Slashdot Mirror
Striving for HIPAA Compiance?
krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?
Although it's another side of health care, why not take a look at the AMA's page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.
I thought this was about some new car club for cool people.
sig.
Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.
When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.
--ST
http://www.theMediaBunker.com
You need the authority to say "you will follow these procedures, or you will work elsewhere; preferably in another industry."
Until you have THAT authority, you do not really have the job that you think you have.
-fb Everything not expressly forbidden is now mandatory.
I'm a web/database developer in a large healthcare organization, and the phrase "HIPPA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.
For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?
Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.
I currently have 3 seperate jobs (I'm a college student), and each one is affected by HIPAA in different ways... one is a branch of an insurance company, where I'm sure eventually all of our inter-company emails will have to be encrypted, reguardless of content, and we'll be very limited on what we can actually talk about on the phone (I'm in the phone cube all day)
the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)
for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.
all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...
You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.
HIPAA is being sorted through at my place of work, which happens to be a hospital. We are basically turning our MS shop into a Citrix shop due to the impossibility of configuring thousands of computers at the user level.
We use ICA protocol with 128 bit encryption and rotating passwords.. but with all of the applications that one employee has to access, it's becoming a major breaking point remembering all of the passwords.
The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the rediculous to get work done for people that's skillsets are RN's or MD's. MD's tend to be more technically adept(aka AOL), but the rest are hapless technoweenies(to quote a cheese movie).
Things are moving toward http browser based access, and temernical serviced applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.
As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinZP SP1 is a HIPAA violation or if MS will sue us next week cause they aren't making their stock margins.
And after all of this, we will have some work cut out for us(not much)- but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east/west. If the government can't do it, then I surely can. And so, there you have it.
The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, iplementation, audit and compliance. The healthcare industry must now involve itself in a regieme of regulatory overhead analogous to that of Securities or banking.
I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.
"Flyin' in just a sweet place,
Never been known to fail..."
BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.
Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.
Read Peopleware under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.
[% slash_sig_val.text %]
Yes, many of us who are in the industry, or in tangentally related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:
.ppt presentation)
1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.
2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a
3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accomodate the new rules.
4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).
5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accomodate the law.
-Dan
It's nothing but more government interference in private business that chains capitalism
Fine - let's have EVERY bit of your medical history made poublic please, and given to every insurrer, loan company or employer to whom you apply.
That's a great idea.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
I work for a company with 2 medical practice management software packages. These packages each sell for big bucks... a single installation can be $100,000, with annual fees on top of that.
HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.
This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?
After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.
The delays of software authors cause delays at the practice, which causes healthcare costs to rise.
Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.
Skiers and Riders -- http://www.snowjournal.com
It breaks down like this : the regs have been so loosened to be almost ineffectual.
You (as an individual and as an institution) only get jail time and big time fines if you get a proveable financial gain from violating hipaa regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.
Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.
Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.
Don't worry kids. HIPAA, much like 911, is a joke.
I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.
But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.
C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.
Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.
ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.
microsoftword.mp3 - it doesn't care that they're not words...
Okay, I know this sounds wierd, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.
:)
(From an IT perspective, one wonders what good privacy without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)
The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.
(So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)
The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.
I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.
Oh, and don't panic.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
I work in the healthcare industry too. I believe there are certian circumstances where you can apply for an extension to the April 2003 date. Look more carefully at the law itself and not what your buying group gave you.
I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.
If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.
First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)
Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.
After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.
I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.
You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:
http://aspe.hhs.gov/admnsimp/
A site to check for updates and HIPAA news is:
http://www.hipaadvisory.com/
(They have good news updates, but again, use your knowlege of HIPAA and understanding of your organization to filter any opinions you get from their site.)
They haven't yet pronounced whether HIPAA prohibits doctors offices from using sign-in sheets, for example. This is a disclosure to each person signing in who the other patients are. After all, you can see them in the office and might recognize them, so how can it be a violation of 'privacy'? But it's exactly the kind of promiscuous disclosure that this act is supposed to prevent. The law is an ass.
First, if you are a 'security officer' means you are a VP level or better. Are you paid for this? As an officer, you have the authority to tell people to do what you want, you also have the authority to hire and fire as needed, etc....
Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.
Also, referring to my first statement, if you are an "officier" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?
I've mainly been dealing with the effect of the HIPAA regulations on email. The organization I work for primarily communications with other health care organizations, not patients directly. We will probably implement a mix of solutions and make the option available to the other organization of what they want to use. You only need to worry about encrypting email that contains PHI (patient health information).
1. STARTTLS - Implement it in you mail server or border mail gateway, and you email gets encrypted on the fly without requiring any user intervention. Works great only a couple of things you need to look out for. An informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding on the message unencrypted after you send it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) Signed SSL certificates by a proper CA (not self-signed) help prevent man in the middle style attacks.
2. S/MIME - Works, but you got to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.
3. PGP - Works, but same as S/MIME, you got to train the users on both ends. Put your PGP public keys up on your website so that users can download them.
4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot easier than trying to train an AOL User/patient how to use S/MIME. Prevents them from broadcasting to the Internet their SSN, and health problems in clear text.
5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being an S/MIME gateways, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating to. Also it only helps the organization to organization level, since AOL is running an S/MIME gateway, and neither is hotmail.
Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
It takes people like MS to make people like linux, just as it takes people like health insurers to make people like undertakers.
Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definately not going to change again before the implementation date.
Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations.
The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.
It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If I get a prescription for some of my personal hygiene needs (for tax and insurance purposes), and go to a MegaMegaMart Pharmacy to buy them, and carry them to the cash register, and the checkout clerk gets on the public address and hollers "PRICE CHECK ON _use_your_imagination_here_, GIANT ECONOMY SIZE" again, can I sue?
So what you're saying is that the government is a HIPAAAcrit ?
In Soviet America the banks rob you!
The Health Insurance Portability and Accountability Act of 1996 will have extremely large ramificiations with the IT industry. Some have said that it'll be bigger than Y2k compliance.
The reason? HIPAA basically means that every single company out there that deals with the health care industry must meet standards to ensure that information can be transferred readily as well as securely. Think about it. That not only means hospitals and physician groups, but insurers, employers, welfare, Medicare, Medicaid, anybody that has anything to do with the health care industry.
If your company is only starting NOW, I feel sorry for you - the Act was signed back in 1996, and the compliance dates have already been pushed back a few times already. HIPAA-compliance involves programmatic and systematic changes in the way things are done. Ideally, someone would set up the back-end so that features like electronic security and data retrieval are handled without the people on the front-end having to worry about it too much.
My advice: learn how serious HIPAA-compliance is and translate that to the upper-level management. Maybe do a little research on what other entities are doing to achieve HIPAA-compliance. Take a look at HCFA, for instance, as a beginning. You need to make those people understand that HIPAA-compliance is a big deal, and their waiting this long to begin to get compliant spells doom. All of the employees are going to have to change their methodology, and a change like that can only come from the top.
Where the wind blows, the tumbleweed goes.