Building the Security-Capable Enterprise: HIPAA Preparation, Part 3

Once the final regulations have been issued, expected this fall, providers will be given 26 months to reach complete compliance. In informal discussions, the DHHS has indicated that it does not foresee the Department of Justice or the Health Care Financing Administration (HCFA) auditing organizations the very day that these regulations become effective. Instead, they will work with organizations to move toward full implementation.

USING EXTERNAL RESOURCES

Managing Information Security in Health Care, a toolkit produced by the Computer-based Patient Records Institute-Healthcare Open Systems Trials (CPRI-HOST), Bethesda, Md, can be used as a resource and aid in preparing for HIPAA. This toolkit was assembled, beginning in 1998, with the original intent of training health care provider organizations' staff. The project, however, became much larger. Six volunteers, over the course of 9 months, put together the document. It occupies more than 500 printed pages, and it has been fairly well received. Through the assistance of an external underwriter, it has been made available on the World Wide Web. To encourage wider input, CPRI created a Content Committee composed of a number of information security experts to oversee changes and additions to the Toolkit, including representation from HCFA, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the information technology industry. The third version of the toolkit has been available since May 2000, when the most recent additions to the toolkit were made. CPRI-HOST has a profound interest in confidentiality and security, as well as in advancing the use of computer-based patient records in health care. This toolkit helps organizations address more than just HIPAA requirements.

Focusing on HIPAA requirements alone will cause an enterprise to spend too much money and accomplish too little, compared with what could be achieved by spending its money slightly differently. That second course of action entails building a security-capable organization. In doing so, it is necessary to incorporate sound security practices in the everyday work of all members of the organization, including the patient. This involves more than just implementing security measures. In assembling a program, it is necessary to look at laws, policies and procedures, and practices, and to make some considerable changes (especially to make sure that the entity has done what HIPAA wants it to do). Then, the organization will have to select and deploy appropriate technology.

©2000 Decisions In Imaging Economics. All rights reserved. Contact: editor@imagingeconomics.com.