HIPAA--Why, Bother?One Health System's Experience Somewhere in America, perhaps even at this moment, sits a healthcare IT manager whose eyes have glazed over as he or she sifts through HIPAA proposals and regulations. The daunting task is made more difficult because the lines between fact and rumor are often blurred by conflicting information from well-intentioned government officials, and so-called experts. Realizing that the clock is ticking toward the 2001 implementation date, and muttering "Why bother?" under his or her breath, the reference materials get tossed aside. Why bother? Well, besides the incentive to avoid hefty fines and imprisonment, it just makes good business sense. Just as clinical care has advanced in the last ten years, so too has our ability to document and share patient information. The role and responsibility of IT departments, though awesome in scope, is pivotal to the safety and privacy of patients. While standardizing industry methods is a welcome idea among the vast majority of the nation's healthcare IT managers, getting the policies and systems in place is the real challenge. It's a challenge that IT Director Tom Duncan of Salinas Valley Memorial Healthcare System (SVMHS), Salinas, California knows well. Since 1996, Duncan has progressively set his sights on complying with HIPAA regulations while building one of the country's most advanced healthcare IT systems. Road Less Traveled "We decided early on that integration and interoperability of information systems was crucial to our hospitals success," says Duncan of his organization's proactive culture, under the direction of SVMHS CEO Samuel W. Downing. "HIPAA has served as a road map to follow in the course of developing our system." Duncan concedes the HIPAA map hasn't always been easy to read, necessitating a close alliance with knowledgeable legal counsel. After studying the intent of HIPAA for close to a year, SVMHS began its approach to HIPAA in earnest in 1997. Educating hospital administration, physicians and employees of the organizations' 52 sites became the top priority. Education is still considered by Duncan and his team as the critical link to moving their program forward. According to Computer Systems Security Analyst Suad Picardi, the time and money invested in the hospitals HIPAA efforts has been relatively modest. She says, "In terms of time spent, Tom and I probably spend about six to eight hours a week on HIPPA-related projects." The hospital investment in hardware and software has amounted to roughly $50,000. A nominal amount when you consider that they have not had to pay a single IT consultant. It's worth noting that both Duncan and Picardi agree that starting on the project early has spared them from many headaches. Disparate systems only add to the cost and frustration level when trying to catch up and implement HIPAA regulations. Centralizing the IT function early on in the process will prevent the need to start from scratch each time a department adds a new piece of technology. The Bleeding Edge "We're ahead of the game. Although sometimes we're not on the leading edge, but the bleeding edge," Duncan says wryly, adding that there have been times when they've had to step back a bit from their zealous efforts. But overall, they insist that not only will SVMHS be able to meet HCFA's 2001 implementation date but the entire employee-base and medical staff will have a thorough understanding on how to access and use the technology appropriately. The philosophy they wish to pass on is that IT has become the custodian and certain people within the system will be the stewards of information. Picardi explains that patient safety and the accuracy of medical records are critical IT factors which have a direct impact on patient care. Securing that information to ensure patient confidentiality is naturally a prime concern. She urges authorized users to recognize the solemn nature of their roles. Duncan concurs, "There are technological issues, but it always boils down to people." RELATED ARTICLE: Putting Administrative Simplification into Action * Educate key players on the implications of HIPAA. Get buy-in on the importance of the regulation to your organization. * Establish an Information Security Awareness Program to educate staff members regarding their responsibilities. This is a continual process. * Obtain information on electronic format and diligently monitor access by the user. * Use the latest Federal Register (August 1998) to map out policies. * Have all IT policies reviewed by administration and knowledgeable legal counsel. * Closely examine any other systems brought into the organization as to how it can best be integrated into the policy. * Put in a solid back-end auditing component to assure only authorized personnel have access to patient information. Some hospitals have placed PCs on nursing floors so patients can review who has accessed their patient records. * Use encryption. The Virtual Private Network (VPN) is the gold standard when using the Internet to tunnel information to remote locations. * Vendor confidentiality agreements are a must in return for access to information and to guard against inappropriate disclosure to a third party. RELATED ARTICLE: Profile in Excellence: Salinas Valley Memorial Healthcare System, Salinas, CA Licensed Beds: 232 Service Area Population: 400,000 within three counties. Remote Locations: 52 total remote locations including: 34 physician offices 13 ambulatory clinics Freestanding surgical center Home infusion therapy program Visiting nurse program Authorized Users: 2,650 total--1,700 of those on hospital premises IT Department: 40 Employees within four divisions including telecommunications, computer operations, client services and network operations. Kim Simers is President of Vista Marketing, Wheaton, IL. Charles Hamilton is a consultant with Vista Marketing. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion