
Commentary: HIPAA compliance doesn't come in a box

In this column, contributor Kevin Beaver urges health care organizations not to rely on vendor enticements that try to sell HIPAA compliance in a box.

Surely you know by now whether your organization is affected by the Health Insurance Portability and Accountability Act (HIPAA).



For those who have been living in a cave for the past six years, HIPAA -- at least the administrative simplification component of the act, which I'm talking about here -- mandates electronic transaction and code set standards, as well as privacy and security controls for confidential transfers of health care information.

With the April 2003 deadline for the HIPAA privacy rule less than six months away, and the HIPAA security rule expected to be finalized any day now, what was once not taken very seriously has finally become a vivid reality for the health care industry.

HIPAA, in large part, was a sleeping giant until this year. The organizations that must comply with HIPAA are now realizing that something must be done about this beast. The problem is that the majority of these covered entities -- the smaller health care practices and their business associates -- don't have a clue about how to get started with their compliance efforts.

Vendors have seen a great opportunity to capitalize on this general lack of awareness and know-how, and have begun offering canned HIPAA solutions. These solutions range from practice management systems to firewalls and data encryption products to electronic transaction clearinghouse services. Regardless of the solution, there seems to be a common sales pitch, and even worse, a common misconception on the customer's part that these solutions will, in one motion, make an organization "compliant." This belief is mistaken at best, and those who buy into it could be making a critical mistake.

HIPAA compliance cannot be bought.

Sure, covered entities will have to buy products and services, and they will have to search out expertise to assist with their compliance efforts. It's just that HIPAA readiness and ongoing compliance are not about technical solutions or IT in general. Some of the products on the market are valuable and can be integrated into an overall compliance plan. However, health care organizations cannot simply throw money at their HIPAA initiatives, buy a few products, and think that the result will be HIPAA compliance.

Technology only provides a way to enforce policies and assist with procedures. A firm's HIPAA efforts should be focused on integrating policies and procedures with business processes.

HIPAA involves most, if not all, health care business processes. More specifically, HIPAA is a business problem that involves people. As with anything, when people are introduced into the equation, things become vastly more complicated. HIPAA requires policies, procedures, training and more. It also requires strategic planning, project management, maintenance, auditing, risk management, customer relations, legal issues and financial considerations -- practically everything that comes with running a business.

HIPAA compliance is not a one-time deal. It will require ongoing efforts that have to be managed wisely. If you or someone you know is affected by HIPAA, do yourself and your customers a favor and make sure that you find out for yourself what you have to do to prepare for and maintain HIPAA compliance. Concern for the privacy and security of patient information is, after all, a major factor in the HIPAA legislation. These concerns should be seen as part of a basic business strategy and not just something health care organizations are forced to do because of government regulations.

To get the HIPAA ball rolling, assign a person or persons in your organization to take a leadership role in your HIPAA efforts. Do some research and learn what exactly it is going to take to reach and maintain compliance, so you'll be educated and prepared when the vendors come knocking. In other words, trust what you know yourself, not what someone else tells you. Remember, no matter what anyone says, HIPAA compliance does not come in a box.

Kevin Beaver is president of Atlanta-based information security consulting firm Principle Logic LLC. He is a contributing author and editor of the soon-to-be-released book "Healthcare Information Systems, second edition." A CISSP, Beaver frequently speaks about information security and HIPAA security readiness at security conferences. He serves as secretary of InfraGard Atlanta.
