Striving for HIPAA Compliance?
krisguy asks: "As an Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or be forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues with this article, which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on a general basis, what did you have to ensure was done?
HIPAA's goodness (Score:5, Interesting)
The second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer).
For the third, I work as a programmer for my college; we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. We'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time) workers how to manage information correctly.
All of my jobs will be having INTENSIVE seminar-type classes on what we need to stop doing so we don't get shut down. Every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...
HIPAA compliance (Score:3, Interesting)
We use the ICA protocol with 128-bit encryption and rotating passwords, but with all of the applications that one employee has to access, remembering all of the passwords is becoming a major breaking point.
The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the ridiculous to get work done for people whose skill sets are RNs or MDs. MDs tend to be more technically adept (aka AOL), but the rest are hapless technoweenies (to quote a cheesy movie).
Things are moving toward HTTP browser-based access and Terminal Services applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.
As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinXP SP1 is a HIPAA violation or if MS will sue us next week because they aren't making their stock margins.
And after all of this, we will have some work cut out for us (not much), but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east and west. If the government can't do it, then I surely can. And so, there you have it.
Move what you can to the server.. (Score:2, Interesting)
Email encryption server:
http://www.tumbleweed.com/en/products/so
Policy enforcement server:
http://www.ciphertrust.com/ironmail/inde
hipaa schmipaa (Score:5, Interesting)
You (as an individual and as an institution) only get jail time and big-time fines if you get a provable financial gain from violating HIPAA regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.
Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-HIPAA compliant than it is to upgrade everything to be HIPAA compliant.
Then there's the extension you can file to get another 6 months on your deadline to be HIPAA compliant. If you file that, you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.
Don't worry kids. HIPAA, much like 911, is a joke.
Sounds like (mostly) a technical problem. (Score:2, Interesting)
-- Hamster
My company doesn't care. (Score:2, Interesting)
Re:Tell The Truth (Score:3, Interesting)
They haven't yet pronounced whether HIPAA prohibits doctors offices from using sign-in sheets, for example. This is a disclosure to each person signing in who the other patients are. After all, you can see them in the office and might recognize them, so how can it be a violation of 'privacy'? But it's exactly the kind of promiscuous disclosure that this act is supposed to prevent. The law is an ass.
Re:Bureaucratic filth (Score:2, Interesting)
So it is good to protect EMRs from (e.g.) pharmaceutical companies trying to use sensitive information for marketing, but some of the shackles that HIPAA will put on researchers are not a good thing (TM). There are already many measures in place within academic research to protect the privacy of patients.
Re:A Few Things (Score:3, Interesting)
Our current plan is monthly training sessions from here on out. The idea is for everyone in the company to know as much as possible.
Have seen others recommend immediate firing (for cause!) and will probably take up that discussion at my workplace.
HIPAA from a physician's perspective... (Score:2, Interesting)
1. Someone commented on HIPAA as an "unfunded mandate." That's a very apt characterization. I have seen estimates of the total cost for HIPAA implementation as high as 3 billion dollars. Where is that money going to come from? Basically, it comes from the operating budgets of physicians' offices, hospitals, etc. Remember that healthcare deliverers (doctors, hospitals, etc.) are essentially the only industry in which costs rise year by year, but revenues decline. If you look at the average physician's office (and mine is no exception), what you see is a shrinking margin between the cost of keeping the office operational and the monies collected. Since that margin represents a) doctors' salaries and b) monies for expansion, program development, etc., what you are seeing is an industry in decline. Adding an additional cost (HIPAA) had darn well better be worth the financial (and time and labor) impact. I doubt that will be the case.
2. People often complain about lack of privacy in medical records, and with good reason, because your records should be private. However, whatever goes on in your doctor's office, I feel confident that more of your medical information circulates outside the doctors' offices than within. Further, the harder it becomes to share information from your chart, the more your care may suffer. Example: It is routine in my practice (as we are largely consultants to other physicians) for us to get records sent over in advance of a new patient visit. Often, the records we request do not arrive in time, so my staff will call the referring physician's office when the patient arrives and get records faxed. Now, with HIPAA, said "electronic transmission" may not be feasible - meaning that crucial information may not be available, meaning a second visit once that information has been received - less convenient for all involved.
3. Given that HIPAA requires logging of all accesses to the medical record as to date, purpose, and person, how can that be done efficiently (and reliably) with a paper chart? It can't. This has led some pundits to postulate that to become fully HIPAA compliant, ALL medical records will have to become electronic. Even assuming that there were enough good EMR software packages available to accomplish this, imagine the time and cost of doing so. (BTW: It is not clear to me from the regs that non-electronic charts MUST be converted to electronic, or that the access logging rules apply to non-electronic data. I've asked a number of "experts" on this and have not gotten any clear answer.)
4. It is not unlikely that "HIPAA compliance" in many small practices will amount to little more than a "HIPAA compliance manual" stuffed on a shelf, coupled with a bunch of letters from insurance companies, billing clearinghouses, and software vendors attesting to their HIPAA compliance. What a colossal waste of time and money once again.
Don't get me wrong: I fully believe that medical information should (and maybe can) be protected and that people's private and personal information should remain private. In fact, I am very concerned about the overall loss of privacy we all face (and yes, I do have a shredder which I use liberally before throwing things in the garbage). It infuriates me each time I get a letter from an insurance company advising me which of my patients (by name) are on drug A and advising me that I could (?must) switch to "equivalent" drug B which (of course) is cheaper for that company. And so on. I'm just not sure that an increasing paperwork burden on the small practitioner, hospital, or payor is going to do the job here.
HIPAA is HUGE (Score:3, Interesting)
The Health Insurance Portability and Accountability Act of 1996 will have extremely large ramifications for the IT industry. Some have said that it'll be bigger than Y2K compliance.
The reason? HIPAA basically means that every single company out there that deals with the health care industry must meet standards to ensure that information can be transferred readily as well as securely. Think about it. That not only means hospitals and physician groups, but insurers, employers, welfare, Medicare, Medicaid, anybody that has anything to do with the health care industry.
If your company is only starting NOW, I feel sorry for you - the Act was signed back in 1996, and the compliance dates have already been pushed back a few times already. HIPAA-compliance involves programmatic and systematic changes in the way things are done. Ideally, someone would set up the back-end so that features like electronic security and data retrieval are handled without the people on the front-end having to worry about it too much.
My advice: learn how serious HIPAA compliance is and translate that to upper-level management. Maybe do a little research on what other entities are doing to achieve HIPAA compliance. Take a look at HCFA [hcfa.gov], for instance, as a beginning. You need to make those people understand that HIPAA compliance is a big deal, and that waiting this long to begin to get compliant spells doom. All of the employees are going to have to change their methodology, and a change like that can only come from the top.