Slashdot Mirror

← Back to Stories (view on slashdot.org)

Striving for HIPAA Compiance?

Posted by Cliff on from the forcibly-changing-the-way-you-work dept.

krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?

8 of 277 comments (clear)

  1. Don't just tell them... by SaturnTim · · Score: 5, Insightful

    Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

    When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.

    --ST

    --
    http://www.theMediaBunker.com
  2. Actual implementation not clear cut. by PIPBoy3000 · · Score: 5, Insightful

    I'm a web/database developer in a large healthcare organization, and the phrase "HIPPA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.

    For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?

    Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.

  3. Re:Bureaucratic filth by fanatic · · Score: 4, Insightful

    It's nothing but more government interference in private business that chains capitalism

    Fine - let's have EVERY bit of your medical history made poublic please, and given to every insurrer, loan company or employer to whom you apply.

    That's a great idea.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  4. Re:HIPAA's goodness by GigsVT · · Score: 4, Insightful

    Security's a bitch, get over it.

    Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.

    I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routienely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  5. For Christ's sake by abe+ferlman · · Score: 4, Insightful

    I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.

    But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.

    C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.

    Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.

    ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.

    --
    microsoftword.mp3 - it doesn't care that they're not words...
  6. Re:How can you do this job without authority? by ESarge · · Score: 4, Insightful

    Apply standard change management advice.
    If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).

    The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.

    Things to do:
    Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
    Give them chances to ask question and modify what you do. People are happier to sign on to things if they feel they've got some input into it.

    Work on the IT side and get it work pretty well. Create detailed, clear, easy step by step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.

    Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)

    I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
    If there's something you can do to fix their problem then do that. There may be technical things you can do that will get to them to do it right.
    If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
    If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.

  7. Privacy != Security in HIPAA by peacefinder · · Score: 4, Insightful

    Okay, I know this sounds wierd, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.

    (From an IT perspective, one wonders what good privacy without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)

    The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.

    (So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)

    The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.

    I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.

    Oh, and don't panic. :)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  8. 2002 by bill_mcgonigle · · Score: 5, Insightful

    Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definately not going to change again before the implementation date.

    Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations.

    The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.

    It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)