Striving for HIPAA Compiance?

krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?

Don't just tell them...

[SaturnTim]

Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.

--ST

Re:Don't just tell them...

[FreeLinux]

If management isn't behind you, then get another job. Because, if that is the case with management the company will be shut down in short order. Then everyone will be out of work.

How can you do this job without authority?

[fishbowl]

You need the authority to say "you will follow these procedures, or you will work elsewhere; preferably in another industry."

Until you have THAT authority, you do not really have the job that you think you have.

Re:How can you do this job without authority?

[karlm]

Until you have THAT authority, you do not really have the job that you think you have.

I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.

Re:How can you do this job without authority?

[ESarge]

Apply standard change management advice.
If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).

The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.

Things to do:
Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
Give them chances to ask question and modify what you do. People are happier to sign on to things if they feel they've got some input into it.

Work on the IT side and get it work pretty well. Create detailed, clear, easy step by step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.

Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)

I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
If there's something you can do to fix their problem then do that. There may be technical things you can do that will get to them to do it right.
If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.

Re:How can you do this job without authority?

[dillon_rinker]

The stick is the only thing you have. Look at it from the owner's perspective:

I own a healthcare company. I will lose my livelihood if the people working for me don't adhere to these regulations. Therefore, anyone who refuses to comply CAN NOT work for me. Just like anybody else, I've got a spouse and kids and a house payment. Unlike most other people, I've got 20 other people working for me, all of whom have a spouse and kids and a house payment. I CAN NOT permit some nimrod to jeopardize the business. The reward for complying is a job. There is no punishment for failure to comply; you simply won't work for me.

Carrots are nice for persuading people to do things that are not essential, but in this kind of a situation, a stick is all that exists. If you disagree, I encourage you to find the carrots in the regulations that mandate compiance.

Re:How can you do this job without authority?

[juliao]

Until you have THAT authority, you do not really have the job that you think you have.

I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.

I fully agree. Still, for short-term tangible results, a stick works so much better than waiting for the donkey to get hungry...

Re:How can you do this job without authority?

[fishbowl]

The languange universities use regarding cheating,
is "...repeat the course, possibly at another institution."

I was paraphrasing that and applying it here. My intention was not to suggest specific strategies, but to point out that, if one is not in a position to enforce policy, then he is merely in an advisory role. Either his employees are empowered to ignore his suggestions or they are not.

I have seen workplaces where the security guards have as much authority as I am suggesting for this *regulatory* role (MANDATED by the Federal Government, mind you!). So why not have teeth? Have everyone agree to the policy, have them understand that the consequences for not supporting the company policy will *begin* with firing and could include *prosecution*, get it in writing. Either do that, or else communicate to them that it really isn't all that important, and they can choose to comply or not, with no real consequences either way.

I understand your message, but, I still say you should approach taking this kind of authority from a position of strength -- one where exceptions are not made, not even for the president or board members. If it were something like air traffic controllers and hard drug use, you'd be able to say "follow this policy or don't work in this industry." What makes this scenario so fundamentally different from that one?

Actual implementation not clear cut.

[PIPBoy3000]

I'm a web/database developer in a large healthcare organization, and the phrase "HIPPA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.

For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?

Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.

Tell The Truth

From my work with HIPPA compliance, there are two important things to remember. One, there are no HIPPA police out there that will kill you and eat your children if your compliance comes into questions. Second, all they really want you to do is tell the thruth about the measures you have taken to secure patient or other sensitive data. For example, if you say your data is in a data safe, make sure it does. The problem you will have with lawsuits can only be brought up if you have not truly done what your compliance form says you did.

BS7799 and ISO9000/1

[tezza]

I was a developer at a Medical IT firm in London. We went through the process of BS7799 and ISO 9000/1.

BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.

Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.

Read Peopleware under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.

Re:Bureaucratic filth

[Mr.+Slippery]

Simple -- don't implement it if it hinders you and ignore it, and go on with business as usual.

...and wait to get your ass sued into oblivion when the first privacy violation occurs. Brilliant.

Re:Bureaucratic filth

[fanatic]

It's nothing but more government interference in private business that chains capitalism

Fine - let's have EVERY bit of your medical history made poublic please, and given to every insurrer, loan company or employer to whom you apply.

That's a great idea.

In the software end of things

[cr@ckwhore]

I work for a company with 2 medical practice management software packages. These packages each sell for big bucks... a single installation can be $100,000, with annual fees on top of that.

HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.

This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?

After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.

The delays of software authors cause delays at the practice, which causes healthcare costs to rise.

Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.

Re:HIPAA's goodness

[GigsVT]

Security's a bitch, get over it.

Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.

I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routienely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.

1996

[Charlton+Heston]

The act was passed in 1996. And just now you are getting around to complying with it. Seems like you have advance notice, so there's no excuse.

Don't bother firing anyone who doesn't comply. It's too late to comply, and too late to save your sorry company.

Go ahead and mod me down, but someone has to have the balls to speak the truth.

Re:1996

Yoh, big mouth. The act passed in 1996 merely instructed the bureacrats to make up 2 sets of regulations. Within a couple of years they got the portability reg finished. But the first draft of the privacy reg wasn't published until 2000-12-28; they were last modified on 2002-08-14, and the revised final text incorporating the modifications was published on 2002-10-10.

So software vendors have had somewhat less time to prepare than the 7 years you imply. Granted, we've all known for some time some of the general issues to be addressed. But it wasn't until early 2001 that anybody got a peek of actual proposed regulations, and not until late 2002 that anybody knew what the real regulations would be.

The likeliest outcome

[SPiKe]

It's been said before, but ...

In the end, the timetable set for HIPAA compliance will be pushed back further and further.

Some of the stuff they're asking for is just unreasonable. I don't remember a lot of it, but I'm just glad to be out of the world of health care.

For Christ's sake

[abe+ferlman]

I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.

But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.

C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.

Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.

ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.

Privacy != Security in HIPAA

[peacefinder]

Okay, I know this sounds wierd, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.

(From an IT perspective, one wonders what good privacy without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)

The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.

(So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)

The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.

I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.

Oh, and don't panic. :)

Apply For an extenstion

[LowellPorter]

I work in the healthcare industry too. I believe there are certian circumstances where you can apply for an extension to the April 2003 date. Look more carefully at the law itself and not what your buying group gave you.

MS & HIPAA compliance

[Lucas+Membrane]

Unfortunately, MS sees HIPAA as a big marketing opportunity. If you've got to replace or upgrade everything to comply, why not go with the firm with the biggest market share? The responsible authorities are not going to shoot everyone who buys from MS, no matter how badly MS might mung it up. But they might shoot everyone who buys from some small operator, just to show that enforcement exists, given that compliance is impossible. MS is investing much in offering some ways to attempt HIPAA compliance via it's .NET smokeandmirrorsware, so this isn't going to hurt them much.

It takes people like MS to make people like linux, just as it takes people like health insurers to make people like undertakers.

2002

[bill_mcgonigle]

Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definately not going to change again before the implementation date.

Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations.

The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.

It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.

Prove It

Prove to users that unencrypted emails are easily accessible. Sit down at a terminal, run ethereal and have two people exchange an email over your network. Demonstrate how easy it is to get ahold of other people's data and then everyone will understand why it is important not to send personally identifiable information over email.

The truth is, most people, even people who use a computer a lot, do not understand the basics of networking. If they understood a little bit of how it works, they would know what is secure and what is not.

HIPAA Comliance..

I'm a dentist and only have to deal with a small staff of 3 people. There are a bunch of silly new rules that don't involve IT. The Biggest problem we are facing is that the companies that do electronic insurance claims are not up to HIPAA standard and are not going to make the deadline. So no matter what we do we are not going be in compliance. The only redeeming grace is that I filed for my extension. I really don't think that enforcement is going to be that strict for a while because no one(including the government) really knows what needs to be done. I really don't think enforecement will initially be as draconian as the law spells out, because it is going to take some time for every one to figure out what exactly what needs to be done.