Building the Security-Capable Enterprise: HIPAA Preparation

Part 2

Research is also affected by HIPAA. Federally funded research governed by institutional review boards has inherent regulations that will now be applied to nearly all research. This change calls for the development of a risk-management plan that will be used to determine the policies, procedures, and technology that will be deployed to address the security and privacy standards.

DECREASING RISK

The DHHS has recognized that it is impractical to address all security and privacy concerns in all locations of an enterprise simultaneously. Therefore, it is necessary to treat HIPAA preparation as a business-risk case assignment. This involves determining where significant risks lie, what the options for mitigating those risks are, and what the tradeoffs and costs involved in that mitigation might be. This exercise is followed, of course, by implementing those steps that the organization can afford and being prepared to accept the risks that cannot be fully addressed.

It is necessary to assign responsibility for confidentiality to specific individuals. The task of dealing with privacy and security issues may be unpopular because the new law provides that some of these individuals, should they fail to perform their tasks properly, may be jailed.

There are a few explicit actions that must be taken in preparation for HIPAA. It is necessary to have unique user identification names or numbers, for example. Passwords must be used, and these cannot be shared. For the most part, however, the standards are not explicit. The extent to which a particular entity should implement specific policies, procedures, or technologies is not determined. It is up to the institution to design its response to HIPAA, making business decisions concerning how to devise, implement, and maintain appropriate measures. By no means does HIPAA preparation involve using a cookbook approach. A number of groups have engaged in efforts to try to gain consensus within particular industry segments on what is appropriate, but so far results have been incomplete.

It is time for health care organizations to plan their responses to HIPAA. This is a regulatory mandate. Compliance with it will be expensive, but will be accompanied by an opportunity to improve some processes, and many enterprises might be wise to take advantage of this chance. Such a dual purpose may permit organizations to recoup some of the cost of change through enhanced efficiency.


©2000 Decisions In Imaging Economics.
All rights reserved.
Contact: editor@imagingeconomics.com.