Doin' the HIPAA Hop

In essence, HIPAA represents standards the health industry didn't necessarily ask for-the wool birthday sweater from granny, if you will. When the industry followed internal practices, there was some wiggle room, but in this case the regulations are imposed, leaving a slim (or nonexistent) fudge factor. HIPAA will change the way you do business, increase your responsibility to customers, and shake up your IT department.

So what can your company do to find HIPAA happiness?

What to Do Now

We've said it before and we're saying it again: Assess the situation. Take a serious and honest look at your business. Examine-better yet, scrutinize-your practices and procedures, and compare them to the language in the HIPAA regulations. (aspe.hhs.gov/admnsimp) What remains represents the areas that need work. Consultants often refer to this as a gap analysis-find the holes, fill them in.

That initial analysis isn't a one-week affair. Ken Kisiel, executive vice president and COO of Phoenix Health Systems, said, "This is at least a 60- to 90-day process, depending on the size of the organization. If an organization has multiple entities it's much harder."

But your time in front of the business microscope can't stop there. During the discovery process, you should be in constant contact with-and evaluation of-your subsidiaries, trading and business partners, and others you transact with consistently. They'll also be responsible, to one extent or another, for complying with HIPAA.
According to Tim Schabeck, Anacon's director of HIPAA solutions delivery, some related parties might not know about HIPAA standards. "Look over their business plans and make sure they know what future regulations will expect of them," he said.

Looking after yourself and the groups you deal with sounds like a big task-but you had fair warning. HIPAA was enacted in 1996, and the first set of standards was published in August 2000.

Strategize. Once you've identified at least what must be done to comply, develop a way to enact the changes. As simple as it may seem, checklists and flowcharts can be helpful. So can viewing the process as a smart change to be made, rather than an annoying requirement to be met. "HIPAA is widely viewed as something that has to be done, and that's it," Kisiel said, "but industry leaders view it as a new business strategy."
Of course, restructuring can be a pain. But it's easy to attach a positive spin: If you use a clearinghouse for certain functions, now is the time to justify cutting it loose. HIPAA, in forcing you to reshape, can actually save you money.

Kisiel said to look at the process as strategic planning, not just another implementation. There are internal methodologies that can be deep-sixed. But don't fixate on the short-term. Coming sooner than you think are regulations for security and privacy; start looking at ways you can permit customers access to their patient information any time, from any place, and in a secure environment. Some automated internal monitoring solutions will eventually be necessary to keep track of where, how, and when customer information is transmitted and viewed-and by whom.

But the next obvious step is to actually put words into action: implement the changes.

Perform an audit. Once you start meeting HIPAA's guidelines, it's time to be critical of your actions. As Kisiel put it, "Give serious thought as to the state of the regulations and modifications, then be honest about where you stand."

If you happened to keep your Y2K inventory list, use it! It'll give you a quick and cheap (it's already paid for) way to get a best guess of what software, operating systems, and hardware your company uses, and the physical locations of each. After the discovery phase is over, get the IT staff to evaluate implementation time and cost of upgrades, new equipment, and software.

But don't stretch your resources too thin. You might find that bringing in consultants on a temporary basis to reconfigure your systems, perform upgrades and installs, and do general upkeep is more economical than exhausting your full-time IT staff.

Train as you go. As the tech people explain HIPAA's effects on the company's infrastructure, they should be prepared to educate the entire company on a need-to-know basis. "You're developing a lot of new procedures at this point," Kisiel said, "and the right people should get the right education at the earliest stages possible."
As more and more people are brought up to speed with each new development, they should be educated to the point that they're able to help keep thing running smoothly in their respective department.

Passing the Roadblocks

As with any major overhaul, HIPAA compliance comes with pitfalls. Here are a few ways to smooth over the bumps you're likely to encounter.

Demonstrate ROI. Some execs might have trouble grasping HIPAA's value even though it's law. "It's traditional ROI here," Kisiel said. "It should be easy to show the reductions in cost per claim and cost per receivable. Standardized transactions save money."

Communicate progress. Sounds simple, but it rarely happens the way it should. HIPAA compliance is an enterprise-wide endeavor. Everyone must be kept current on progress as it happens, even if a specific business group isn't immediately affected. Send out weekly e-mails or create a HIPAA progress page on the intranet. And make sure to keep everyone regularly informed of the responsibilities detailed in your implementation plans.

Budget your resources. Many lean companies have used their third wish to strip internal personnel away from their posts to work on HIPAA compliance; it just isn't working, according to Schabeck. Short-term outside help can be expensive-but the last thing you need come implementation deadline is a two-week notice from your prized technical help.

Find solutions. Now is the time to shop for software and modifications for existing applications that will allow for transactions in requisite formats, and to tweak your current code sets to meet new standards. Take a good look at your EDI solutions; buy new ones, if necessary. Or, as Kisiel suggests, you can find a clearinghouse with compliant EDI systems to handle your workloads-a last resort.

Areas to watch for the near future: CRM and data warehousing. You're eventually going to have to grant customers access to their patient information in a secure, always-accessible way, so explore ways to fatten up existing equipment, or buy very, very scalable systems and keep your fingers crossed. Also, keep an eye out for solutions that can build and maintain audit trails; internal access to patient information must be documented.

What Does It All Mean?

HIPAA has been described as the most sweeping government action affecting the health care industry since the introduction of Medicare. In the end, it is expected to cost up to four times more than Y2K compliance.
The hopefuls who, according to Kisiel, "thought the Bush administration was going to save them," are "behind the eight ball on the most recent regulations."

People put it off. Some wishful thinkers thought it would go away. The less receptive would not accept it as real. But HIPAA is not budging. It's time to move.