on Monday October 21 2002, @06:27PM (#4500162)
    I've mainly been dealing with the effect of the HIPAA regulations on email. The organization I work for primarily communicates with other health care organizations, not patients directly. We will probably implement a mix of solutions and make the option available to the other organization of what they want to use. You only need to worry about encrypting email that contains PHI (patient health information).

    1. STARTTLS - Implement it in your mail server or border mail gateway, and your email gets encrypted on the fly without requiring any user intervention. Works great; only a couple of things you need to look out for. An informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding on the message unencrypted after you send it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) Signed SSL certificates by a proper CA (not self-signed) help prevent man in the middle style attacks.

    2. S/MIME - Works, but you got to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.

    3. PGP - Works, but same as S/MIME, you got to train the users on both ends. Put your PGP public keys up on your website so that users can download them.

    4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot easier than trying to train an AOL User/patient how to use S/MIME. Prevents them from broadcasting to the Internet their SSN, and health problems in clear text.

    5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being S/MIME gateways, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating with. Also it only helps at the organization-to-organization level, since AOL isn't running an S/MIME gateway, and neither is Hotmail.

    Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
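
    As an added example of what item 1 above looks like in practice (editor's addition, not part of sportal's post or any vendor's documentation), here is a Postfix configuration that shows the opportunistic default next to per-partner enforced TLS with certificate verification. It uses smtp_tls_policy_maps and smtp_tls_security_level, which Postfix introduced in version 2.3, after this thread was written (the 2002-era TLS patch used smtp_tls_per_site for the same purpose). All domain names, hostnames and file paths are made-up assumptions; point (a), the "last hop" problem, is something Postfix cannot check for you and has to be settled with the partner organization, which is why it appears only as a comment.

```conf
# /etc/postfix/main.cf (excerpt). Editor's example, not from the original
# post. Domain names, hostnames and paths are assumptions.

# --- Receiving side: offer STARTTLS so partners can encrypt mail to us ---
smtpd_tls_security_level = may
# Certificate issued by a real CA, not self-signed, so that partners who
# enforce "secure" toward us can verify it (item 1c).
smtpd_tls_cert_file = /etc/postfix/tls/mail.example-dme.com.crt
smtpd_tls_key_file  = /etc/postfix/tls/mail.example-dme.com.key
smtpd_tls_loglevel  = 1

# --- Sending side ---
# Weak setting on its own: "may" is opportunistic. Postfix uses TLS if the
# remote MX advertises STARTTLS, falls back to cleartext if it does not, and
# does not check the peer certificate at all. Acceptable for the Internet at
# large; not acceptable for mail that carries PHI.
smtp_tls_security_level = may
# Trust anchors used when a policy entry below asks for verification.
smtp_tls_CAfile   = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Per-destination overrides (item 1b): for the organizations we exchange PHI
# with, delivery is refused (mail stays queued) unless TLS is negotiated AND
# the peer certificate chains to a trusted CA AND its name matches (item 1c).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy


# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#
# destination               level    attributes
#
# "secure": mandatory TLS + CA-verified certificate + name check. The names
# to accept are listed explicitly (leading dot = any subdomain) because the
# MX hostname comes from an unauthenticated DNS lookup and must not be
# trusted as the identity to verify.
partner-hospital.example    secure   match=.partner-hospital.example:partner-hospital.example
clinic.example              secure   match=mail.clinic.example
#
# "encrypt": mandatory TLS but NO certificate check. Stops passive sniffing
# only; an active man in the middle can present any certificate. Use only as
# a stopgap for a partner that still runs a self-signed certificate.
# legacy-pharmacy.example   encrypt
#
# Item 1a is outside what this file can enforce: TLS covers only the hop to
# the host in the partner's MX record. If that host relays onward to an
# internal mail server over cleartext, the protection ends there. Confirm
# this with the partner in the informal agreement mentioned above.
#
# Hand check of a partner's MX before trusting it (item 1c):
#   openssl s_client -starttls smtp -connect mail.clinic.example:25 \
#       -CAfile /etc/ssl/certs/ca-certificates.crt -verify_return_error
```

    Two things to watch after deploying this: with "secure" entries, a partner who lets their certificate expire or changes MX hostnames causes PHI mail to queue rather than go out in the clear, so someone has to be watching the Postfix log and the deferred queue; and the global "may" level still sends everything else opportunistically, so the policy table, not the default, is the real control and should be reviewed whenever a new partner is added.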
  • HIPAA simplified? by CokoBWare (Score:2) Monday October 21 2002, @06:32PM
  • Real HIPAA Problems by PerlPunk (Score:1) Monday October 21 2002, @06:47PM
  • From the other side of things... by jgrider (Score:1) Monday October 21 2002, @06:47PM
  • Hmmm... by Compuser (Score:1) Monday October 21 2002, @06:47PM
    • Re:Hmmm... by SN74S181 (Score:1) Monday October 21 2002, @07:18PM
  • HIPAA Resources by alkatraz (Score:1) Monday October 21 2002, @06:52PM
  • Helpful site by JoshMKiV (Score:1) Monday October 21 2002, @06:55PM
  • ah Linux Journal has covered thi ssubject by linuxislandsucks (Score:1) Monday October 21 2002, @07:01PM
  • From someone in the Banking IT security field by flinxmeister (Score:1) Monday October 21 2002, @07:01PM
  • Easy HIPAA Compliant Email by eprosenx (Score:1) Monday October 21 2002, @07:06PM
  • by Lucas Membrane (524640) on Monday October 21 2002, @07:12PM (#4500469)
    If I get a prescription for some of my personal hygiene needs (for tax and insurance purposes), and go to a MegaMegaMart Pharmacy to buy them, and carry them to the cash register, and the checkout clerk gets on the public address and hollers "PRICE CHECK ON _use_your_imagination_here_, GIANT ECONOMY SIZE" again, can I sue?
  • Prove It by Anonymous Coward (Score:1) Monday October 21 2002, @07:14PM
  • link karma whoring by loconet (Score:2) Monday October 21 2002, @07:26PM
  • HIPPA compliance by jlechem (Score:1) Monday October 21 2002, @07:28PM
  • Documentation is the key. by RandomIO (Score:1) Monday October 21 2002, @07:29PM
  • I worked for a medical center IS dept in 1998-1999 by dumbunny (Score:2) Monday October 21 2002, @07:59PM
  • Just starting now??? by Zed2K (Score:1) Monday October 21 2002, @08:12PM
  • I work for an HMO by hrieke (Score:2) Monday October 21 2002, @08:14PM
  • Sounds like a set up by rossz (Score:1) Monday October 21 2002, @08:17PM
  • Compliance by Luveno (Score:2) Monday October 21 2002, @08:53PM
  • Is my situation any easier? by bscott (Score:1) Monday October 21 2002, @09:00PM
  • Worse than you think by gmhowell (Score:2) Monday October 21 2002, @09:17PM
  • Hipaa is bad for the patient by barole (Score:1) Monday October 21 2002, @09:31PM
  • Well... by NiftyNews (Score:2) Monday October 21 2002, @09:59PM
  • HIPPA from a physician's perspective... by Anonymous Coward (Score:2) Monday October 21 2002, @10:17PM
  • Risks of automatic Windows updates, and HIPAA lega by _alpha_ (Score:1) Monday October 21 2002, @10:21PM
  • HIPAA Compliance.. by Anonymous Coward (Score:1) Monday October 21 2002, @10:41PM
  • HIPAA Compliant FW,etc by dkuntz (Score:1) Monday October 21 2002, @11:03PM
  • +1 Accurate Headline by g0at (Score:1) Monday October 21 2002, @11:29PM
  • HIPAA is HUGE (Score:3, Interesting)

    by MikeyNg (88437) <mikeyng@ g m a i l . c om> on Tuesday October 22 2002, @01:13AM (#4502082) Homepage

    The Health Insurance Portability and Accountability Act of 1996 will have extremely large ramifications with the IT industry. Some have said that it'll be bigger than Y2k compliance.

    The reason? HIPAA basically means that every single company out there that deals with the health care industry must meet standards to ensure that information can be transferred readily as well as securely. Think about it. That not only means hospitals and physician groups, but insurers, employers, welfare, Medicare, Medicaid, anybody that has anything to do with the health care industry.

    If your company is only starting NOW, I feel sorry for you - the Act was signed back in 1996, and the compliance dates have already been pushed back a few times already. HIPAA-compliance involves programmatic and systematic changes in the way things are done. Ideally, someone would set up the back-end so that features like electronic security and data retrieval are handled without the people on the front-end having to worry about it too much.

    My advice: learn how serious HIPAA-compliance is and translate that to the upper-level management. Maybe do a little research on what other entities are doing to achieve HIPAA-compliance. Take a look at HCFA [hcfa.gov], for instance, as a beginning. You need to make those people understand that HIPAA-compliance is a big deal, and their waiting this long to begin to get compliant spells doom. All of the employees are going to have to change their methodology, and a change like that can only come from the top.

  • watch it, d00d...(I'm serious!) by alizard (Score:2) Tuesday October 22 2002, @01:59AM
  • Boiling the Ocean by salesgeek (Score:1) Tuesday October 22 2002, @05:56AM
  • Ohh ohh ohh by DJPenguin (Score:1) Tuesday October 22 2002, @07:00AM
  • Reality check, please. by budalite (Score:2) Tuesday October 22 2002, @07:42AM
  • simple solution by misterhaan (Score:1) Tuesday October 22 2002, @08:23AM
  • HIPAA vs. Patriot Act by ken_i_m (Score:1) Tuesday October 22 2002, @08:46AM
  • Why not try this? by NastyGnat (Score:1) Tuesday October 22 2002, @10:29AM
  • HIPAAA by MeBadMagic (Score:1) Tuesday October 22 2002, @10:35AM
  • Re:Bureaucratic filth (Score:5, Informative)

    by Jeremiah Cornelius (137) on Monday October 21 2002, @05:30PM (#4499718) Journal
    Part of the problem with HIPAA is the earnest attempt to create a standard for Information Security controls, without a requirement for implementation specifics on individual security controls. The aim is admirable - do not specify technologies which could be tied to a vendor, or rendered obsolete within the decade. Also, do not make assumptions about the specific sensitivity of individual data elements in the custody of various regulated entities.

    The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, implementation, audit and compliance. The healthcare industry must now involve itself in a regime of regulatory overhead analogous to that of Securities or banking.

    I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.

  • Re:Bureaucratic filth by Mr. Slippery (Score:2) Monday October 21 2002, @05:31PM
  • Re:Bureaucratic filth (Score:4, Insightful)

    by fanatic (86657) on Monday October 21 2002, @05:37PM (#4499761)
    It's nothing but more government interference in private business that chains capitalism

    Fine - let's have EVERY bit of your medical history made public please, and given to every insurer, loan company or employer to whom you apply.

    That's a great idea.
  • Re:Bureaucratic filth by rgmoore (Score:2) Monday October 21 2002, @06:07PM
  • Re:Bureaucratic filth by karlm (Score:2) Monday October 21 2002, @06:14PM
  • 2002 (Score:5, Insightful)

    by bill_mcgonigle (4333) on Monday October 21 2002, @06:36PM (#4500228) Homepage Journal
    Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definitely not going to change again before the implementation date.

    Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations [hhs.gov].

    The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.

    It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.
    • Re:2002 by SN74S181 (Score:2) Monday October 21 2002, @07:08PM
  • Re:Bureaucratic filth by Usquebaugh (Score:2) Monday October 21 2002, @06:47PM
  • Re:1996 by Anonymous Coward (Score:1) Monday October 21 2002, @08:47PM
  • Re:Slashdot not HIPAA compliant... by SEWilco (Score:1) Monday October 21 2002, @09:18PM
  • Re:It's a Hardware Problem by crusher-1 (Score:1) Tuesday October 22 2002, @03:52AM