If it seems like federal administrative simplification regulations are stalling and hardly worth a thought for now, think again.
That's the advice of experts looking at the workload of thorny, time-consuming policy development and technical adjustments involved in meeting HHS standards proposed last year as part of the Health Insurance Portability and Accountability Act of 1996.
Standards for electronic transactions, provider identification and security won't be completed until year-end, with 24 months to comply after that. The timeline has slipped severely from the original law, which required final standards to be in place by February 1998 and everyone to be in compliance by February 2000.
Other regulatory mandates, such as standards for patient privacy, are getting so roughed up in congressional debate that they have yet to be roughed out in proposed rules (See related story, this page).
But the proposed rules now receiving public comment aren't likely to change fundamentally, especially in areas like security of patient information, where HHS mainly adopted the work of expert panels in the industry and avoided getting technology-specific, said Sandra Fuller, vice president of practice leadership at the American Health Information Management Association in Chicago.
The regulations speak to an industry mind-set in which access to information is valued by all, but the protection of information is trailing badly in priority, said Fuller. "Someone with malicious intent could get in and alter a lot of healthcare information and a lot of organizations would never know," she said.
Even in systems that can trace who's been where and when, some departments use the same access code for all authorized users or look the other way when everyone uses the same few codes taped to the front of computers, Fuller said. Without a unique code for each person, audit trails are useless for determining whether unauthorized changes or snooping have occurred, she said.
HHS answers by requiring formulation of a policy for taking corrective action on information breaches, in which unique access codes are the foundation. It's one of 19 policies in the proposed regulations that force provider organizations to reach consensus on a host of issues, from decisions on variable information access to assessments on whether a key card is better than a personal identification number, Fuller said.
For example, each user's access should be restricted to the information needed to do a job, according to one proposed policy. When it comes to deciding the limitations of that access, there's even a policy for deciding who should decide, she said.
One potential tinderbox is deciding what clinicians and physicians should be able to see, especially in the electronic world where files can be opened in homes and the range of information can be much broader than a doctor would have had access to in the days of paper charts, Fuller said.
An orthopedist, for instance, would need to access a woman's gynecological file for information about hormone replacement therapy, but not the details of her abortion or psychiatric history.
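The two mechanisms Fuller describes, a unique access code for every person so that the audit trail can attribute activity, and access restricted to the categories a role actually needs, can be sketched in code. The following Python example is added here for illustration and is not from the article, the proposed HHS rules, or any vendor system; the record categories, role names and user identifiers are constructed assumptions. It grants the orthopedist the hormone therapy record but not the psychiatric history, logs every decision against the individual's own identifier, and flags any identifier that shows up under more than one role, which is the symptom of a shared departmental code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical role-to-category map (constructed for illustration).
# Each role sees only what its job requires; IS staff get no clinical data.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "orthopedist": {"orthopedic", "hormone_therapy", "demographic"},
    "gynecologist": {"reproductive_history", "hormone_therapy", "demographic"},
    "psychiatrist": {"psychiatric", "demographic"},
    "is_staff": {"demographic"},
}


@dataclass
class AuditEntry:
    user_id: str      # must identify one person, never a shared code
    role: str
    patient_id: str
    category: str
    granted: bool


@dataclass
class AuditTrail:
    entries: List[AuditEntry] = field(default_factory=list)

    def accesses_by(self, user_id: str) -> List[AuditEntry]:
        """Attribution: everything this identifier touched, granted or denied."""
        return [e for e in self.entries if e.user_id == user_id]

    def shared_code_candidates(self) -> Set[str]:
        """Identifiers used under more than one role cannot belong to one person."""
        roles_seen: Dict[str, Set[str]] = {}
        for e in self.entries:
            roles_seen.setdefault(e.user_id, set()).add(e.role)
        return {uid for uid, roles in roles_seen.items() if len(roles) > 1}


def request_access(trail: AuditTrail, user_id: str, role: str,
                   patient_id: str, category: str) -> bool:
    """Minimum-necessary check; every decision is written to the trail."""
    granted = category in ROLE_ACCESS.get(role, set())
    trail.entries.append(AuditEntry(user_id, role, patient_id, category, granted))
    return granted
```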
Another existing risk is the prevalence of unlimited access for information systems professionals, carried over from the days when only they could figure out the computers and run reports.
"Even five years ago, most data was financial, demographic and coded," Fuller said. Now much more sensitive clinical data is in systems, which should be sealed off. "They shouldn't have carte blanche if they work in the IS department."