Slashdot Mirror

← Back to Stories (view on slashdot.org)

Striving for HIPAA Compiance?

Posted by Cliff on from the forcibly-changing-the-way-you-work dept.

krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?

4 of 277 comments (clear)

  1. Why not try this? by demonlapin · · Score: 5, Informative

    Although it's another side of health care, why not take a look at the AMA's page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.

  2. Re:Bureaucratic filth by Jeremiah+Cornelius · · Score: 5, Informative
    Part of the problem with HIPAA is the earnest attempt to create a standard for Information Security controls, without a requirement for implementation specifics on individual security controls. The aim is admirable - do not specify technologies which could be tied to a vendor, or rendered obsolete within the decade. Also, do not make assumptions about the specific sensitivity of individual data elements in the custody of various regulated entities.

    The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, iplementation, audit and compliance. The healthcare industry must now involve itself in a regieme of regulatory overhead analogous to that of Securities or banking.

    I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. A Few Things by danielgast · · Score: 5, Informative

    Yes, many of us who are in the industry, or in tangentally related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:

    1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

    2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)

    3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accomodate the new rules.

    4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).

    5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accomodate the law.

    -Dan

  4. IT ISN'T AS HARD AS IT LOOKS! by leftism11 · · Score: 5, Informative

    I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.

    If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.

    First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)

    Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.

    After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.

    I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.

    You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:

    http://aspe.hhs.gov/admnsimp/

    A site to check for updates and HIPAA news is:

    http://www.hipaadvisory.com/

    (They have good news updates, but again, use your knowlege of HIPAA and understanding of your organization to filter any opinions you get from their site.)