June 2001 Bulletin

HIPAA could mean more computer investments

Guidelines mandate use of storage and transmission techniques that may require new hardware

By Ronald B. Sterling

Although you may still be paying your Y2K computer lease, the security and privacy regulations of the Healthcare Insurance Portability and Accountability Act (HIPAA) will once again put computer systems on the top of your administrative to-do list. Most Y2K upgrades had nothing to do with HIPAA compliance.

The HIPAA Security and Privacy Guidelines standards have been released and the two-year implementation clock has started. (Note that a number of healthcare organizations are appealing the schedule and requesting changes in some HIPAA provisions.) Many practices will experience "sticker shock" from the investments that will be needed to ensure that your practice is compliant with HIPAA. Security, user tracking and system features needed under HIPAA will require significant changes to your practice computer facilities.

HIPAA directly affects two significant computing issues: the storage of information in computers, and the transmission of electronic medical information to outside parties. For example, storing patient word processing files may pose a number of HIPAA problems. Exchanging e-mails on care issues is another problematic area. In both cases, practices will need encryption, a way to verify the recipient or user of the information, and an effective security mechanism. As a result, HIPAA affects almost every aspect of your computer infrastructure.

Hardware. HIPAA mandates the use of certain storage and transmission techniques that may require investments in hardware. For example, many practices still use communication devices that do not encrypt transmissions. Additionally, the storing of HIPAA access records, audit trails and other information may require more computing power and storage space than your current system has. Vendors may require investments in more powerful systems for their HIPAA applications.

Software. HIPAA requires certain features that few systems support today. For example, HIPAA regulations require tracking who accesses information as well as controlling that access. Your computer system should have an audit log of the changes and additions made to the system by each user as well as a log of which users accessed a patient record. HIPAA also will require more effective security and management tools that are not found on many systems today. Finally, HIPAA also includes electronic transactions such as electronic prescriptions and electronic referral authorizations that many software products do not support. If you are using an older system that is no longer supported, you should expect to move to a new software product and, in many cases, a new hardware configuration to support HIPAA requirements. If your current product is supported, prepare yourself for a significant change to your current software.

Practice-based support. Many practices lack a formal computer support structure. However, HIPAA mandates providing information on a "need to know" basis as well as monitoring and managing security. Regardless of the money you spend on technology, your investment will require a more active and costly computer management strategy. For example, HIPAA requires training staff on privacy and security issues as well as having a designated computer security officer.

Procedures. HIPAA is not only about the technology you buy, but how you use it and control it. Even if you have hardware and software that complies with HIPAA security and privacy standards, you have to back that up with policies and procedures that will ensure that you comply with HIPAA. For example, your practice could be non-compliant if many employees inappropriately store patient information on an unsecured computer.

Depending on your viewpoint, HIPAA regulations may be a bothersome intrusion into your practice, or a significant step in allowing you to take advantage of computers to improve services to patients. Either way, you will need to ensure that you are compliant with various HIPAA standards to protect your practice in the evolving use of technology throughout the healthcare system.

Ronald Sterling, of Sterling Solutions, Silver Spring, Md., is a nationally recognized expert on electronic medical record and practice management systems.
