Rick Skinner didn't need the government to tell him it was time to act.
Between the increasing use of electronic communications at Tigard, Ore.-based Providence Health Systems and proposed HIPAA regulations, the chief information officer knew his organization needed to assess its security and privacy policies.
Providence brought in consultants to look at its technical security measures and its security and confidentiality policies and then compare them with what HIPAA is expected to require. While the organization has spent some money on the consultant and on creating a new position for a privacy and security official, Skinner says the exact cost of becoming HIPAA compliant is not known.
"There were a number of security issues we needed to work on," Skinner says. He says most of those had to do with how the group managed information technology rather than exposure to external security threats.
Providence, with more than 1 million enrollees and 5,500 physicians, found that it needed policies to address issues such as integration of the different aspects of security and confidentiality. The group then compared its policies and procedures with what was known about HIPAA, took that information and went to work.
The security/privacy official Providence hired fills a position that will be required under proposed HIPAA regulations. The official will be the point person for each organization's HIPAA compliance activities.
Providence is writing new security and privacy policies, which will be ready by the end of the year.
"We tend to communicate that this is not so much of a 'I want you to do this or I'm going to jail' but rather 'This is our policy and this is the right thing to do as a healthcare organization and the right thing to protect the confidentiality of our patients' information.'"
Frustrating any organization's efforts to improve security and confidentiality is the fact that most physicians aren't aware of HIPAA and its impact.
"A fair number of physicians don't know about HIPAA at this point," Skinner says. Those who do know about HIPAA don't understand the broad scope of the regulations, he says. "Very few to none are conversant in the details or what they have to do different to be compliant."
Consultants say it's important to start getting ready for HIPAA regulations.
But they caution against guessing what the final regulations will be.
The delay in getting a final set of regulations published has made people take HIPAA less seriously, Skinner says. People mistakenly believe they'll have a long lead time to become compliant once the regulations are finalized, he says.
The bottom line, he says, is that physicians have to start getting ready.
"I would recommend that physician practices go through the same processes we have," Skinner says. Physicians will have to find a more secure way to treat patient information. "In essence, someone has to do an assessment.
"To change those things to become compliant, I think for many, if not most physicians, the process doesn't have to be hugely expensive or burdensome. It's got to be done."