HIPAA One Step at a Time

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,81439,00.html

By Jean Consilvio
MAY 26, 2003
Computerworld 

The Health Insurance Portability and Accountability Act of 1996
(HIPAA) is putting a financial strain on most hospitals these days.  
It's forcing them to measure and account for data in ways they never
had to before. At Baptist Health Care Corp., CIO Dave Garrett used
tools from Superior Consultant Co. in Southfield, Mich., to do a gap
assessment and to identify deficiencies in HIPAA compliance. The
company's IT team then made a remediation plan.

One of the first things Garrett did was centralize and coordinate the
destruction of protected health information. Instead of shredding
documents in small batches, Garrett brought in huge locked bins with
small slits just large enough to slide through paper, radiology film
and magnetic tapes. Baptist contracted with a company that's bonded
and insured to empty the bins, either by shredding the bins' contents
under lock and key in the contractor's truck in the parking lot or, if
the volume is too large, back at its plant.

"People love it because they say they don't have to waste time
standing around in front of the shredder anymore," says Garrett.

To comply with HIPAA requirements, the electronic systems at Baptist
are password-protected. Users who forget their passwords are
automatically e-mailed new passwords. One person handles all security
help desk calls.

Another project Garrett's Web team worked on was creating a Web-based
application that tracks all patient information to comply with the
minimum requirements of HIPAA's privacy rules. "Whenever you disclose
information on a patient, it asks you certain information about the
patient and who you're disclosing information to. It keeps track of
the date and time of the request, and it keeps it by medical record
number or Social Security number. There's a couple of different ways
it tracks it, and it's stored in a database on a server," Garret
explains. This is called the disclosure/capture component. At Baptist
Hospital, only the medical records department does the reporting
disclosure.

"One of the things that HIPAA requires is that you're accountable for
seven years to report back, and I've got to be able to produce that
list," Garrett says. Instead of buying an application for what he
estimates would cost $50,000, his application group wrote code in
about two weeks. "We're not in the business of writing applications,
but we can when we need to. And the government tells you what to
track," he says, which made programming doable.

The key to meeting HIPAA requirements is taking reasonable steps,
Garrett says, and in many cases, Baptist has gone beyond the minimum
of what's expected. "We feel very comfortable with our transaction
code sets. We've already started testing them, and we're working on
security," he says. The HIPAA deadline to start testing modifications
to transactions and code-set standards for transferring patient data
was in April. The deadline for compliance is Oct. 16.

The hospital's board and senior management have been supportive of all
HIPAA efforts, but they don't have much choice. The HIPAA budget last
year was $1 million, and it will probably be the same for this year.  
But it's not just the IT expense that's considered a financial drain.  
Beyond that million-dollar budget, Baptist Hospital Chief Operating
Officer Bob Murphy says, doing things the HIPAA way takes up valuable
nursing time. For example, if the hospital has to report child abuse
or a sexually transmitted disease, or provide medical information to a
third party such as law enforcement or a child's parent, then a nurse
has to stop and fill out a two-page paper form before it can be
entered into an electronic database. That way, if the hospital is
asked five years from now whether that information was documented and
protected, it can say yes.

"In the ER alone, we're going to have to fill out about 50 forms per
week, and that's time that nurses aren't going to be able to spend
with patients," Murphy says. The hospital will also have to keep
buying more servers and storage, so it's unlikely that its HIPAA
budget will shrink.

The advantage Baptist does have, says Murphy, is that employees are
providing what Press Ganey Associates Inc., a South Bend, Ind.-based
company that measures health care satisfaction, says is some of the
best service in the entire country to their patients. "And you can
build a lot on that," he adds.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.