Security News > 2003 > May > HIPAA One Step at a Time

HIPAA One Step at a Time
2003-05-28 07:25

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,81439,00.html By Jean Consilvio MAY 26, 2003 Computerworld The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is putting a financial strain on most hospitals these days. It's forcing them to measure and account for data in ways they never had to before. At Baptist Health Care Corp., CIO Dave Garrett used tools from Superior Consultant Co. in Southfield, Mich., to do a gap assessment and to identify deficiencies in HIPAA compliance. The company's IT team then made a remediation plan. One of the first things Garrett did was centralize and coordinate the destruction of protected health information. Instead of shredding documents in small batches, Garrett brought in huge locked bins with small slits just large enough to slide through paper, radiology film and magnetic tapes. Baptist contracted with a company that's bonded and insured to empty the bins, either by shredding the bins' contents under lock and key in the contractor's truck in the parking lot or, if the volume is too large, back at its plant. "People love it because they say they don't have to waste time standing around in front of the shredder anymore," says Garrett. To comply with HIPAA requirements, the electronic systems at Baptist are password-protected. Users who forget their passwords are automatically e-mailed new passwords. One person handles all security help desk calls. Another project Garrett's Web team worked on was creating a Web-based application that tracks all patient information to comply with the minimum requirements of HIPAA's privacy rules. "Whenever you disclose information on a patient, it asks you certain information about the patient and who you're disclosing information to. It keeps track of the date and time of the request, and it keeps it by medical record number or Social Security number. There's a couple of different ways it tracks it, and it's stored in a database on a server," Garret explains. This is called the disclosure/capture component. At Baptist Hospital, only the medical records department does the reporting disclosure. "One of the things that HIPAA requires is that you're accountable for seven years to report back, and I've got to be able to produce that list," Garrett says. Instead of buying an application for what he estimates would cost $50,000, his application group wrote code in about two weeks. "We're not in the business of writing applications, but we can when we need to. And the government tells you what to track," he says, which made programming doable. The key to meeting HIPAA requirements is taking reasonable steps, Garrett says, and in many cases, Baptist has gone beyond the minimum of what's expected. "We feel very comfortable with our transaction code sets. We've already started testing them, and we're working on security," he says. The HIPAA deadline to start testing modifications to transactions and code-set standards for transferring patient data was in April. The deadline for compliance is Oct. 16. The hospital's board and senior management have been supportive of all HIPAA efforts, but they don't have much choice. The HIPAA budget last year was $1 million, and it will probably be the same for this year. But it's not just the IT expense that's considered a financial drain. Beyond that million-dollar budget, Baptist Hospital Chief Operating Officer Bob Murphy says, doing things the HIPAA way takes up valuable nursing time. For example, if the hospital has to report child abuse or a sexually transmitted disease, or provide medical information to a third party such as law enforcement or a child's parent, then a nurse has to stop and fill out a two-page paper form before it can be entered into an electronic database. That way, if the hospital is asked five years from now whether that information was documented and protected, it can say yes. "In the ER alone, we're going to have to fill out about 50 forms per week, and that's time that nurses aren't going to be able to spend with patients," Murphy says. The hospital will also have to keep buying more servers and storage, so it's unlikely that its HIPAA budget will shrink. The advantage Baptist does have, says Murphy, is that employees are providing what Press Ganey Associates Inc., a South Bend, Ind.-based company that measures health care satisfaction, says is some of the best service in the entire country to their patients. "And you can build a lot on that," he adds. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.


News URL

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,81439,00.html