Health care organizations must be compliant with the privacy portion of the Health Insurance Portability and Accountability Act (HIPAA) today, and some may be under the impression that the years of anxiety and angst over HIPAA end today. But the opposite is true.
HIPAA compliance will be an ongoing battle for many health care and insurance providers who fall under the auspices of the regulation.
But as one health care IT manager said, all the government has done is legislate good business practices.
"Health care is a business. You want to protect patient privacy and records," said Bob Mirabito, director of information systems at Glenwood Regional Medical Center in West Monroe, La. "I don't see it as a big deal."
Mirabito has spent a year and a half preparing for this day. In that time, he has hired a privacy officer, done gap analyses for the hospital's 40 departments and developed policies and procedures to bring the institution into compliance.
HIPAA is an initiative to develop standards and requirements for the secure transfer of any health information that could identify individual patients. Health care organizations have to be compliant with three aspects of the act: electronic transaction sets (as of Oct. 15, 2002), privacy (as of today) and security. The security regulations were released Feb. 20, and companies have two years to become compliant.
When Mirabito arrived at Glenwood Regional, his first duty was to formalize the word-of-mouth policies governing the medical center.
"We had a number of policies that were common practices and not really put down on paper," Mirabito said. "If someone came in and said, 'Show me your policy,' we couldn't pull out a document. Some would then say we did not have a policy. HIPAA forces health care to, among other things, put its policies down on paper."
Mirabito began by doing gap analyses of every department in the 250-bed medical center. Close to 50 meetings were held with the departments. These meetings included department heads, Mirabito, his privacy officer and someone from the hospital administration. Mirabito said the meetings lasted up to two hours in some cases, depending on how much contact the department had with patients. Eventually, enough material was collected to formulate hospital-wide privacy policies.
"We came up with 30 to 35 new policies, and now it's a matter of training 1,500 employees," Mirabito said, adding that his department had to contend with many PRNs (physical rehabilitation nurses) and agency nurses who are not full-time fixtures at the hospital, so a cost-efficient training method was needed. "We put together a training manual and will give it to everyone. It's their responsibility to read it, acknowledge they've read it and sign it. That's how we're meeting our training requirements."
Mirabito used security policy automation software from PoliVec Inc. to create the medical center's privacy mandates.
"I had basically three options: I could do it, I could hire someone to do it, or I could invest in a software program that allows me to do it and update it often," Mirabito said. "We had a business need."
Mirabito admits his office has not yet tackled the security requirements in depth, but he said that many of the provisions of the privacy regulation also touch on security.
"We have a business continuity plan in place. We're putting in two separate data centers at two facilities connected by fiber, and we're also investing in a broadband relay between those two as a backup," Mirabito said. "We have also purchased a mirrored SAN solution to store our electronic records. The data is duplicated and put in two locations so that we will continue to thrive in the event of a disaster. We've done a lot of planning."
The overlap there is a bonus. But there are cultural issues that no technology can address. West Monroe, La., for example, is a small community where many families have lived for generations. Physicians and patients could be familiar with one another and must now be wary of the privacy regulations, even in casual conversations. Violations could result in fines, and physicians could be subject to civil action from patients who perceive that they were wronged.
"This is an informal community, with a lot of multigenerational families living here since the 1800s," Mirabito said. "It's not unusual to be made aware of someone's medical condition. People have to be trained and have to learn to shut up."
Some common practices may have to change as well, even something as simple as including a cover sheet and a copy of the medical center's privacy regulations with every fax.
"We have to manage ease of use with privacy and security," Mirabito said.