.. ity in the event of a security incident. The damage control procedures should also include: a disaster recovery plan, emergency mode operations, equipment control, an organization security plan, procedures for verifying authorization prior to physical access, maintenance records, need-to-know procedures for personnel access, and sign-in procedures for outside (contract) vendors.

Security Management Process

Health care operators are required to establish risk reduction security policies to ensure accountability, prevention, containment, and correction of security breaches, including risk analysis, risk management, and sanction policies. Additional measures to protect sensitive data include firewalls, intrusion detection devices, and audit logs.

Training

It is imperative that personnel be properly trained in order for a health care operator to meet the HIPAA standards. Each organization must develop, implement, and maintain records of awareness training for all personnel on virus protection, reporting data discrepancies, and password management to ensure protection of health care information.

Termination Procedures

In order to meet the HIPAA standards, health care operators must establish termination procedures for personnel leaving the organization, including: changing the locks, terminating user access to databases, denying access to the physical facilities, and revoking control mechanisms (i.e., swipe cards and keys).

Market Reform / Impact

The financial impact for organizations preparing for the Y2K bug was estimated to have cost the health care industry upwards of $10 billion. Implementing the HIPAA privacy and security regulations is estimated to cost the health care industry $40 billion over the next two years. According to a recent survey conducted by the newsletter HIPAA Alert, 80 percent of health care operators, and 75 percent of insurers, are trying to build overall awareness in their organizations about the new HIPAA requirements.

Additionally, more than half of health care industry professionals are completing their initial assessment process. Over half of billing clearinghouses and vendors are well into HIPAA compliance planning and implementation. It is the health care providers and insurers who are behind in their efforts, with less than a third of respondents saying they have begun planning and implementation for HIPAA compliance. One reason given for the slow movement of providers was that they were waiting for the final rules to be set in place before moving forward with implementation. Three-fourths of information system vendors indicated that they would complete internal testing of HIPAA-compliant systems within 12 months, and all billing clearinghouse respondents reported they will be HIPAA-ready within 18 months. More than half of insurers indicate that they will not be fully HIPAA-compliant for 24 months or longer, possibly because of confusion over what is really needed to be compliant.

Court Decisions

Inasmuch as the HIPAA law has yet to go into effect, there is no case law yet involving this legislation. It will be interesting, however, to see how this legislation impacts further interactions between health care operators and the people they serve.

Recommendation

Health care operators who will be affected by the final ruling, slated for December 2000, should assess their current status to ascertain whether they will be in compliance with HIPAA and, if not, what they need to do about it. Such assessments should include the following.

Educate organization staff members

What can a health care operator do to prepare for HIPAA? The first step should be to educate senior management and line staff. HIPAA is a complicated and extensive piece of legislation. It requires considerable education and a commitment from senior management to secure the necessary human and financial resources. Especially in larger health care operations, a chief security officer or similar senior management officer is recommended to lead the organization's HIPAA efforts.

Coordinate a HIPAA Committee

Individual health care operators should each establish a HIPAA committee. This group should be responsible for the oversight of HIPAA education, communication, and timelines. Needless to say, personnel from Human Resources, Information Services, Finance, and the General Counsel's office should comprise the committee, in addition to personnel from medical records, medical staff affairs, managed care, and the business office. Such a committee should meet frequently during the establishment and coordination of the HIPAA initiatives to make certain that compliance will be met, and then periodically thereafter to ensure proper maintenance.

Audit Policies, Procedures, and Application Systems

Health care operators should audit their existing information systems to identify areas that will require improvement in order to comply with the HIPAA rules. One method would be to conduct a gap analysis. The analysis would serve as the foundation for creating a timeline for meeting the HIPAA deadlines. The audit should include an extensive review of all policies and procedures associated with the release of information, network and application security, and medical record confidentiality. Such audits, both current and future, should be under the direction of the HIPAA Committee referred to above.

Identify Risk Areas

As a result of the initial audit, each health care operator should be able to recognize high-risk areas and then develop a corrective action plan in response. Such an action plan will depend greatly on the identified deficiency. As a matter of necessity, the areas with the highest risk should be addressed first, although these may also require the most time, money, and manpower to correct. Most importantly, health care operators should document each of their efforts towards compliance in the event that their labors are ever questioned.

Conclusion

Compliance with the upcoming HIPAA mandates will require the coordinated efforts of every health care operator in the United States. However, despite how long, costly, and tedious this process may be for these organizations, these initiatives are absolutely necessary to safeguard the right of each American citizen regarding his or her health care records. In the current cyber-society in which we live, one that will only get more sophisticated with time, such laws are imperative. The average cyber-junkie, familiar with the information superhighway and all its little side streets and alleys, can already find out more information on the average citizen than most of us would want shared: our home addresses, phone numbers, interests, hobbies, etc. In some ways, it is akin to George Orwell's 1984. The only exception is that this time it is not Big Brother who is watching; instead it is your next-door neighbor or the kid down the street. Without laws such as the Health Insurance Portability & Accountability Act, we could one day learn that our most personal concerns, the health of our minds and bodies, are fodder on the Internet.