HIPAA: Where Do Providers Stand? - Industry Trend or Event - Panel Discussion

Health Management Technology, Jan, 2001 by David Hellerstein

For this month's focus, HMT presents a roundtable of HIPAA experts. Their comments about how ready providers are for HIPAA compliance, what they must yet do and how they expect to protect against risk were expertly moderated by HMT's own contributing editor, David Hellerstein.

READINESS

How far along are most providers in their preparations for HIPAA privacy, security and transaction standards?

Malley: Most providers have initiated education and awareness programs and are in some stage of project and budget planning.

Culbertson: While some larger provider organizations have started their HIPAA awareness programs, smaller provider groups and practices have almost no readiness or understanding of HIPAA.

Yablonka: Although some providers have completed the HIPAA impact assessment, my sense is that the majority is just starting or is planning to start this process. Beyond an assessment, I am not aware of any providers beginning to fully implement the standards. I do see providers incorporating standards such as security in projects or programs that are already under way.

Esslinger: I work almost exclusively with small to medium physician practices, generally in the range of one to 10 physicians. Most have taken few, if any, steps toward HIPAA compliance, or they have just entered the education phase.

The problem is that the transaction regulation has been finalized but the security and privacy regulations have not. These regulations are inextricably tied together, so I believe many providers are delaying their compliance efforts because the security and privacy regulations are still up in the air.

Where should providers be?

Malley: Providers should be engaged in detailed planning focused on the business drivers behind HIPAA. Organization and governance structures should be formalized including establishing a program management office and steering committee, as well as identifying a HIPAA champion.

Esslinger: At the very least, small to medium physician practices should be completing the education phase of their compliance efforts and beginning to move into the planning stage. Then, once the final security and privacy regulations are released, compliance is mandated within 26 months.

Culbertson: Where should they be? That depends on the work that needs to be done. Providers must examine their information systems (IS) infrastructure, and should be asking serious questions from their vendors about how product offerings will comply with the new standards. Since privacy and security rules are not yet final, it may be reasonable for some smaller providers to await the final rules before beginning remediation. However, all organizations should start HIPAA awareness education now.

The more sophisticated the IS foundations, the more complex the business partner relationships, the more frequently that protected health information is shared with others, then the more involved the HIPAA remediation effort and the greater the time required to become compliant.

The following key points determine the effort, resources and lead time your organization will need:

* Complexity of your organization and number of business units or decentralized operations

* Relevance to HIPAA of current documented policies, procedures and programs

* Culture toward confidentiality in business operations

* Current systems environment

* Custom-developed vs. vendor package software

* Data architecture

* Current EDI capabilities

* The degree of connectivity and e-business activity

* The complexity of the existing security architecture and security administration

How does provider readiness compare with that of payors, clearinghouses and e-health keepers of protected health information?

Yablonka: Payors have moved out more aggressively than other organizations, including providers.

Esslinger: Small to medium physician practices lag behind because they lack the size and resources of other covered entities. Such practices simply cannot afford to put an individual on HIPAA compliance duty full time. Much of their compliance efforts eventually will be outsourced.

Culbertson: Although providers in general are far behind the HIPAA curve when compared to payors and vendors, providers may not have to comply with all of the regulations, depending on their level of e-business or electronic claims activity, and clearinghouses can offer providers transaction compliance services. Moreover, many providers focus primarily on claims, whereas clearinghouses and payors must comply with all eight standard transactions, so it is not surprising that these latter organizations are well out in front.

IMPACT

Which of the privacy, security and transaction requirements pose the greatest risk to providers, place the greatest demand on provider resources, and will have the greatest operational impact on providers?

Esslinger: The transaction regulation was finalized first and will actually be a benefit to providers. Software upgrades or new installations will entail some short-term costs, but these costs should be recouped quickly.


 


Content provided in partnership with Thompson Gale