HIPAA - WHAT DOES IT MEAN TO MY ORGANIZATION

COVERED ENTITIES:

For most, HIPAA compliance will require far-reaching changes within each "covered entity." The transition to a more streamlined process, higher quality healthcare, and a more efficient healthcare delivery system will not come without cost. Many covered entities will have to develop policies and procedures and make administrative changes that will impact their organizations at every level. From personnel training to implementing hardware and software designed to address the technical aspects of privacy and security, the expense will be realized in the form of dollars and human resources.

Covered entities will be required to appoint Privacy Officials to handle the ongoing compliance efforts, as well as ensure that appropriate training is conducted organization-wide. All third-party agreements in which protected health care is used or disclosed will need to be evaluated and potentially modified to adhere to the new regulatory requirements. Security protocols, privacy policies, contingency planning and administrative operations will also undergo newly heightened scrutiny to determine each organization's level of compliance.

Healthcare providers have always been charged, to some degree, to maintain the privacy of their patients' health information. Under HIPAA, however, a new, standardized level of protection provides patients with affirmative rights to review their information and to determine how and to what extent it may be used for certain purposes. Additionally, providers will be required to take measures ensuring that proper authorizations are obtained and notifications of privacy practices are provided to patients where appropriate.

Documentation of the compliance process is key to successful implementation and long-term compliance. Because the Act requires covered entities to take "reasonable measures" to address the law's provisions, covered entities should track all process modifications, policy changes, and training efforts, as well as document any decisions of "inaction," where existing measures suffice to comply with the regulatory requirements.

Additionally, organizations should seek industry assistance from those partners who participate in the healthcare delivery process. From service providers to product vendors, industry partners should be willing to bear some of the burden associated with compliance efforts. Inquiring as to vendor Privacy and Security policies, training programs, termination procedures, disaster recovery and contingency mode planning, etc., will be helpful to organizations performing "due diligence" in the implementation process, and will provide the required "assurances" that protected information will remain confidential, secure, and available.

VENDORS:

Product and service vendors will be expected not only to be aware of regulatory provisions and ongoing changes, but they will be charged with the task of offering solutions that address significant and specific customer needs. A thorough understanding of how HIPAA Privacy and Security Regulations will impact healthcare providers will assist vendors in developing and delivering the technologies and services needed to aid in customer compliance efforts.

HIPAA will require, in many instances, some type of agreement between vendor and customer. Whether the agreement is required under the Privacy Regulation (Business Associate) or the Security Regulation (Chain of Trust) will depend upon the nature of the relationship between the parties. A hybrid agreement containing provisions to cover both information privacy and technical security may be the most appropriate approach in some cases. Sensitivity to customer compliance efforts and an understanding of the customers' need to secure information are of utmost importance. Policies and procedures addressing Privacy and Security issues, including personnel training, must also be in place within the vendor organizations in order to meet the heightened standards set by the customer seeking to comply with HIPAA regulations.

Educated personnel, from field sales to high-level management, as well as the ability to anticipate customers' future needs, will provide vendors with an advantage over those who erroneously believe that only "covered entities" need worry themselves with such regulatory matters.

Reaching the ultimate goal of the Act (Administrative Simplification, cost savings, and higher standards of healthcare) will undoubtedly be a multi-faceted, inter-industry effort. From vendor to provider to patient, new responsibilities are inherent in facilitating this sweeping change, which endeavors to streamline and protect health information and raise the bar on the standard of healthcare in this country.