Striving for HIPAA Compiance? 278
krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?
Why not try this? (Score:5, Informative)
Re:Why not try this? (Score:4, Informative)
In general, it is a difficult problem to say "we need to be HIPAA-compliant". It generally needs to break down to finding all of the points where healthcare information flows outside the organization, and then protecting that information.
From the standpoint of email, there was a great amount of effort put into this in 2001. Check out this press release [hipaadvisory.com] which summarizes the effort. Basically, there was a group of email vendors led by the Massachusetts Health Data Consortium (MHDC) that got together and standardized a method of doing server to server encryption of email. This effort is currently an Internet Draft, draft-ramsdell-enc-smime-gateway [ietf.org], and it will actually be moved to the IETF-SMIME working group in time for the next meeting. It is basically a profile of the DOMSEC effort, which is in turn a profile of S/MIME. I participated in this effort on behalf of Tumbleweed, and at the end of it all, the products were all working together, and I am a co-author and editor of the draft.
The bottom line is that there exist commercially available solutions from multiple vendors which satisfy the HIPAA requirements for secure email, which is most likely a large part of your charge. These products are generally usable in a "gateway" configuration where they can be placed next to an existing mail server to automatically encrypt / decrypt mail according to policy. Further, this effort is being discussed and documented in the IETF so that new implementations can be created.
I hate it when this happens. (Score:2, Offtopic)
Wait, it gets worse. Opened it with KWord. The only formats are bolds, centering, ?unicode?, and a few hyperlinks, that differ from normal html by only a few control characters which must only work for word. Why, oh why, would anyone use Word to publish something like that? Nothing different or useful was added by word. All word did was make it a little harder for me to read the thing presented.
I appreciate the effort, but please don't use Word. If you must use Word, save it as text or html. If word won't do that don't use word for things you want to share or cut and paste into another text editor that will do this. Remember that you yourself may not be able to read what you write in Word after the next "upgrade" and that most of your effort making the format just so will be wasted.
Re:I hate it when this happens. (Score:2)
First, because many/most users do not know any other editor than Word (in fact, for many/most Word is the only piece of software they know - you would be surprised how many users never have used the file manager, or even know it exists).
Second, because most Word users don't know that Word can export into other formats than .doc
Re:Oh, no! (Score:3, Funny)
Misleading... (Score:5, Funny)
Don't just tell them... (Score:5, Insightful)
When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.
--ST
Re:Don't just tell them... (Score:3, Insightful)
Re:Don't just tell them... (Score:3, Informative)
Dilbert's boss posts on Slashdot!
There is no point in threats when people have no idea what to do. And there is simply no point in trying to solve an enterprise security problem with tools designed by geeks for geeks.
PGP is as you point out not an easy concept to explain to an end user. In particular PGP is designed arround an ideology of personal security, and not enforcing an enterprise wide security policy.
First you need someone to write the security policy. 'We don't believe in security' is probably not a starter, might put off the patients. Fortunately the more complex privacy issues have been punted on - for now, expect them to return in due course. For the time being you need your network security measures and application security. But don't buy into a system unless the vendor is likely to be arround in a couple of years to provide privacy management infrastructure as well.
What you need for messaging security is a PKI that enables the encryption features of Outlook, Lotus Notes, Netscape etc. Given your time constraints it would probably be best to look at an outsourced solution so you don't have to worry about building secure infrastructure or write a CPS or anything stupid. This is also much cheaper up front on capital costs.
The other thing you will need to do is to draw up some sort of survey that describes the circumstances under which you report confidential patient information to outside bodies - under HIPPA that includes external medical practices, labs etc. You will need to make sure that their privacy practices align with the ones you communicate to the patients.
Re:Don't just tell them... (Score:2)
Hmm...Lotus Notes and Novell's Groupwise do this right out of the box, and as a bonus, aren't susceptible to OE viruses....
PGP not good for newbies (Score:2)
The good parts of PGP are anonymity and zero cost. Both of these points are much less valueable in a business setting.
The bad: the only good UI I've seen for PGP is mutt+gpg, where unknown keys are automatically fetched, defaults are set, the password is cached for a short period of time, verification is automatically done... Outlook's PGP interface is lame. Also, a lot of users seem to not get the whole "web of trust" concept, and tend to break it by trusting everyone.
Re:Incorrect (Score:2)
Hopefuly you will never be a manager of any kind. Idiotic macho talk like that is exactly the way companies are run into the ground.
How many billion dollar companies have you helped to create? I helped to build one with over a billion dollars in revenues.
Fear is a pretty useless method of motivating staff. The best people know their worth and will either leave or make sure that you fail and take the blame for it.
Believe it or not there are other options besides 'strident language', dismissals pay docking and all the rest of the stupid stuff you suggest. Every time you make a threat you make another enemy.
Don't count on the idiot in the Whitehouse keeing the unemloyment rate high enough to give you a disosable workforce. Not so long ago it could take twelve months to fill a position. Dilbert boss tactics will only mean that your staf will leave en-masse the minute things look up
Re: Incorrect (Score:2)
Al Dunlap? Is that you?
Ahh you have 'talked to experts'.
I have yet to read a management book that does anything other than argue against what you suggest. So much for your 'experts'.
As for 'too many managers' not behaving like tin pot tyrants, nah exactly the opposite.
When I see a company being run like that I consider it a potential short. The Tyco/Enron/Worldcom school of management just went out of fashion.
Re:Don't just tell them... (Score:2)
How can you do this job without authority? (Score:3, Insightful)
Until you have THAT authority, you do not really have the job that you think you have.
Re:How can you do this job without authority? (Score:3, Insightful)
I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.
Re:How can you do this job without authority? (Score:3, Insightful)
I own a healthcare company. I will lose my livelihood if the people working for me don't adhere to these regulations. Therefore, anyone who refuses to comply CAN NOT work for me. Just like anybody else, I've got a spouse and kids and a house payment. Unlike most other people, I've got 20 other people working for me, all of whom have a spouse and kids and a house payment. I CAN NOT permit some nimrod to jeopardize the business. The reward for complying is a job. There is no punishment for failure to comply; you simply won't work for me.
Carrots are nice for persuading people to do things that are not essential, but in this kind of a situation, a stick is all that exists. If you disagree, I encourage you to find the carrots in the regulations that mandate compiance.
Re: (Score:2)
Re:How can you do this job without authority? (Score:3, Insightful)
I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.
I fully agree. Still, for short-term tangible results, a stick works so much better than waiting for the donkey to get hungry...
Re:How can you do this job without authority? (Score:4, Insightful)
If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).
The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.
Things to do:
Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
Give them chances to ask question and modify what you do. People are happier to sign on to things if they feel they've got some input into it.
Work on the IT side and get it work pretty well. Create detailed, clear, easy step by step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.
Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)
I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
If there's something you can do to fix their problem then do that. There may be technical things you can do that will get to them to do it right.
If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.
Re:How can you do this job without authority? (Score:2)
Re:How can you do this job without authority? (Score:3, Insightful)
is "...repeat the course, possibly at another institution."
I was paraphrasing that and applying it here. My intention was not to suggest specific strategies, but to point out that, if one is not in a position to enforce policy, then he is merely in an advisory role. Either his employees are empowered to ignore his suggestions or they are not.
I have seen workplaces where the security guards have as much authority as I am suggesting for this *regulatory* role (MANDATED by the Federal Government, mind you!). So why not have teeth? Have everyone agree to the policy, have them understand that the consequences for not supporting the company policy will *begin* with firing and could include *prosecution*, get it in writing. Either do that, or else communicate to them that it really isn't all that important, and they can choose to comply or not, with no real consequences either way.
I understand your message, but, I still say you should approach taking this kind of authority from a position of strength -- one where exceptions are not made, not even for the president or board members. If it were something like air traffic controllers and hard drug use, you'd be able to say "follow this policy or don't work in this industry." What makes this scenario so fundamentally different from that one?
Actual implementation not clear cut. (Score:5, Insightful)
For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?
Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.
Re:Actual implementation not clear cut. (Score:2)
Databases? What about online pharmacies then? (Score:2)
Tell The Truth (Score:2, Insightful)
Re:Tell The Truth (Score:3, Interesting)
They haven't yet pronounced whether HIPAA prohibits doctors offices from using sign-in sheets, for example. This is a disclosure to each person signing in who the other patients are. After all, you can see them in the office and might recognize them, so how can it be a violation of 'privacy'? But it's exactly the kind of promiscuous disclosure that this act is supposed to prevent. The law is an ass.
HIPAA's goodness (Score:5, Interesting)
the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)
for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.
all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...
Re:HIPAA's goodness (Score:4, Insightful)
Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.
I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routienely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.
they don't use good information security. (Score:2)
As a patient, the only things I've seen out of this are new outrageous consent forms. Read what you sign the next time you use insurance payments for a doctor's visit. Getting a pair of eyeglasses, I was confronted with "sign this or pay for yourself". The this there included disclosures to unamed partners and was essentially permission to tell anyone. I was told that I could not strike out the offending portion and the doctor herself was conerned. I was a great volunteer there.
I sure hope this set of laws gets more specific and makes such "voluntary" consent requirements to recieve insurance benifits illegal.
Re:HIPAA's goodness (Score:2)
Now suppose you are in a messy marriage, and want to find out what that discharge was that your wife complained of. Simple: you give a guy on the cleaning crew a c-note, and you'll have her chart in minutes.
HIPAA rules are barely one step above security through obscurity.
Re:HIPAA's goodness (Score:2)
Re:HIPAA's goodness (Score:2)
Educational Institutions have had to live with similar things with FERPA, and trying to be honest and get everything hunky dory is a PITA. I imagine that our folks in the Records Area mail stuff back and forth unencrypted as the norm as if you ask any of our Novell Network Admins about encryption and what kind of encryption is used and they are like duh yeah it's encrypted. Funny thing is I think it's real easy to encrypt e-mail in Groupwise, although I never e-mail main critical stuff anyway. My favorite is we are in the middle of implementing a new package system on AIX machines and I have asked time and time again has anyone sniffed the packets that the client sends out to verify it's secure? Anyone checked out how it gets to the server's command line if your an admin on it? Anyone sniffed it's packets? And all I get is blank stares. Really frustrating. All I can do is be sure mystuff is OK (telnet is disabled as well as standard LPD (I run a product called Easyspooler) and quite possibly ftp will be disabled as well soon. The feeling I get from some of the guys in charge of implementing this thing is they feel that since our stuff is in a isolated VLAN, they can be lax with security nevermind that STUDENTS have access to this VLAN at certain points (the desktops that they use are secured, but it would be nothing to plug another device in in place of the normal desktop which then would not be secured). I also recently detected a wireless LAN on campus and noticed it was not running WEP (I know, a basic form of security, but it's at least something...). All I can do is cover my ass and make sure my machines are as secure as I can make them and keep my patches up to date.
Re:HIPAA's goodness (Score:2)
They have no business with my personal medical data if they can't even use good information security practices.
I'm so happy for you. You are aware that if the HIPAA Regulations are taken at their word then your healthcare organisation can't give out ANY information to anyone that says that you MIGHT have received treatment. So, I hope that you can find the Emergency Room when you need it. We're covering all the signs for the Hospital up in case people see your car outside the building. We don't want them jumping to conclusions. After all they might know that you've been to hospital.
I won't mention the stealth ambulances, if I did people might realise when we're parked outside your door that you might have a healthcare issue.
Yes, Security IS a bitch. And you're right that we shouldn't be emailing medical records around in plain text. Oh, Sorry... WE DON'T! Nor do we we give out any personal information whether over insecure phone lines or any other way.
The problem isn't just that "basic security is routinely ignored" but that the "vague government mandates" are so badly written. HIPAA Stands for Health Insurance Portability and Accountability Act... And is intended to reduce costs and administrative overhead of healthcare by standardizing the electronic transmissions of certain administrative and financial transactions while protecting the security and privacy of healthcare information.
The privacy legislation covers all medical record and other individual identifiable information maintained or disclosed in any form, whether electronic, paper or orally. (From a summary I found online). Notice the words in bold. This does mean that if your car is recognised in a hospital parking lot then there is a lack of compliance.
Now, tell me how your healthcare provider is supposed to meet THAT strict a standard...
Z.
HIPAA dictates screen savers? (Score:2)
This sounds like a management problem. (Score:5, Funny)
You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.
HIPAA compliance (Score:3, Interesting)
We use ICA protocol with 128 bit encryption and rotating passwords.. but with all of the applications that one employee has to access, it's becoming a major breaking point remembering all of the passwords.
The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the rediculous to get work done for people that's skillsets are RN's or MD's. MD's tend to be more technically adept(aka AOL), but the rest are hapless technoweenies(to quote a cheese movie).
Things are moving toward http browser based access, and temernical serviced applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.
As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinZP SP1 is a HIPAA violation or if MS will sue us next week cause they aren't making their stock margins.
And after all of this, we will have some work cut out for us(not much)- but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east/west. If the government can't do it, then I surely can. And so, there you have it.
MS & HIPAA compliance (Score:3, Insightful)
It takes people like MS to make people like linux, just as it takes people like health insurers to make people like undertakers.
Re:HIPAA compliance (Score:2)
One of our problems is that many EMR 'solutions' are inextricably tied to an Exchange backend.
BS7799 and ISO9000/1 (Score:3, Insightful)
BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.
Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.
Read Peopleware [dorsethouse.com] under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.
"You don't do it, you don't work here" is about it (Score:2)
Another point which will help (at least it would help ME in such a position) would be to explain to them in detail why these procedures are a good thing and what bad stuff might happen (besides being shut down) if they aren't followed. People may be less resistant to the changes if they know that said changes aren't just time wasting BS.
I guess that doesn't really help you if the people really don't want to learn, period. Then it's back to the "or else" stuff. But you can try to make them at least willing to do it by making them part of the "in the know" crowd who understand why these changes are made. You might find some of them will even support the improvements! So I guess I'd say try to change them from unwilling to willing, which lord knows is easier said than done.
A Few Things (Score:5, Informative)
1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.
2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a
3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accomodate the new rules.
4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).
5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accomodate the law.
-Dan
Re:A Few Things (Score:3, Informative)
Re:A Few Things (Score:3, Interesting)
Our current plan is monthly training sessions from here on out. The idea is for everyone in the company to know as much as possible.
Have seen others recommend immediate firing (for cause!) and will probably take up that discussion at my workplace.
Re:A Few Things (Score:2)
Yeah, like I'm gonna trust my network security to a company that isn't even on the net.
Re:A Few Things (Score:2)
Re:A Few Things (Score:2)
I haven't looked into it, but I suspect that vendors who receive HIPAA compliance certs. (or claim compliance) are much like NT being a C2 operating system: it is, but only if you disable functionality to the point of uselessness.
argh (Score:2)
In the software end of things (Score:3, Insightful)
HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.
This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?
After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.
The delays of software authors cause delays at the practice, which causes healthcare costs to rise.
Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.
Move what you can to the server.. (Score:2, Interesting)
Email encryption server:
http://www.tumbleweed.com/en/products/so
Policy enforcement server:
http://www.ciphertrust.com/ironmail/inde
Re:Move what you can to the server.. (Score:2)
One misconfigured laptop with a wireless card attached to your wired network and suddenly you've got a wireless network! People steal data and blackamil companis with it all the time. The HIPAA may make this thing more lucrative for the thieves. The blackamil is usually of the form "pay me a consultant fee and I'll tell you how I did it. I won't fix anything, just tell you what I found wrong."
hipaa schmipaa (Score:5, Interesting)
You (as an individual and as an institution) only get jail time and big time fines if you get a proveable financial gain from violating hipaa regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.
Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.
Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.
Don't worry kids. HIPAA, much like 911, is a joke.
I bet you laughed while Rome burnt... (Score:2)
Your advice is about as morally reprehensible as the lawyers calculations that the settlement by people killed by having their hearts ripped out because they were impaled on solid steering columns would probably be less than the cost of replacing these with collapsible columns which would save their lives.
It never entered the lawyer's minds that people might rather pay a little extra for riding in a car that wouldn't FUCKIN' KILL EM LIKE BUGS ON PINS!!!
You are one sorry-ass son-of-a-bitch. It must suck to be you and HAVE to use an electric razor'cause you might slit your throat in knee-jerk remorse if you tried scraping the stubble with a straight-edge.
Re:His Approach... (Score:2)
Sure, that would be the case for informed, motivated patients. That probably accounts for, say, 1% of all patients. The rest will either be ignorant or apathetic or both (i.e., willfully ignorant) and won't "defect to a [better] company" unless they are led by the hand.
The typical consumer pays virtually zero attention to how their money (or information) is used once their purchase/transaction is complete. They're just focused on the immediate result. That's why massive corporations just keep on growing while small businesses that try to "compete" struggle until they collapse, and only those small businesses that find a niche unserved by the massive corporations can expect to survive and have a chance to thrive.
The likeliest outcome (Score:2, Insightful)
In the end, the timetable set for HIPAA compliance will be pushed back further and further.
Some of the stuff they're asking for is just unreasonable. I don't remember a lot of it, but I'm just glad to be out of the world of health care.
Don't Panic!!! HIPAAA is BS (Score:2)
Don't sweat this stuff, get a template package or a nifty little book, (e-mail me for my recs, I'm not going to past advertisements for the "consultants") and don't panic! If you use industry standard best practices you should be pretty darn close to compliant anyway, if you don't use best practices, well maybe its time to panic.
Sounds like (mostly) a technical problem. (Score:2, Interesting)
-- Hamster
My company doesn't care. (Score:2, Interesting)
Don't do it by yourself, use the employees... (Score:2)
By involving employees, you will at not only free yourself from a lot of grunt-work, but you will also avoid becoming the nasty HIPAA police everyone ignores and hates. And you will probably also get a bit of enthusiasm from at least some of the co-workers. This is the right approach, because what you are after is mostly a culture-change, not a technical change. Besides, management will love you...
This is a software engineering windfall! (Score:2)
However, under HIPAA, all names that are viewable by any public must be removed. Those names on the binders -- they've got to be replaced with some ID number. The names on the whiteboards of the patients must also be removed. QA is _much_ harder when to confirm that you've got the right chart, you somehow have to verify you're looking at the right ID number, instead of just asking, "Are you Nancy Johnson?"
Federal compliance has been delayed before for some of these same problems, and there is any indication that it will be delayed again. Our director is moving towards HIPAA compliance, but not at the expense of care and safety.
This also has all of the earmarks of a Software Engineering windfall -- all of the medical systems have to be modified to remove names from public places. That's a lot of work!
Privacy != Security in HIPAA (Score:4, Insightful)
(From an IT perspective, one wonders what good privacy without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)
The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.
(So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)
The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.
I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.
Oh, and don't panic.
Apply For an extenstion (Score:3, Insightful)
IT ISN'T AS HARD AS IT LOOKS! (Score:5, Informative)
If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.
First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)
Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.
After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.
I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.
You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:
http://aspe.hhs.gov/admnsimp/
A site to check for updates and HIPAA news is:
http://www.hipaadvisory.com/
(They have good news updates, but again, use your knowlege of HIPAA and understanding of your organization to filter any opinions you get from their site.)
Why did you stop consulting? (Score:2)
When you were in the business, did you hear any talk about doctor-to-patient email (and vice versa)? I'm curious about that area, but I haven't done any research on it aside from a few informal conversations. So far, most physicians seem pretty skeptical that it will catch on, ironically except for my own doctor, who encourages it.
General Security (Score:2)
As far as I'm aware (I do some coding for a small medical company, I've had to deal breifly with HIPAA), there's not actually any set-in-stone rules for what makes up HIPAA compliance. It boils down to you coming up with a HIPAA plan that describes how you will effectively secure patient information and sending it in and having it approved. Your plan might include PGP for email and SSL for web apps if that's where patient information flows at. Or you might devise your own schemes to protect it.
I guess what I'm saying is that all you have to do is treat patient records like you would your root password, follow good security practices, document them, and send them in for approval, and all should be ok.
Email gateway filters? (Score:2)
Uhhhh (Score:4, Informative)
Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.
Also, referring to my first statement, if you are an "officier" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?
Take a deep breath (Score:2, Informative)
The key though is this:
The first step you must take now is build a compliance plan! This is important because you will need it to get an extension. It is also the only way to make HIPAA compliance manageable.
Keep in mind, as well, that HIPAA is mostly about best practices regarding security and privacy. Even if HIPAA didn't exist you should be doing it. Not just you. Everyone out there. HIPAA is just a stick.
So
1. Look at your organization
2. Build a plan
3. Educate your employees why this is important
4. Implement the plan
5. Educate your employees how this will be done
6. Test the plan
7. Educate your employees what needs to be done
I think you get the picture. And don't feel pressured. Just do it right, step by step.
The email part of the HIPAA regulations (Score:4, Informative)
1. STARTTLS - Implement it in you mail server or border mail gateway, and you email gets encrypted on the fly without requiring any user intervention. Works great only a couple of things you need to look out for. An informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding on the message unencrypted after you send it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) Signed SSL certificates by a proper CA (not self-signed) help prevent man in the middle style attacks.
2. S/MIME - Works, but you got to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.
3. PGP - Works, but same as S/MIME, you got to train the users on both ends. Put your PGP public keys up on your website so that users can download them.
4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot easier than trying to train an AOL User/patient how to use S/MIME. Prevents them from broadcasting to the Internet their SSN, and health problems in clear text.
5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being an S/MIME gateways, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating to. Also it only helps the organization to organization level, since AOL is running an S/MIME gateway, and neither is hotmail.
Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
HIPAA simplified? (Score:2, Informative)
I work in a company where HIPAA compliance has been mandated by our legal counsel for liability reasons. Here's what I've managed to synthesize from the requirements...
1. HIPAA is meant to protect the patient and their medical information from getting leaked out into the public.
2. HIPAA is good, and it requires organizations working with medical data to treat it as sensitive information. Medical data of patients should be kept safe like your own children (not the best example, but you get the point).
3. Protect the association between a paitient and their medical information. There is nothing wrong with having medical information less secure unless it is accompanied by anything traceable to a patient (like SSN, address, name, next-of-kin, etc.).
4. HIPAA demands that any time personal medical information is viewed or used, it needs to be tracked somehow to show the fingerprint trail.
5. Protect all information systems from unauthorized access, including computer systems, physical claims, etc. Your premises should be as secure as your network!
6. Read the HIPAA proposal, AND look for summaries on HIPAA. If the HIPAA proposal is too dense a read, then the summaries will help you get started.
7. Form a HIPAA committee... usually one person from each department or overseeing group to help make implementations possible.
8. Get your company audited for HIPAA compliance after you have implemented your measures. This way, you can have an "objective" 3rd-party evaluate your compliance and suggest remedies before the deadline.
9. Don't get caught up in "If they can't enforce it, why should I bother?" That's lazy... would you want your personal medical information left on the sidewalk for someone to pick up and use against you? These are peoples lives we're talking about!
Well I've said enough. I am NO expert on HIPAA, but I have our CIO's and Security Manager's ear. These few points are what I've managed to make sense of while discussing the topic with them.
Good luck on your own HIPAA compliance efforts.
CokoBWare
Hypothetical Question, Just Checking (Score:5, Funny)
Re:Hypothetical Question, Just Checking (Score:2)
link karma whoring (Score:2)
http://www.vennix.com/hipaalibrary.php
I worked for a medical center IS dept in 1998-1999 (Score:2, Informative)
At the workshop, the topic of jail time for non-compliance came up. We jokingly asked about how the jail time could be divided up, and whether a 90-day sentence could be turned into 45 2-day sentences to be shared among all employees. The response was, basically, that it'd have to be a pretty blatent violation to warrant jail time, and the people charged would probably those most responsible.
It's to your benefit to quickly determine whether management is informed and ready to make this a high priority. Asking them to attend a short workshop is a good way for you both get things started and get a feel for the situation, IMO. After that, you can decide whether to stay on or jump ship.
I work for an HMO (Score:2)
HIPAA is not simple, companies are starting off way too late, like our dear poster here, and I'm sure the very first thing that he will be filling out is the extention form. The HMO that I work for started last year with the privacy questionnaire to all 2500 employees asking what data they released and if it was the min. needed to get the job done.
The fact that you are now just beinging scares the shit out of me, and let's face it, you're going to be closed down.
Compliance (Score:2, Funny)
Worse than you think (Score:2)
Seriously though, trudge through it. There's no easy way. Threats of beatings and sacking is a good place to start (and yes, that's serious).
I read through many comments saying "why haven't you done this already" and "there's nothing to worry about." Bullshit. First, the regulations STILL aren't cast in stone. This is hitting a moving target. Second, there are things to worry about, both from patients, doctors, and affiliated companies (where I would place suppliers of DME). There are going to be a myriad of subtle changes. Our current reading of the regulations is that we can no longer call patients the day before an appointment to remind them. Well, we can call, but if they don't answer, tough shit. Can't leave it on the machine anymore. Similar with callbacks for lab results.
The 'privacy' improvements will be neglible, particularly compared to the extra hassles. Since I won't be able to say it at work, I'll say it here: folks, you asked for it. You begged your congresspeople to do something. Well, they did. And it sucks ass. I'm going to pay for it, and so are you. But when you bitch about all the hoops and extra forms you have to sign, just remember: you asked for it. When we have to raise prices (which won't help, since insurance, medicare, and medicaid won't pay any more) to pay for capital improvements, just remember: you asked for it.
A special note for the people who literally asked for it (HIPAA, that is): I hope you die, painfully, bleeding to death on the street, waiting for some medical info to get to your location, but it can't because of some form you didn't fill out properly.
I'm not a people person. I would have an awful bedside manner. That's why I'm in IT. That's why I get called in when HR has to do something shitty. Because I don't give a damn. I have seen the light, and it is the Scorched Earth Party [armory.com].
Well... (Score:2)
At my companie, we convarted all of the spel-checking staff into compliance ofisers to spede up the work.
HIPPA from a physician's perspective... (Score:2, Interesting)
1. Someone commented on HIPPA as an "unfunded mandate." That's a very apt characterization. I have seen estimates of the total cost for HIPPA implementation as high as 3 billion dollars. Where is that money going to come from? Basically, it comes from the operating budgets of physician's offices, hospitals, etc. Remember that healthcare deliverers (doctors, hospitals, etc) are essentially the only industry in which costs rise year by year, but revenues decline. If you look at the average physician's office (and mine is no exception), what you see is a shrinking margin between the cost of keeping the office operational and the monies collected. Since that margin represents a) doctor's salaries and b) monies for expansion, program development, etc, what you are seeing is a industry in decline. Adding an additional cost (HIPPA) had darn well be worth the financial (and time and labor) impact. I doubt that will be the case.
2. People often complain about like of privacy in medical records, and with good reason, because your records should be private. However, whatever goes on in your doctor's office, I feel confident that more of your medical information circulates outside the doctors' offices that within. Further, the harder is becomes to share information from your chart, the more your care may suffer. Example: It is routine in my practice (as we are largely consultants to other physicians) for us to get records sent over in advance of a new patient visit. Often, the records we request do not arrive in time, so my staff will call the referring physician's office when the patient arrives and get records faxed. Now, with HIPPA, said "electronic transmission" may not be feasible - meaning that crucial information may not be available, meaning a second visit once that information has been received - less convenient for all involved.
3. Given that HIPPA requires logging of all accesses to the medical record as to date, purpose, person, how can that be done efficiently (and reliably) with a paper chart? It can't. This has let some pundits to postulate that to become fully HIPPA compliant, ALL medical records will have to become electronic. Even assuming that there were available enough good EMR software packages to accomplish this, imagine the time and cost of doing so. (BTW: It is not clear to me from the regs that non-electronic charts MUST be converted to electronic, or that the access logging rules apply to non-electronic data. I've asked a number of "experts" on this and have not gotten any clear answer).
4. It is not unlikely that "HIPPA compliance" in many small practices will amount to little more than a "HIPPA compliance manual" stuff on a shelf, coupled with a bunch of letters from insurance companies, billing clearinghouses, and software vendors attesting to their HIPPA compliance. What a collosal waste of time and money once again.
Don't get me wrong: I fully believe that medical information should (and maybe can) be protected and that people's private and personal information should remain private. In fact, I am very concerned about the overall loss of privacy we all face (and yes, I do have a shredder which I use liberally before throwing things in the garbage). It infuriates me each time I get a letter from an insurance company advising me which of my patients (by name) are on drug A and advising me that I could (?must) switch to "equivalent" drug B which (of course) is cheaper for that company. And so on. I'm just not sure that an increasing paperwork burden on the small practitioner, hospital, or payor is going to do the job here.
HIPAA is HUGE (Score:3, Interesting)
The Health Insurance Portability and Accountability Act of 1996 will have extremely large ramificiations with the IT industry. Some have said that it'll be bigger than Y2k compliance.
The reason? HIPAA basically means that every single company out there that deals with the health care industry must meet standards to ensure that information can be transferred readily as well as securely. Think about it. That not only means hospitals and physician groups, but insurers, employers, welfare, Medicare, Medicaid, anybody that has anything to do with the health care industry.
If your company is only starting NOW, I feel sorry for you - the Act was signed back in 1996, and the compliance dates have already been pushed back a few times already. HIPAA-compliance involves programmatic and systematic changes in the way things are done. Ideally, someone would set up the back-end so that features like electronic security and data retrieval are handled without the people on the front-end having to worry about it too much.
My advice: learn how serious HIPAA-compliance is and translate that to the upper-level management. Maybe do a little research on what other entities are doing to achieve HIPAA-compliance. Take a look at HCFA [hcfa.gov], for instance, as a beginning. You need to make those people understand that HIPAA-compliance is a big deal, and their waiting this long to begin to get compliant spells doom. All of the employees are going to have to change their methodology, and a change like that can only come from the top.
watch it, d00d...(I'm serious!) (Score:2)
You're a Oxygen Transfill Technician and you're ALSO the HIPAA Compliance Officer?
Are you being given authority (as the guy said, "FOLLOW THESE RULES OR FIND ANOTHER INDUSTRY TO WORK IN!) and budget for consultants, including legal and software and clerical assistance to help you get your company up to speed on this? Have you gotten a pay raise? Are you now at VP level at your company?
If not, you might as well get used to an unofficial job title of "Company Fall Guy"... they have no intention of getting into compliance until they are forced to. I suggest you document your activities CAREFULLY (start with your initial assignment... names, dates, places) in the likely event that you're going to wind up in court... with the company blaming YOU for incompetence.
And start putting out resumes NOW for another gig in the field of Oxygen Transfill Technician, you need another job a lot closer to your training and experience. The real skill set that fit your assignment are a combination of law and system administration... the minimum set would be a telecommunications lawyer who understands the underlying technology or at least enough of it to work with an IT pro to figure out what this really means to your organization... or IT pro with IMMEDIATE access to HIPAA-qualified legal counsel.
Your immediate responsibility to yourself is to get some legal advice... which I suspect strongly will be along the lines I suggested.
There is some very good advice on compliance and technology here, but if you don't have authority and budget, get your ass out of there... you probably ought to get out of there even if you do, because if anything goes wrong, you will be blamed.
Reality check, please. (Score:2)
1. The HIPAA mandates have been in place for about 3 years. The final date for compliance has been similarly known by all who need to be aware and compliant with HIPAA. There are no excuses.
2. For those who don't know what HIPAA is, it essentially mandates that anyone who handles personal medical information must insure the confidentiality of that personal medical information, ESPECIALLY when it is placed on-line or when it is sent anywhere electronically. As in YOUR RIGHTS ONLINE sort of personal confidentiality. As in securing personal data so it won't be viewed, handled, or sold by unauthorized people. This is not a trivial issue.
3. Just as I have no patience with companies that collect, mishandle, and/or sell my personal data, I have little patience for people or companies who, having known about this for over 3 YEARS, have done nothing to get into compliance with the securing of patient data. Your medical data.
Would you like your medical information passed out around like any old text file or even sold to the highest bidder, like your credit card info has been? It's happening and HIPAA is meant to stop it. I think this is a good thing.
Thank you.
Re:Bureaucratic filth (Score:5, Informative)
The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, iplementation, audit and compliance. The healthcare industry must now involve itself in a regieme of regulatory overhead analogous to that of Securities or banking.
I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.
Re:Bureaucratic filth (Score:2, Insightful)
Re:Bureaucratic filth (Score:4, Insightful)
Fine - let's have EVERY bit of your medical history made poublic please, and given to every insurrer, loan company or employer to whom you apply.
That's a great idea.
Almost there now anyways (Score:2)
Re:Bureaucratic filth (Score:2, Interesting)
So it is good to protect EMR's from (e.g.) Pharmaceuticals trying to use sensitive information for marketing, but some of the shackles that HIPAA will put on researchers are not a good thing (TM). There are already many measures in place within academic research to protect the privacy of patients.
Re:Bureaucratic filth (Score:2)
Lea
Re:Bureaucratic filth (Score:2)
THe only problem is when health care executives and medical specialists are unable to purchase porches and drink $2,000 bottles of wine, the entire universe will come to a halt.
Re:Bureaucratic filth (Score:2)
My heart goes out to all those poor, unbalconied people...
Re:Bureaucratic filth (Score:2)
Since you don't like government interference in your business, I hope that your health care firm will give up access to funding in the form of Medicare, Medicaid, NIH research funds, etc. It would be terrible if you were to behave hypocritically by taking lots of government money and then turn around and complain about government regulations.
People depend on those services. (Score:2)
Even if they had free Internet, they wouldn't have time to both read public opinion and legislative movements.
The closest they could come would be NPR, and then they'd have their resulting opinions fed to them.
(And it still wouldn't free them from needing medicare and medicaid to get by.)
Re:Bureaucratic filth (Score:2)
Then this will never happen, pure and simple, unless cracktivism is legalized (cracking inscured systems to publically disgrace the company into bolting thiings down).
Re:Bureaucratic filth (Score:2)
Free market means no loans/grants/tariffs etc, bye bye airlines, steel etc.
An investor should be able to see everything about a company, no more Enrons.
Without a common enemy America is finished, let's split up the assets and re-distriubte the wealth.
from the forcibly-changing-the-way-you-work dept. (Score:2)
For Christ's sake (Score:4, Insightful)
But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.
C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.
Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.
ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.
2002 (Score:5, Insightful)
Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations [hhs.gov].
The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.
It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.
Re:2002 (Score:2, Funny)
Wow, now you've made me enthusiastic about voting Democrat, dude.
Re:2002 (Score:2)
Re:Risks of automatic Windows updates, and HIPAA l (Score:2)
If the computer controlling your brain electrodes is networked in any way, other than one way send to a monitoring station, I'd say that they NEED to send more voltage through said nodes.