[ISN] HIPAA One Step at a Time

From: InfoSec News (isnat_private)
Date: Wed May 28 2003 - 00:25:20 PDT

  • Next message: InfoSec News: "[ISN] Security can't stop Asian hackers"

    http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,81439,00.html
    
    By Jean Consilvio
    MAY 26, 2003
    Computerworld 
    
    The Health Insurance Portability and Accountability Act of 1996
    (HIPAA) is putting a financial strain on most hospitals these days.  
    It's forcing them to measure and account for data in ways they never
    had to before. At Baptist Health Care Corp., CIO Dave Garrett used
    tools from Superior Consultant Co. in Southfield, Mich., to do a gap
    assessment and to identify deficiencies in HIPAA compliance. The
    company's IT team then made a remediation plan.
    
    One of the first things Garrett did was centralize and coordinate the
    destruction of protected health information. Instead of shredding
    documents in small batches, Garrett brought in huge locked bins with
    small slits just large enough to slide through paper, radiology film
    and magnetic tapes. Baptist contracted with a company that's bonded
    and insured to empty the bins, either by shredding the bins' contents
    under lock and key in the contractor's truck in the parking lot or, if
    the volume is too large, back at its plant.
    
    "People love it because they say they don't have to waste time
    standing around in front of the shredder anymore," says Garrett.
    
    To comply with HIPAA requirements, the electronic systems at Baptist
    are password-protected. Users who forget their passwords are
    automatically e-mailed new passwords. One person handles all security
    help desk calls.
    
    Another project Garrett's Web team worked on was creating a Web-based
    application that tracks all patient information to comply with the
    minimum requirements of HIPAA's privacy rules. "Whenever you disclose
    information on a patient, it asks you certain information about the
    patient and who you're disclosing information to. It keeps track of
    the date and time of the request, and it keeps it by medical record
    number or Social Security number. There's a couple of different ways
    it tracks it, and it's stored in a database on a server," Garret
    explains. This is called the disclosure/capture component. At Baptist
    Hospital, only the medical records department does the reporting
    disclosure.
    
    "One of the things that HIPAA requires is that you're accountable for
    seven years to report back, and I've got to be able to produce that
    list," Garrett says. Instead of buying an application for what he
    estimates would cost $50,000, his application group wrote code in
    about two weeks. "We're not in the business of writing applications,
    but we can when we need to. And the government tells you what to
    track," he says, which made programming doable.
    
    The key to meeting HIPAA requirements is taking reasonable steps,
    Garrett says, and in many cases, Baptist has gone beyond the minimum
    of what's expected. "We feel very comfortable with our transaction
    code sets. We've already started testing them, and we're working on
    security," he says. The HIPAA deadline to start testing modifications
    to transactions and code-set standards for transferring patient data
    was in April. The deadline for compliance is Oct. 16.
    
    The hospital's board and senior management have been supportive of all
    HIPAA efforts, but they don't have much choice. The HIPAA budget last
    year was $1 million, and it will probably be the same for this year.  
    But it's not just the IT expense that's considered a financial drain.  
    Beyond that million-dollar budget, Baptist Hospital Chief Operating
    Officer Bob Murphy says, doing things the HIPAA way takes up valuable
    nursing time. For example, if the hospital has to report child abuse
    or a sexually transmitted disease, or provide medical information to a
    third party such as law enforcement or a child's parent, then a nurse
    has to stop and fill out a two-page paper form before it can be
    entered into an electronic database. That way, if the hospital is
    asked five years from now whether that information was documented and
    protected, it can say yes.
    
    "In the ER alone, we're going to have to fill out about 50 forms per
    week, and that's time that nurses aren't going to be able to spend
    with patients," Murphy says. The hospital will also have to keep
    buying more servers and storage, so it's unlikely that its HIPAA
    budget will shrink.
    
    The advantage Baptist does have, says Murphy, is that employees are
    providing what Press Ganey Associates Inc., a South Bend, Ind.-based
    company that measures health care satisfaction, says is some of the
    best service in the entire country to their patients. "And you can
    build a lot on that," he adds.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 28 2003 - 02:42:42 PDT