HIPAA Watch for July 2000
Ten Deadly Sins
By Jack Walker, vice president of HIPAA Programs; and Josef Spencer, HIPAA project director. Both work for MC Informatics.
The following is a list of 10 misconceptions healthcare organizations may have about the Health Insurance Portability and Accountability Act (HIPAA)—and these are the tip of the iceberg. Addressing these does not mean an organization will be HIPAA compliant.
HIPAA is really just a technical and vendor issue.
The Administrative Simplification provisions of HIPAA address technical/vendor issues and administrative/organizational issues. It is important to recognize that HIPAA affects the entire entity. HIPAA affects all areas, including, but not limited to, business processes and procedures, operations and information technology methods.
HIPAA is not a big deal. We will wait until all regulations are published. After all, Y2K was just a big hype.
HIPAA is the largest governmental action in healthcare since Medicare. HIPAA has two objectives:
- To improve the efficiency of healthcare delivery by standardizing the electronic exchange of certain administrative and financial data;
- To protect the security and privacy of healthcare information.
Substantial fines and imprisonment can be levied if patient information is compromised. All health organizations should become knowledgeable about HIPAA and consider HIPAA requirements in their planning, management, procurement, and implementation efforts. After the regulations are final, healthcare organizations have two years and two months to be in compliance.
HIPAA doesn’t apply to my small organization.
HIPAA regulations apply to all healthcare organizations, regardless of size, involved with electronically storing or transmitting health information pertaining to an individual. Small organizations will have up to three years to comply with the regulations.
It doesn’t matter how clinical or financial information is disposed of or stored.
Under HIPAA, protection and privacy of patient information is paramount. HIPAA doesn’t specifically state how an organization should protect this information, but it does state that organizations and individuals are liable for non-compliance.
Any kind of clinical and/or financial information is OK to put on reports, including admitting diagnosis and insurance information.
Under HIPAA, healthcare organizations will need to internally justify if the information on reports is appropriate.
Dial-up modems are fine for connecting to clinical and financial systems.
These applications and others are not HIPAA compliant. It is necessary to find out how many dial-up modems are attached to departmental systems and workstations that give a manager or technician access from home.
It’s OK to leave a patient’s chart in public areas—in patient’s room, on top of counters in nursing areas, etc.
Patient charts, handwritten vitals, EKG strips, etc., left in public areas can expose your organization to fines ranging from $50,000 to $250,000 and up to one to 10 years in prison.
There’s no need to worry about passwords.
It is important to change passwords often, especially if you hire temporary employees, fire an employee or if a physician leaves the practice. Also, make sure there is a formal agreement that states the vendor will contact your healthcare organization if an employee of theirs who has access to your system has been terminated.
It’s OK to give clinical and financial information over voice lines.
A healthcare organization must understand the impact as well as likelihood—or probability—that an adverse outcome will occur. Make sure verification standards are in place before releasing patient information.
Leaving a computer workstation—even for a minute—with a patient’s clinical or financial information displayed is no cause for concern.
Most healthcare organizations have policies that outlaw this action; make sure your policies are enforced. Report all incidents and document disciplinary actions. Regularly conduct a security audit.