Accudata Systems has charted the HIPAA course since its legislative introduction. April 2003, the date upon which certain certain patient privacy regulations will take effect, is rapidly approaching. A number of smaller providers have not, up to this point, begun the rules evaluation nor implementation process necessary to achieve compliance. The Feds have hired over 1000 inspectors, who, clipboard in hand are ready to move against providers where complaints have been filed. It could be just a matter of a disgruntled patient.............to seriously jeapordize your financial stability and way of life. It happened with OSHA back in the 70's. Many businesses were overburdened and financially crippled by over zealous inspectors and uncompromising regulations......WHEN THEY GET YOUR NUMBER, WATCH OUT! It could happen with HIPAA....

The Accudata staff has come to a number of meaningful, yet straight forward conclusions regarding HIPAA implementation(having lived thru the OSHA debacle). They are:

  • Don't ignore the need to take action......the sooner the better
  • HHS is more concerened about you reaching a compliance destination rather than your journey to achieve it. i.e. not how you get there but that you get there! And on schedule.
  • Familiarize yourself with the broader regulations....so that you can plot an achievable compliance strategy. (see documents below) These are invaluable reprints and docs, authored by industry specialists, that have been compiled since 2001.
  • Document, document, document.....The more you document your office's planning and implementation efforts, the better prepared you will be to respond to any and all inquiries.
  • Positive vs. negative approach. Compliance is not voluntary...its mandatory....Hence why not consider the broader implications and impact upon improved patient care.
  • Your insurance company will applaud your efforts and attitude. Without a data disaster recovery plan (a core component of HIPAA) for example, some insurance companies will NOT underwrite "business interruption" coverage.
  • "Rome wasn't built in a day". Don't heap unrealistic expectations upon you and your staff for overnite implementation. We firmly believe that if you can demonstrate that you are taking every reasonable step to comply with the HIPAA regs (as you interpet them), that the compliance police will move on to the next guy.
  • Cultural & Procedural vs. Technical. Many (if not most) of the HIPAA regs do not involve digital/technical solutions but rather deal with office structure, environment, and cultural/behavioral adaptation.

WEB Based HIPAA Compliance tool....

  • HIPAASimple.com offers targeted solutions designed to assist today's health-care provider with the tools needed to meet compliance requirements with a minimum of administrative time. Using basic company information, HIPAASimple.com software generates finished documents, training materials, and guidelines specific to a health-care company's situation.
  • With the April 14 compliance deadline fast approaching, HIPAASimple.com offers the combined knowledge of its experts for questions to lessen pressure on health-care providers in private practice straining to meet requirements or remain compliant.
  • Accudata Systems has arranged a specially discounted subscription rate for our client base. When prompted, enter 6394 for the special rate
  • To learn more about this this service, and it's straightforward approach to clinical compliance.

Click here


Accudata Systems can assist all providers in the following areas:

  • Patient Privacy....use our EMR system, which is designed for HIPAA readiness
  • Disaster Recovery....assist you to plan and implement a recovery system which will incorporate both off and on-site procedures and policies.
  • Biometrics....needed to facilitate data access protocols.
  • HIPAA Consulting... in all data security issues.
  • Web Site Design... incoporate patient information interaction with a med-practice website.

Documents on this web site

Note: These documents and reprints have appeared in nationally recognized industry periodicals and journals. Accudata Systems makes no claims regarding these documents other than the views expressed herein represent the views of the various authors. Taken in their totality however, they do suggest a common thread of implementation planning and strategy.

Other documents, certainly official**, ( i.e. "Final Rule" ) were prepared and offered by the HSS web site. All of the documents can be opened to read and print. You may also download for future reference needs . They do require Adobe Acrobat Reader which is a free download from the Adobe website. Just click on the Adobe icon below to download and install.

**Download/Open HIPAA privacy regulations: Published August 14, 2002.
**Download/Open HHS HIPAA final rule modifications: article details "Privacy Rules" modifications published 08/09/2002 Acrobat

Download/Open HIPAA Compliance guidelines with "ready-to-go" compliance worksheets, patient privacy forms, medical personnel acceptance forms. The forms are specific to NJ. You should consult your attorney prior to using these forms.


Download/Open HIPAA Security Issues Reprint: invaluable advice from an industry expert.....Radiology Today Reprint Acrobat
Download/Open HIPAA Healthcare Personnel Education Reprint: excellent article regarding healthcare staff training..... Acrobat
Download/Open HIPAA Readiness Reprint: terrific article regarding patient privacy and office process modifications & strategy. Acrobat
Download/Open HIPAA small providers compliance guidelines: Nuts & bolts of "patient privacy" regs. for small providers
Download/Open HIPAA security needs outline: another excellent nuts & bolts provider guideline. Acrobat
Download/Open HIPAA Legal Guidelines: Legal compliance considerations for all providers. Not jurisdictional specific. Acrobat
Download/Open HIPAA Data backup & Recovery Guidelines General considerations on selecting a data security and disaster recovery strategy. Acrobat
If you do not have Adobe Reader installed download by clicking on the "Adobe" icon above


Note: This is a reprint of an article entitled "11th Hour HIPAA: How Can You Meet the Deadlines" authored by D'Arcy Guerin Gue in Health Management Technology January 2003

January 2003. After years of regulatory turmoil, the fact that just three months remain until the HIPAA privacy compliance deadline and the transactions testing deadline strains credulity.

You're ready, right? Your organization has completed a gap assessment, created its remediation plan, determined "minimum necessary" policies and procedures, established disclosure tracking systems, executed its business associate contracts, implemented new security measures needed to protect data confidentiality, and is well along in training its workforce on these changes. Right?

Not right? You're not alone. If your organization resembles up to half of the country's providers and payers, its HIPPA implementation team is bogged down in remediation preliminaries such as project planning or assessments-or worse, it has not yet begun.According to an old Chinese proverb, the best time to plant a tree was 20 years ago (or at least one year ago, in HIPAA time). According to the same proverb, the secondbest time is now. HIPAA regulations should not be news to you, even if the mid-April deadlines haven't been the brightest blip on your organization's radar. Your staff must read, interpret and implement the updated HIPAA Standards for Privacy of In 12 JANUARY 2003 dividually Identifiable Health Information (42 pages of fine print), which include 57 different standards for ensuring patient privacy, all by April 14.

Even if patient privacy has always been important to your operations, it is likely that you must institute major changes to meet the letter of the new privacy law. Assuming your organization filed for an extension for compliance with the HIPAA transactions regulations, it must begin testing its systems on April 15 to ensure that new standard transactions can be successfully transmitted by October 2003.

Not Compliant by April?

Are there real risks if you're not compliant by mid-April? No "HIPAA police" will storm the front entrance, but this should not lull you into permanent procrastination. Although enforcement by HHS' Office of Civil Rights and the Centers for Medicare and Medicaid Services will be primarily complaint-driven, and although patients or others will have to say "ouch" to the Feds before you see uniforms at your door, some will say "ouch." This is the millennium of the educated consumer; fines and penalties will be exacted.

HIPAA is a media darling. Attuned to the new healthcare privacy protections, the nation's press, fueled by privacy advocates, is eager to let loose on delinquent providers and payers if it can uncover them. Negative media coverage could quickly threaten your organization's reputation, undermine hard-won public confidence, and alter your competitive edge in the health. care marketplace. HIPPO police may be the least of your worries.

Privacy Compliance

It's the 11th hour of HIPAA privacy compliance implementation. If your organization has not already completed a comprehensive gap analysis, it does not have enough time now to conduct it and translate those gaps into remedial recommendations and convert them into action and train your workforce on resulting operational changes. It's time to "let the work teach you how to do it."

The quickest, most effective way to achieve privacy rule compliance at this late date may be through "negative" or noncompliance assumptions. Consider starting from ground zero with your privacy action plan. With this approach, your organization would assume that it meets none of the regulatory standards and go from there.

You start not with the gaps but from the goals-and act to implement HIPAA-compliant policies, procedures and processes right now, eliminating or altering any that are incongruent with the privacy regulations along the way. In a traditional phased-in HIPAA implementation, which first includes privacy practices gap assessment and then comprehensive planning before implementation, the project "design" process is completed before, and independent of, the implementation.

To borrow the building construction industry's concept of "design-build," we recommend you combine the three stages into one: immediate action focused on outcomes, not filling gaps. In this scenario, implementation leaders prepare the "plan" and other "preactivities" by presuming an "empty lot"-in other words, few or no existing compliance policies or practices-while "construction" is proceeding.

There are two critical features of this design-build approach. The first is that your organization should already suspect that it is not operating within many or perhaps most HIPAA privacy requirements. If no one internally is qualified to make this judgment (by virtue of a detailed knowledge of the privacy provisions), consider bringing in a HIPAA expert to interview key department heads over two or three days. While a full-scale gap assessment could be beneficial for organizations that are already strong patient privacy advocates, a brief overview of policies and practices is often sufficient to clarify that a major HIPAA overhaul is needed in less privacyfocused enterprises.

The other critical feature is that such an 11th-hour project must be "owned" and driven by a single qualified leader who is backed by unwavering executive support. The attractiveness and likely success of the design-build approach lies in the promise of a quality result in a shorter time, usually possible through the singleminded championship of one dedicated person to drive the team to the desired goals.

Designate a privacy officer, a security officer and a HIPAA task force. The task force will be the group that decides what, when and how, and will supervise functions that must be performed. Historically, many hospital's HIPAA project organizations have been headed up by the CIO, supported by staff from IT and other key departments. In the 11th-hour approach, the task force's organization should be shifted one level up to speed decision-making.

The sponsoring executive should be the CEO, COO or CFO, who will work in tandem with the project manager, providing an effective blend of organizational power and technical/legal knowledge. Make sure that the project manager understands the specific requirements of HIPAA, as well as hospital business operations. If no such person exists internally, it may be time to bring in an external HIPAA project manager.

The task force's decision-making membership should be heads of key departments such as registration, nursing, medical records, HR, IT, the CFO, security and privacy officers, the applications manager and heads of ancillary facilities. The team should be supported by legal counsel and the training director.

Instead of the traditional preliminary gap assessment, begin your privacy project by listing all privacy policies required by the final privacy rule, including the modifications made by DHHS in August 2002. Basing your decisions on the 57 privacy standards, and depending on how, you choose to combine requirements, your organization will probably have to implement between 35 and 60 new policies, along with procedures to support each.

Next, create a "7 P's" matrix with columns titled as follows:

  1. Privacy standard. In rows below,list each privacy standard, such as 164.520.
  2. Policy. List the policy or policies related to each privacy standard, such as (in the example of standard 164.520)
    Notice of Privacy Practices.
  3. Procedures/processes. List by department or function the procedures and processes related to each recorded policy. For example, with the Notice of Privacy Practices policy, you would begin by listing:
    a) Registration: notice distribution procedure, acknowledgement procedure, revision/redistribution procedure, etc
    b) E-health website: notice procedure, acknowledgement procedure, etc.
  4. Paper. Identify all of the related paper and forms associated with each policy, such as formal notices, acknowledgement forms, documentation, etc.
  5. People. List the people who will lead or own the implementation for each policy For example, the director of registration.
  6. Priority. Assign hard numbers. Rank the policies based on the level of risk to the organization if the compliance deadline is not met.
  7. Plan. Develop a plan for implementation of each policy, including a schedule for development, approvals, training and go-live transitions. Note that in the sample plan, scheduling is, by necessity, tight. To meet deadlines, plan to concurrently undertake as many tasks as possible, such as "paper" and training development.

Policy: Notice of Privacy Practices
Develop Procedures/



Go Live


By 1/20 By 1/27 By 2/17 By 2/27 By 3/21 By 3/24


It is clear from the privacy regulations that all requirements must met by the compliance deadline. However, some provisions affect patient confidentiality more immediately than others, and the absence of some may also create greater legal risks for covered entities. If necessary, implement first policies and practices that are visible to the patient (such as the Notice of Privacy Practices and policies on medical records amendment, restriction of access, accounting of disclosures, and patient priorities should be establishing disclosure tracking mechanisms (the only way longterm compliance with accounting of disclosure provisions will be possible is if disclosures of protected health information are recorded from day one), covering known security vulnerabilities by installing needed measures to protect data confidentiality (e.g., firewalls, passwords, logon/logoff procedures), and workforce training in privacy and security awareness.

At this juncture, consider jumpstarting the policies process by investing in a high-quality set of privacy policy templates that can be tailored to your organization. The research and legwork needed to develop a comprehensive set of original HIPAA privacy policies can take three to six months; however, customization of an authoritative set of templates can be accomplished in as little as a month.

Beware of free or inexpensive commercially available policy templates; many are cursory, if not downright inaccurate. However, various law firms and HIPAA specialty consultants have developed excellent, moderately priced options worth looking into. Just make sure your legal counsel reviews and approves your choice (as well as final customized text).

Specified members of the task force should lead the development, customization and implementation of specific policies, based on the applicability of associated requirements to key areas in the organization. While final decisions on policies and procedures will often necessitate the multidisciplinary perspective of the task force, each "owner" should be responsible for making recommendations and driving task force decisions to remain on schedule.

Transactions Readiness

According to the HIMSS/Phoenix Health Systems Fall 2002 HIPAA Compliance Survey conducted in October, up to 35 percent of providers and health plans will not be ready for transactions testing in April 2003. If you are not yet ready for testing, begin now by working backwards from the goal rather than by starting with a traditional gap assessment.

First, the CFO and the director who oversees coding should identify transactions that you currently transmit electronically and the systems used to do so. Focus on the 837 claims transaction, the linchpin of healthcare providerpayer business interactions. Do not, at this point, implement any electronic transactions not already in use. Also, if need be, defer checking out the big picture on your organization's use of identifiers and code sets.

Map out where and how the data flow through your systems and third parties, such as your clearinghouse and payers. Then, go to the clearinghouse and ask if it will be able to transmit the transactions in HIPAA standard format on your behalf and what you need to do to ensure you get the transmission capabilities you need. Go to your billing system vendor and ask similar questions: What do you need to do, and what will it need to do to accomplish the goal (i.e., upgrade the system or write custom code for your organization)? Do you need to modify business processes to be able to collect data necessitated by the standards? If the vendor has developed a HIPAA-compliant release, make sure you get a list of system changes. If you doubt the vendor, push for different arrangements, either with it or your clearinghouse.

Then, if there is additional time, go through a similar process of internal inspection of current uses of identifiers and local codes, combined with focused communications with your vendors and payers.

You need to move-fast and now. One small consolation: For many of us, if it weren't for the last minute, nothing would ever get done.


^ top ^