HIPAA has arrived. While portions of the regulations remain to be completed, there is no doubt that HIPAA will be part of our future. As healthcare organizations size up the challenge and develop their strategies and plans for becoming HIPAA compliant, several observations can serve as guides.
HIPAA is useful. Much will be made of the burden it places on healthcare organizations. However, HIPAA is needed and useful legislation. HIPAA will cause activity and action in areas where it is needed.
For one thing, it is difficult to make a case that the industry's security and privacy practices are adequate. HIPAA will create pressure to improve these practices -- pressure that is often lacking in the day-to-day challenges of running complex organizations.
In an industry that bemoans the lack of standards, we now find that some standards have been defined for insurance transactions and for identification of payers, providers and employers.
Those providers that examine their claims denial rates and their costs of handling insurance claims will find that there is little question about the ability of electronic data interchange to deliver a superb return on investment. HIPAA serves as a major catalyst to the introduction of regional and national EDI solutions and should enable the gradual reduction in the costs of those solutions.
Common frameworks have also been delineated. Security can be in the eye of the beholder, making it difficult to answer the question, "Do we have good security?" HIPAA provides an industry framework; it drives a security and privacy stake in the ground.
The orientation to HIPAA should be on obtaining value, not on being a victim. At times, HIPAA will be characterized as another set of onerous federal regulations. However, healthcare organizations should adopt a posture of utilizing HIPAA to improve organizational performance rather than passing an audit.
HIPAA can be leveraged to reduce days in accounts receivable and reduce the cost of processing a claim. It can be utilized to effect some needed improvements in security and privacy practices. It can be applied to reduce the variation in identifying providers and payers.
Organizational funding of HIPAA initiatives should be considered and thoughtful. Healthcare organizations invariably will have a variety of strategic initiatives that require scarce resources; HIPAA should not unduly hinder progress on these strategies.
The definition of compliance is not always clear. Should all ancillary department systems, such as laboratory and pharmacy systems, that do not currently have audit trails be replaced to be HIPAA compliant? Given restrictions on access to clinical data based on need to know, does that mean individual providers have to be restricted to certain data fields within a single electronic record?
The practical definition of compliance will be set by those who audit compliance. If the Joint Commission on Accreditation of Healthcare Organizations examines HIPAA compliance during its audits, that audit process will establish compliance. And if the HIPAA compliance process is similar to the Information Management portion of the JCAHO survey, the definition of compliance will evolve.
Until the definitions are clearer, organizations should take reasonable steps to improve compliance (and organizational performance), but hesitate to expend extraordinary resources to achieve a definition of compliance that may not be necessary.
HIPAA is not another Y2K. The HIPAA undertaking has been compared to the effort and expenditures invested by organizations to prepare for Y2K. HIPAA has even been stated, on the basis of conjecture more than data, to be several times more expensive than Y2K. But HIPAA should not be as onerous as the Y2K effort.
The business consequences of failing to be HIPAA compliant are not as severe as the consequences of failing to be Y2K compliant. In the case of HIPAA, an organization faces fines. By comparison, the organization faced the possibility of major disruptions in operations and care delivery if its Y2K preparations weren't on the mark.
HIPAA has a more limited scope than Y2K. Several aspects of computer systems and organizational policies and procedures will need to be altered to support HIPAA. But, unlike Y2K, HIPAA does not affect power, elevators, medical equipment, research equipment or every aspect of computer systems.
The boards of healthcare organizations were very anxious to ensure that Y2K compliance efforts were progressing well. That's partly because members of the boards came from companies facing their own Y2K challenges. This level of board anxiety is unlikely to be seen in HIPAA, and consequently board interest in major capital expenditures to support HIPAA generally will be limited.
The deadline for Y2K was absolute: Jan. 1, 2000. While HIPAA deadlines for compliance are set once the regulations become final, it is not clear they are absolute. Nor is it clear how compliance will be determined or whether compliance will be measured in degrees. Moreover, legislation and regulation can be revised, unlike the Y2K millennial deadline.
So what should we do? With the above as background, healthcare organizations should proceed along these lines:
* Put someone in charge. Some person within a key department needs to be responsible for HIPAA compliance. This person can be from the departments of information systems, corporate compliance, health information management or some other group that has a solid perspective on the issues and challenges. Regardless of who is in charge, the organization should recognize that HIPAA touches many aspects of the organization.
* Focus. With HIPAA as a framework, a plan should be developed that identifies obvious opportunities and problems to be addressed. This plan should also be a reasoned and reasonable reflection of the organization's need to carry out its non-HIPAA-related strategies, plans and daily operations. This plan should avoid extreme measures to achieve compliance unless there are obvious negligent practices.
* Watch the auditors. At some point, the auditors of HIPAA compliance will become clear and their approach to assessing compliance will become apparent. At that time, the organization is in a position to determine whether its initial focus was sufficient or needs to be adjusted. Mock audits can be arranged with reasonable certainty that the outcome of those audits will provide meaningful guidance.
* Jump all over insurance EDI. Significant business rationale exists for most healthcare organizations to move as rapidly as possible to electronic mechanisms to handle insurance transactions. The compliance value is dwarfed by the potential improvement in business performance.
* Clean up sloppy security and privacy practices. There is no reason to have poor security and privacy, HIPAA or no HIPAA. Sloppy practices are a form of management negligence. If access controls are weak, release-of-information procedures are uneven or an organizational policy of confidentiality cannot be found, these problems need to be fixed.
* Educate and learn. Conferences, publications, associations and consultants can provide a wealth of information on the topic. This information should be distilled and shared with the organization.
* Be thoughtful. Healthcare organizations face many challenges: shortages of staff, nonexistent operating margins, medical errors, complex managed-care relationships and HIPAA. Though HIPAA needs to be taken seriously, efforts to comply should not dominate the attention of the organization's leadership. The magnitude of the HIPAA efforts should reflect a thoughtful assessment of the efforts needed to address the full portfolio of the organization's agenda.