From: www.itworld.com
May 7, 2001
The IT staff at Loma Linda University Medical Center understands the serious consequences of reading patients' medical records without authorization and otherwise violating patients' privacy. In anticipation of the medical privacy regulations that will be enforced by the Health Information Portability and Accountability Act (HIPAA), Loma Linda is operating under strict new privacy rules, says Alvin Siagian, the center's information security administrator. Some IT staffers at the Loma Linda, Calif.-based hospital have been fired for bypassing audit trails or looking up their friends' and families' records, he says.
"We have to teach our IT staff to keep their curiosity in check," Siagian says.
In the face of an October 2002 compliance deadline for HIPAA's first phase -- standardizing data formats for electronic transactions -- IT leaders at health care organizations have been managing many changes in their departments. They have implemented new policies, like Loma Linda's strict privacy rules, and learned early lessons about best practices, such as when to involve IT personnel on HIPAA projects and how to cost-effectively implement HIPAA compliance projects.
Industry officials say that so far, HIPAA projects haven't been a large burden on IT departments, and their efforts are paying off with the beginnings of a privacy-focused cultural change within their companies. Officials are also confident that IT and the rest of their organizations will be ready when next year's deadline arrives for implementing standards and formats for electronic transactions. But their toughest challenge -- giving patients access to their records -- is yet to come, according to industry analysts.
After health care organizations finish their Phase 1 work, they face an April 2003 deadline for implementing privacy and security provisions, although Health and Human Services Secretary Tommy Thompson says the rules will be modified before the deadline. Provisions governing security have yet to be finalized.
Matt Duncan, a research director for health care at Gartner Inc. in Stamford, Conn., says organizations that have yet to conduct Phase 1 risk assessments and hold employee education and awareness sessions risk missing next year's deadline. For the most part, he says, the health care industry needs to put more effort into its compliance projects. A Gartner survey of 225 health care organizations that was conducted in February revealed that 65% have general HIPAA education programs in place and 50% have begun risk assessments. Gartner suggests that organizations should be nearly done with their general awareness campaigns, most of the way through the assessment phase and already working on their return-on-investment analyses.
Yet IT leaders say they're on track for the first phase and they're proceeding cautiously on the privacy and security work until the federal regulations are firm. "We don't want to overreact," says Don Livsey, CIO at Children's Hospital Oakland in Oakland, Calif.
As for the data formats, Livsey says that two years is enough time to do the work and that he's comfortable with the progress his department has made. "We're right where we need to be," he says. The hospital has been examining the regulations for a year, analyzing what it needs to do.
Right now, Livsey says, staffing isn't a big burden. But next year, he'll have to commit funds for the necessary personnel and technology to bring the hospital into compliance. "We'll hit the ground running hard in 2002," he says.
Livsey says he hasn't completed his cost estimates for HIPAA compliance, but he expects them to be less than $10 million. Duncan says that's in line with data from Gartner's survey, in which only 27% of respondents had estimated their compliance costs, with an average of more than $7.5 million. But, he says, that number is far from firm and the average cost could prove to be more than double that amount.
Larger organizations will face higher costs because they have more work to do. For instance, Oakland-based Kaiser Permanente Health Plan Inc., a 101,400-employee nonprofit health maintenance organization with 8.2 million members, owns 35 hospitals and medical centers and 423 medical offices across the country that it must bring into compliance with HIPAA. Mary Henderson, national director of Kaiser's HIPAA program, has been directing a 50-person, full-time HIPAA team since March last year.
Henderson says most of Kaiser's 4,000 IT personnel aren't involved in HIPAA-related work because the new law doesn't yet affect them. Her strategy is to engage site-based IT personnel in compliance efforts when their participation is needed, such as when the systems they work on must be modified. So far, local IT personnel with responsibility for claims, membership and billing systems have gotten involved in Kaiser's first-phase compliance efforts.
At Group Health Cooperative, an HMO in Seattle, planned upgrades to legacy systems play a large part in determining the HIPAA implementation schedule, says Gary R. Gray, Group Health's HIPAA project director. One strategy he's found successful for lowering costs, he says, is to piggyback the changes for HIPAA compliance onto an existing project. Group Health's IT organization bundled Phase 1 requirements onto an upgrade of the HMO's registration system. A second project involving medical records will expand to include work that will meet HIPAA's privacy and security rules, Gray adds.
Although HIPAA has a strong technology component, he says, IT organizations can't rely on technology as the only solution. "HIPAA is about developing a culture in your organization," says Gray. And IT leaders are helping develop that culture through means ranging from holding seminars to rearranging work spaces.
Gray says changing Group Health's culture starts with education. The HMO has a companywide HIPAA oversight committee, of which he is a member. The first step was to teach departmental leaders about HIPAA's rules and ramifications, he says. Now the effort is moving down to departmental personnel through lunchtime brown-bag presentations. "We're trying to get as many audiences as we can," Gray says. "The audience is never too small and never too large."
Abbis Kafi, chief technology officer at Dallas-based Claimsnet.com Inc., a claims-processing clearinghouse, says his department has made so many changes throughout the company that everyone is aware of HIPAA. He's mandated that everyone use a screen saver with a 15-minute timeout so that any potentially private information isn't left on display when people are away from their desks. Not every employee has access to confidential information, but he's not taking any chances, Kafi says. He's even gone so far as to reposition employees' desktop computers so visitors can't see the screens.
Although such changes have placed an extra burden on Kafi's staff -- someone had to go around to every workstation and install the screen-saver utility, for example -- it has helped make his colleagues realize that everyone at the company is responsible for compliance with HIPAA. "We're actually helping to improve company communication," he says.
Although IT leaders are putting time and resources into HIPAA today, Gartner's Duncan says the largest headache will come in the future, when health care organizations implement the patients' rights portion under the privacy phase. This section gives patients the right to see their medical records and correct any mistakes in them. "It's not just a technology challenge," he says. "It's a process challenge." IT leaders must not only figure out a secure way to allow access for individuals who aren't employees or regular users of their computer systems, but they must also implement a process that notes errors and then reviews and corrects them.
Ultimately, says Duncan, HIPAA will be good for the health care industry. The law marks an opportunity to transform an organization's business processes, he says, which will save companies money and offer new opportunities for delivering health care.
IT leaders say they see the benefit of that transformation. Loma Linda's Siagian says the industry needs the efficiency and cost savings brought about by HIPAA. "Our modus has been to save patients, period," he says. "But if we continue doing that without actually helping our business side, someday we will have problems."
Computerworld