From the January 2003 Issue

11th-Hour HIPAA: How Can You Meet the Deadlines?
Ready as Ready Can Be

Many healthcare IT departments are already prepared for HIPAA.

By Richard R. Rogoski

With the clock still ticking, many healthcare organizations are confident they will meet deadlines for HIPAA compliance. Some are ready now, while others work feverishly to finish system upgrades, complete last-minute testing and bring onboard relevant partners. Although providers must comply with the data privacy standards of the Health Insurance Portability and Accountability Act (HIPAA) by April 2003, the compliance date for the transactions and code set standards has been extended to October 2003 for those who filed an extension request. Today, both providers and payers are combing through the regulations to make sure no provision is overlooked and that all possible solutions are considered in advance of each deadline.

Business as Usual
Davis contends that trends in the healthcare industry were moving toward the kinds of regulations mandated by HIPAA long before HIPAA was signed into law. She believes that safeguarding patient information, securing the organization and standardizing the language in transaction and code sets should have been components of any IT department’s long-range strategy. “For a quality IT organization, these factors are expected considerations in an effective planning process.”

Davis created a strategic IT plan shortly after she was hired in June 1998. “There were business needs not being met,” she recalls, and little had been done to prepare for Y2K. “We identified that the systems were old, but there was not enough time to replace all the systems,” so the organization developed a plan first to become Y2K-compliant and subsequently to replace all core systems.

Bromenn Healthcare runs a 225-bed regional hospital and a 25-bed community hospital as well as physician practices, a hospice, a community healthcare clinic and a home healthcare service. It had relied on a best-of-breed IT strategy that resulted in hundreds of individual systems and little integration among them. After Y2K, with HIPAA looming on the horizon, Bromenn Healthcare chose MEDITECH as a single vendor to replace its core information systems. The rollout was completed in July 2002.

Davis’ preparations for HIPAA began three years ago in January 2000, when she presented an overview to her board of directors and began board training. In April 2001, after reviewing her return-on-investment study showing that a single-vendor solution would cost less than continuing to support multiple best-of-breed vendors, the board approved a long-term, five-phase IT strategy. Davis has filed for a transaction and code set standards extension, but because Bromenn Healthcare uses a clearinghouse, she notes, “Ninety percent of our transactions are going out electronically now.”

One Hundred Percent Done
Also ahead of the curve is David Slabodnick, chief information officer at Mercy Health Partners-Western Ohio (a member of Catholic Healthcare Partners based in Cincinnati, OH), a regional healthcare system headquartered in Springfield, OH. “We were looking for a consultant in 2000, but we did not find anyone who could do it all.” As a result, Mercy Health Partners divided its gap assessment into technical and nontechnical parts and called in consultants for each. “We completed the first assessments in the first quarter of 2001,” he says. “At one time, we had 12 consultants working together, six on tech and six on non-tech issues.”

One of the first things Slabodnick did when he came to Mercy Health Partners in 2000 was to develop an IT strategy. Originally, he wanted a baseline for IT security, disaster recovery, software and hardware maintenance, and upgrades. When HIPAA became an overriding issue, Mercy Health Partners agreed to budget in not only those expenses needed to achieve expected IT goals, but also what was necessary to make systems HIPAA-compliant. “They earmarked part of the IT budget for HIPAA assessments, but upgrades came out of the regular IT operating budget,” he says.

Slabodnick also believes that if an IT department has been using standard practices for managing IT systems, HIPAA should not pose a major problem. “HIPAA is not a technology opportunity,” he says. “Rather, it’s an opportunity for the whole organization to step to the plate and be accountable—not only for systems, but for educating everybody in terms of their role in the privacy, confidentiality, safety and security of our most precious resource: information about our patients.”

The Path to Compliance
The non-tech side of the assessment included the physical location of monitors and PCs; agreements with business associates related to transactions and code sets; policies and procedures; and employee training programs. In all, eight areas of concern were identified through the gap assessment, resulting in 48 individual projects. While the organization’s corporate compliance officer is ultimately responsible for HIPAA, Mercy Health Partners brought onboard a HIPAA coordinator and set up five separate task forces to deal with security, privacy, transaction and code set issues, business associates, and education and communications, he says.

With $700 million in annual revenues and 775 employees, Capital District Physicians’ Health Plan Inc. retained the Chicago-based firm of Tillinghast-Towers Perrin to do its gap analysis. “They came in and looked at the HIPAA regs and matched them to what we were doing,” Marzano recalls. As for security, he says there are two different issues: “What are your security risks?” and “Do you have good security controls?” Each can have different solutions, he notes. Plus, becoming HIPAA-compliant requires penetration testing and formalized procedures and processes. “But isn’t that a part of good business practices?” he asks.

Marzano admits that the hardest job his organization faced was getting the transaction and code sets standardized before the deadline. “It doesn’t make any difference whether someone wants to send us these transactions,” he says. “We have to be ready.” Not every vendor had made the necessary upgrades to its products, Marzano notes. “A lot of healthcare organizations were asking, ‘Can we wait for our vendors to be ready?’ Our organization couldn’t wait. We didn’t change vendors, but we built some stand-alone systems outside of our core processing system and purchased a translator,” he says.
“It would have been nice if our vendors had been ready two years ago.” This created resource constraints within the organization and led them to partner with Legacy Consulting Services in Plano, TX, to map the HIPAA-required transactions. “Without their help, the internal programming resource would have never been able to accomplish what is required,” he adds.

Marzano says his HMO is currently working with providers on a series of tests to ensure that all required electronic transactions are transmitted and processed correctly. Yet, he says, “A lot of hospitals and providers are not yet ready to test.”

As a major payer in northeastern New York State, Capital District Physicians’ Health Plan has been instrumental in bringing together healthcare organizations as a way to coordinate HIPAA compliance efforts. Working with Albany Medical Center, Marzano says a regional consortium was formed that includes NY Health Plan Association, which represents about 60 healthcare plans, and Iroquois Healthcare Alliance, which has about 100 member hospitals. Covering a 100-mile radius, the consortium holds regular meetings to air concerns and discuss solutions with 50 to 100 people participating.

Besides being home to a medical school, Albany Medical Center operates a 600-plus-bed hospital with a faculty practice of 250 physicians and a research component of 80 researchers. It has filed for its transaction and code sets extension, says Sarah Witbeck, vice president for information services.

Ready for Transactions
Witbeck’s organization is focusing on both EDI and transaction and code set standards, and has been working on the EDI portion for more than a year. But changes affecting transactions and code sets that were made after the original regs were published raise a concern that other changes may be waiting in the wings.

One problem, Witbeck contends, is that the original code sets were formatted to a 4010 standard that was fairly strict. As a result, a revised, more relaxed set of standards (4010A) is expected to be adopted in January 2003. Now, she says, there’s talk of yet another new format, designated “4050”. “We haven’t started talking to Siemens (Albany Med’s primary vendor) about 4050. Siemens’ software is compatible with both 4010 and 4010A. Most likely, we’ll go live with 4010A, but it will depend on the payers.”

Adding to the confusion is the way the law is written, she adds, which makes it “very difficult to interpret and difficult to come to a consensus.” No one can be certain whether more changes will be made on the security side of HIPAA, since a final version of those regs has not yet been published.
Witbeck, however, remains concerned about the “ambiguity” of the privacy regs and questions the extent to which these regs can be standardly adhered to in a hospital setting. “The regulations give guidelines, but not specifics on how to implement,” she says. “For example, what data is necessary for people to do their jobs, and how far does an organization go to ensure that information discussed with a patient is not overheard by someone?” She says there are numerous such examples that need to be resolved on a case-by-case basis.

Slabodnick agrees and points to the minimum necessary rule regarding accidental disclosure of information as an example. “If you’re speaking with a patient in the patient’s room, you pull the curtains; you must respect patients’ privacy. Does that mean you have to move to a private room? No, it doesn’t.”

Slabodnick’s Mercy Health Partners is ready for the compliance challenge, but he admits that for an HCO to be fully compliant, “It’s going to take everyone to do a little to get a lot done.” Well said, and right on target.

Richard R. Rogoski is a free-lance writer and a contributing editor to HMT. Contact him at rogoski@aol.com.

© 2003 Nelson Publishing, Inc