Slashdot Mirror
Striving for HIPAA Compiance?
krisguy asks: "As a Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues when this article which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done?
Although it's another side of health care, why not take a look at the AMA's page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.
I thought this was about some new car club for cool people.
sig.
Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.
When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.
--ST
http://www.theMediaBunker.com
I'm a web/database developer in a large healthcare organization, and the phrase "HIPPA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.
For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?
Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.
I currently have 3 seperate jobs (I'm a college student), and each one is affected by HIPAA in different ways... one is a branch of an insurance company, where I'm sure eventually all of our inter-company emails will have to be encrypted, reguardless of content, and we'll be very limited on what we can actually talk about on the phone (I'm in the phone cube all day)
the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)
for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.
all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...
You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.
The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, iplementation, audit and compliance. The healthcare industry must now involve itself in a regieme of regulatory overhead analogous to that of Securities or banking.
I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.
"Flyin' in just a sweet place,
Never been known to fail..."
Yes, many of us who are in the industry, or in tangentally related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:
.ppt presentation)
1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.
2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a
3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accomodate the new rules.
4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).
5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accomodate the law.
-Dan
It breaks down like this : the regs have been so loosened to be almost ineffectual.
You (as an individual and as an institution) only get jail time and big time fines if you get a proveable financial gain from violating hipaa regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.
Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.
Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.
Don't worry kids. HIPAA, much like 911, is a joke.
I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.
If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.
First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)
Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.
After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.
I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.
You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:
http://aspe.hhs.gov/admnsimp/
A site to check for updates and HIPAA news is:
http://www.hipaadvisory.com/
(They have good news updates, but again, use your knowlege of HIPAA and understanding of your organization to filter any opinions you get from their site.)
Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definately not going to change again before the implementation date.
Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12000 line set of government regulations.
The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.
It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If I get a prescription for some of my personal hygiene needs (for tax and insurance purposes), and go to a MegaMegaMart Pharmacy to buy them, and carry them to the cash register, and the checkout clerk gets on the public address and hollers "PRICE CHECK ON _use_your_imagination_here_, GIANT ECONOMY SIZE" again, can I sue?