For the past 3 years, a multitude of medical consultants and lawyers have been warning the health care industry of impending millennial doom brought on by the Y2K bug. By a combination of good work and, perhaps, good luck, the disaster was averted. Other than a few sporadic minor glitches, health care information systems continued to operate business-as-usual after the arrival of the dreaded “00.”

Armed with their Y2K experience and looking for the next challenge, many of the same consultants and lawyers have now turned their sights on the Health Insurance Portability and Accountability Act (HIPAA). Due to their efforts, we are now being subjected to ominous warnings that HIPAA compliance is a problem akin to Y2K, but much more complicated and costly. We are also being told that failure to comply within the regulatory time frame will result in dire consequences including fines, loss of accreditation, and even jail for criminal offenders.

All of the doomsayers are missing the mark with regard to HIPAA. The act is not another Y2K, but rather an opportunity to improve the delivery of health care by standardizing how health information is transmitted, stored, and protected. Over the past 2 decades, other industries have moved to embrace the emerging information technologies. These include a wide array of productivity enhancement tools that use the Internet, extranets, intranets, and other enterprise networks. During this same time, health care has been frustrated in its efforts to integrate information systems because those systems could neither exchange data nor interpret one another’s data in a common way. The administrative simplification provisions of HIPAA were enacted to improve efficiency and reduce health care costs by creating the standards that will allow the health care industry to use electronic means to exchange health data.

The HIPAA requirements will serve as a catalyst to improve many of the business processes that lie within and among health care providers, plans, and clearinghouses. These include new electronic transaction formats, code sets, and unique health identifiers for providers, employers, health plans, and patients. These and other new technological requirements, such as enterprise master patient indexes and digital signatures, will also improve the access to and use of information, both inside and outside of the health care enterprise.

This is not to suggest that compliance with HIPAA will come at no cost or that the process will not be somewhat intrusive. HIPAA will require changes in how health information is managed and protected, and these changes will be accompanied by additional costs. For example, the privacy standard requires that a number of administrative measures be put into place by covered entities, enabling them to protect health information in accordance with the regulations. The HIPAA security standard requires that affected health care entities implement technical, physical, and administrative safeguards and draft written policies and procedures covering them. Clearly, such measures do not come without a price tag.
Despite the added administrative burdens and their associated costs, the visionary health care chief information officer or hospital administrator knows and understands that HIPAA compliance is only part of the overall movement toward better management of health care data. Once the HIPAA standards are successfully adopted and implemented, the vast array of health care organizations that need to exchange information in the course of treating patients will be far better equipped to communicate with one another.

A strategic approach will be required to accomplish all that HIPAA requires and suggests. Even though release of the final standards is spread out over the next year, compliance will be required 24 months after each of the standards becomes effective (36 months for small health plans). Therefore, affected health organizations should begin now to assess what must be done, not only to comply with HIPAA but also to help advance their e-health and e-business capabilities.

The assessment begins with a review of the health care organization’s e-business and e-health strategies, looking at business-to-business, administrative, financial, and business-to-patient transactions. This may include a review of whether the current technology architecture and applications, such as electronic medical records, picture archiving and communication systems, and clinical laboratory systems, are sufficient to reach the technology goals of the organization.

After the electronic strategies are ascertained, the assessment compares the specific requirements of HIPAA against current operational practices. Though the security regulations are not in final form, health care organizations can begin the process of assessment by creating a baseline using the proposed regulations and industry best practices.

Similarly, organizations can begin now to review their privacy practices, utilizing a two-part process. Since the proposed privacy regulations would not preempt every state law (a state law that is more stringent in protecting health information generally survives), the first step is to determine, issue by issue, whether state law or the proposed regulations will prevail. The second step is to compare the controlling law against current organizational practices.

The assessment should be followed by implementation of the steps necessary to close the gaps between current practices and the HIPAA requirements, bringing the health care organization into compliance.

HIPAA is not to be dreaded or feared. Rather, it presents an opportunity to move health information technology forward and, perhaps, ultimately lower the costs of health care by increasing efficiency. The trick is to begin HIPAA compliance now, rather than be caught in a last-minute compliance crunch.

M. Peter Adler, JD, is a partner with Oppenheimer, Wolff, Donnelly, Washington, D.C., practicing in HIPAA compliance and information security and privacy.