Take an insider's perspective on HIPAA

Most people can recall the hype of Y2K, which had CIOs and IT managers preparing for what was supposed to be the biggest technology obstacle of the century. Today, the industry has been clamoring about compliance regulations surrounding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations were required to have met the government's policies by April 2003, but according to a report issued by the American Health Information Management Assn., only 23% of healthcare organizations believe that they are fully compliant today.

Even organizations with plans already in place are finding it hard to achieve compliance at the required levels. Regulations are subjective and complicated - many organizations look at HIPAA only as a federal mandate, but state laws governing compliance levels will in fact determine how the law is enforced. Acceptable levels of compliance will ultimately be tested and defined by the courts. At a minimum, healthcare organizations must show an ongoing effort to assess their level of compliance. And for many, compliance is uncharted territory where processes, costs and solutions are unknown.

After an assessment is conducted, the pressure is on privacy officers and C-level executives to implement a solution that will effectively change the way patient information is organized, exchanged and protected. At the same time, they are expected to improve the company's bottom line - a balance that seems daunting and hard to achieve.

What's more, regulatory compliance is difficult to manage from a personnel perspective. Institutions are now faced with training their entire staff on new and frequently changing policies regarding the handling of protected health information. This includes everyone from the temporary employee to the financial administrator to the human resource representative, all the way up to the clinician and health information management professional.

SPEAKING FROM EXPERIENCE

St. Clare's Health System, a healthcare network located in northwestern New Jersey, worked with Xerox Global Services to conduct a HIPAA Compliance Risk Assessment, which identified business practices that could potentially put privacy of patient information at risk. In a three-week evaluation period, Xerox provided recommendations for becoming compliant and customized solutions to help us streamline the management of critical documents. The assessment also uncovered ways to enhance productivity and reduce costs. The assessment's delivery of both compliance and efficiency recommendations in a simple, step-by-step format gave us the confidence to take action and move closer to a more efficient, secure healthcare environment.

While HIPAA is viewed by many as a burden, it also presents new opportunities for business improvement. For St. Clare's, evaluating current business and document processes not only uncovered the data needed to reduce costs, it discovered where knowledge existed and how it was transferred throughout the entire organization. As a result, we have been able to identify inefficiencies, saving both time and money.

Regulatory compliance can be a dark cloud lingering over the heads of healthcare executives as they go about their day. Like it or not, it serves as a reminder that stormy times are ahead if appropriate steps are not taken. However, executives and decision makers now realize that the silver lining to the compliance cloud is improving their organization's level of privacy and document management processes.

Unlike Y2K, HIPAA is not a deadline that will pass with the turn of a calendar page. As long as there are records to manage, healthcare organizations can expect to keep hearing about HIPAA and its changing requirements. Organizations creating a culture that embraces the challenges of the mandate will have the advantage of identifying other opportunities to better manage information and improve their bottom line.

David Lundquist is chief operating officer, St. Clare's Health System.