Accudata Systems has charted the HIPAA course since its legislative
introduction. April 2003, the date upon which certain patient
privacy regulations will take effect, is rapidly approaching. A
number of smaller providers have not, up to this point, begun the
rules evaluation nor implementation process necessary to achieve
compliance. The Feds have hired over 1000 inspectors, who, clipboard
in hand are ready to move against providers where complaints have
been filed. It could be just a matter of a disgruntled patient.............to
seriously jeopardize your financial stability and way of life. It
happened with OSHA back in the '70s. Many businesses were overburdened
and financially crippled by overzealous inspectors and uncompromising
regulations......WHEN THEY GET YOUR NUMBER, WATCH OUT! It could
happen with HIPAA....
The Accudata staff has come to a number of meaningful, yet straightforward
conclusions regarding HIPAA implementation (having lived
through the OSHA debacle). They are:
- Don't ignore the need to take action......the sooner
- HHS is more concerned about you reaching a compliance destination
rather than your journey to achieve it. i.e. not how you get there
but that you get there! And on schedule.
- Familiarize yourself with the broader regulations....so
that you can plot an achievable compliance strategy. (see
documents below) These are invaluable reprints and docs, authored
by industry specialists, that have been compiled since 2001.
- Document, document, document.....The more you document
your office's planning and implementation efforts, the better
prepared you will be to respond to any and all inquiries.
- Positive vs. negative approach. Compliance is not voluntary...it's
mandatory....Hence, why not consider the broader implications and
impact upon improved patient care.
- Your insurance company will applaud your efforts and attitude.
Without a data disaster recovery plan (a core component of HIPAA)
for example, some insurance companies will NOT underwrite "business
- "Rome wasn't built in a day". Don't heap unrealistic
expectations upon you and your staff for overnight implementation.
We firmly believe that if you can demonstrate that you are taking
every reasonable step to comply with the HIPAA regs (as you interpret
them), that the compliance police will move on to the next guy.
- Cultural & Procedural vs. Technical. Many (if not
most) of the HIPAA regs do not involve digital/technical solutions
but rather deal with office structure, environment, and cultural/behavioral
WEB Based HIPAA Compliance
- HIPAASimple.com offers targeted solutions designed to
assist today's health-care provider with the tools needed to meet
compliance requirements with a minimum of administrative time.
Using basic company information, HIPAASimple.com software
generates finished documents, training materials, and guidelines
specific to a health-care company's situation.
- With the April 14 compliance deadline fast approaching, HIPAASimple.com
offers the combined knowledge of its experts for questions to
lessen pressure on health-care providers in private practice straining
to meet requirements or remain compliant.
- Accudata Systems has arranged a specially discounted subscription
rate for our client base. When prompted, enter
6394 for the special rate
- To learn more about this service, and its straightforward
approach to clinical compliance.
Accudata Systems can assist all providers in
the following areas:
- Patient Privacy....use our EMR
system, which is designed for HIPAA readiness
- Disaster Recovery....assist you
to plan and implement a recovery system which will incorporate
both off and on-site procedures and policies.
- Biometrics....needed to facilitate
data access protocols.
- HIPAA Consulting...
in all data security issues.
- Web Site Design... incorporate
patient information interaction with a med-practice website.
Documents on this web site
Note: These documents and reprints have appeared in nationally
recognized industry periodicals and journals. Accudata Systems makes
no claims regarding these documents other than the views expressed
herein represent the views of the various authors. Taken
in their totality, however, they do suggest a common thread of implementation
planning and strategy.
Other documents, certainly official**,
(i.e. "Final Rule") were prepared and offered by the
HHS web site. All of the documents can be opened to read and print.
You may also download them for future reference needs. They do require
Adobe Acrobat Reader which is a free download from the Adobe website.
Just click on the Adobe icon below to download and install.
Note: This is a reprint
of an article entitled "11th Hour HIPAA: How Can You Meet the
Deadlines" authored by D'Arcy Guerin Gue in Health Management
Technology January 2003
January 2003. After years of regulatory turmoil, the fact that
just three months remain until the HIPAA privacy compliance deadline
and the transactions testing deadline strains credulity.
You're ready, right? Your organization has completed a gap assessment,
created its remediation plan, determined "minimum necessary"
policies and procedures, established disclosure tracking systems,
executed its business associate contracts, implemented new security
measures needed to protect data confidentiality, and is well along
in training its workforce on these changes. Right?
Not right? You're not alone. If your organization resembles up to
half of the country's providers and payers, its HIPAA implementation
team is bogged down in remediation preliminaries such as project
planning or assessments, or worse, it has not yet begun. According
to an old Chinese proverb, the best time to plant a tree was 20
years ago (or at least one year ago, in HIPAA time). According to
the same proverb, the second-best time is now. HIPAA regulations
should not be news to you, even if the mid-April deadlines haven't
been the brightest blip on your organization's radar. Your staff
must read, interpret and implement the updated HIPAA Standards for
Privacy of Individually Identifiable Health Information
(42 pages of fine print), which include 57 different standards for
ensuring patient privacy, all by April 14.
Even if patient privacy has always been important to your operations,
it is likely that you must institute major changes to meet the letter
of the new privacy law. Assuming your organization filed for an
extension for compliance with the HIPAA transactions regulations,
it must begin testing its systems on April 15 to ensure that new
standard transactions can be successfully transmitted by October
Not Compliant by April?
Are there real risks if you're not compliant
by mid-April? No
"HIPAA police" will storm
the front entrance, but this should not lull you into permanent
procrastination. Although enforcement by HHS' Office of Civil Rights
and the Centers for Medicare and Medicaid Services will be primarily
complaint-driven, and although patients or others will have to say
"ouch" to the Feds before you see uniforms at your door,
some will say "ouch." This is the millennium
of the educated consumer; fines and penalties will be exacted.
HIPAA is a media darling. Attuned to the new healthcare privacy
protections, the nation's press, fueled by privacy advocates, is
eager to let loose on delinquent providers and payers if it can
uncover them. Negative media coverage could quickly threaten
your organization's reputation, undermine hard-won public confidence,
and alter your competitive edge in the healthcare marketplace.
HIPAA police may be the least of your worries.
It's the 11th hour of HIPAA privacy compliance implementation.
If your organization has not already completed a comprehensive gap
analysis, it does not have enough time now to conduct it and translate
those gaps into remedial recommendations and convert them into action
and train your workforce on resulting operational changes. It's
time to "let the work teach you how to do it."
The quickest, most effective way to achieve privacy rule compliance
at this late date may be through "negative" or noncompliance
assumptions. Consider starting from ground zero with your privacy
action plan. With this approach, your organization would assume
that it meets none of the regulatory standards and go from there.
You start not with the gaps but from the goals, and act to implement
HIPAA-compliant policies, procedures and processes right now, eliminating
or altering any that are incongruent with the privacy regulations
along the way. In a traditional phased-in HIPAA implementation,
which first includes privacy practices gap assessment and then comprehensive
planning before implementation, the project "design" process
is completed before, and independent of, the implementation.
To borrow the building construction industry's concept of "design-build,"
we recommend you combine the three stages into one: immediate action
focused on outcomes, not filling gaps. In this scenario, implementation
leaders prepare the "plan" and other "preactivities"
by presuming an "empty lot", in other words, few or no
existing compliance policies or practices, while "construction"
There are two critical features of this design-build approach. The
first is that your organization should already suspect that it is
not operating within many or perhaps most HIPAA privacy requirements.
If no one internally is qualified to make this judgment (by virtue
of a detailed knowledge of the privacy provisions), consider bringing
in a HIPAA expert to interview key department heads over two or
three days. While a full-scale gap assessment could be beneficial
for organizations that are already strong patient privacy advocates,
a brief overview of policies and practices is often sufficient to
clarify that a major HIPAA overhaul is needed in less privacy-focused
The other critical feature is that such an 11th-hour project must
be "owned" and driven by a single qualified leader who
is backed by unwavering executive support. The attractiveness and
likely success of the design-build approach lies in the promise
of a quality result in a shorter time, usually possible through
the single-minded championship of one dedicated person to drive the
team to the desired goals.
Designate a privacy officer, a security officer and a HIPAA task
force. The task force will be the group that decides what, when
and how, and will supervise functions that must be performed. Historically,
many hospitals' HIPAA project organizations have been headed up
by the CIO, supported by staff from IT and other key departments.
In the 11th-hour approach, the task force's organization should
be shifted one level up to speed decision-making.
The sponsoring executive should be the CEO, COO or CFO, who will
work in tandem with the project manager, providing an effective
blend of organizational power and technical/legal knowledge. Make
sure that the project manager understands the specific requirements
of HIPAA, as well as hospital business operations. If no such person
exists internally, it may be time to bring in an external HIPAA
The task force's decision-making membership should be heads of key
departments such as registration, nursing, medical records, HR,
IT, the CFO, security and privacy officers, the applications manager
and heads of ancillary facilities. The team should be supported
by legal counsel and the training director.
Instead of the traditional preliminary gap assessment, begin your
privacy project by listing all privacy policies required by the
final privacy rule, including the modifications made by DHHS in
August 2002. Basing your decisions on the 57 privacy standards,
and depending on how you choose to combine requirements, your organization
will probably have to implement between 35 and 60 new policies,
along with procedures to support each.
Next, create a "7 P's" matrix with columns titled as follows:
- Privacy standard. In rows
below, list each privacy standard, such as 164.520.
- Policy. List the policy
or policies related to each privacy standard, such as (in the
example of standard 164.520)
Notice of Privacy Practices.
- Procedures/processes. List
by department or function the procedures and processes related
to each recorded policy. For example, with the Notice of Privacy
Practices policy, you would begin by listing:
a) Registration: notice distribution procedure, acknowledgement
procedure, revision/redistribution procedure, etc.
b) E-health website: notice procedure, acknowledgement procedure,
- Paper. Identify all of the related paper and forms associated
with each policy, such as formal notices, acknowledgement forms,
- People. List the people
who will lead or own the implementation for each policy. For example,
the director of registration.
- Priority. Assign hard numbers.
Rank the policies based on the level of risk to the organization
if the compliance deadline is not met.
- Plan. Develop a plan
for implementation of each policy, including a schedule for development,
approvals, training and go-live transitions. Note that in the
sample plan, scheduling is, by necessity, tight. To meet deadlines,
plan to concurrently undertake as many tasks as possible, such
as "paper" and training development.
[Sample plan table] Policy: Notice of Privacy
It is clear from the privacy regulations that all
requirements must be met by the compliance deadline. However, some
provisions affect patient confidentiality more immediately than
others, and the absence of some may also create greater legal risks
for covered entities. If necessary, implement first policies and
practices that are visible to the patient (such as the Notice of
Privacy Practices and policies on medical records amendment, restriction
of access, accounting of disclosures, and patient priorities should
be establishing disclosure tracking mechanisms (the only way long-term
compliance with accounting of disclosure provisions will be possible
is if disclosures of protected health information are recorded from
day one), covering known security vulnerabilities by installing
needed measures to protect data confidentiality (e.g., firewalls,
passwords, logon/logoff procedures), and workforce training in privacy
and security awareness.
At this juncture, consider jumpstarting the policies process by
can be tailored to your organization. The research and legwork needed
to develop a comprehensive set of original HIPAA privacy policies
can take three to six months; however, customization of an authoritative
set of templates can be accomplished in as little as a month.
Beware of free or inexpensive commercially available policy templates;
many are cursory, if not downright inaccurate. However, various
law firms and HIPAA specialty consultants have developed excellent,
moderately priced options worth looking into. Just make sure your
legal counsel reviews and approves your choice (as well as final
Specified members of the task force should lead the development,
customization and implementation of specific policies, based on
the applicability of associated requirements to key areas in the
organization. While final decisions on policies and procedures will
often necessitate the multidisciplinary perspective of the task
force, each "owner" should be responsible for making recommendations
and driving task force decisions to remain on schedule.
According to the HIMSS/Phoenix Health Systems Fall 2002 HIPAA Compliance
Survey conducted in October, up to 35 percent of providers and health
plans will not be ready for transactions testing in April 2003.
If you are not yet ready for testing, begin now by working backwards
from the goal rather than by starting with a traditional gap assessment.
First, the CFO and the director who oversees coding should identify
transactions that you currently transmit electronically and the
systems used to do so. Focus on the 837 claims transaction, the
linchpin of healthcare provider-payer business interactions. Do not,
at this point, implement any electronic transactions not already
in use. Also, if need be, defer checking out the big picture on
your organization's use of identifiers and code sets.
Map out where and how the data flow through your systems and third
parties, such as your clearinghouse and payers. Then, go to the
clearinghouse and ask if it will be able to transmit the transactions
in HIPAA standard format on your behalf and what you need to do
to ensure you get the transmission capabilities you need. Go to
your billing system vendor and ask similar questions: What do you
need to do, and what will it need to do to accomplish the goal (i.e.,
upgrade the system or write custom code for your organization)?
Do you need to modify business processes to be able to collect data
necessitated by the standards? If the vendor has developed a HIPAA-compliant
release, make sure you get a list of system changes. If you doubt
the vendor, push for different arrangements, either with it or your
Then, if there is additional time, go through a similar process
of internal inspection of current uses of identifiers and local
codes, combined with focused communications with your vendors and
You need to move fast, and now. One small consolation: For many
of us, if it weren't for the last minute, nothing would ever get