For most, HIPAA compliance will require far-reaching changes within each "covered entity." The transition to a more streamlined process, higher quality healthcare, and a more efficient healthcare delivery system will not come without cost. Many covered entities will have to develop policies and procedures and make administrative changes that will impact their organizations at every level. From personnel training to implementing hardware and software designed to address the technical aspects of privacy and security, the expense will be realized in the form of dollars and human resources.
Covered entities will be required to appoint Privacy Officials to handle the ongoing compliance efforts, as well as ensure that appropriate training is conducted organization-wide. All third-party agreements in which protected health information is used or disclosed will need to be evaluated and potentially modified to adhere to the new regulatory requirements. Security protocols, privacy policies, contingency planning and administrative operations will also undergo newly heightened scrutiny to determine each organization's level of compliance.
Healthcare providers have always been charged, to some degree, to maintain the privacy of their patients' health information. Under HIPAA, however, a new, standardized level of protection provides patients with affirmative rights to review their information and determine how and to what extent it may be used for certain purposes. Additionally, providers will be required to take measures ensuring that proper authorizations are obtained and notifications of privacy practices are provided to patients where appropriate.
Documentation of the compliance process is key to successful implementation and long-term compliance. Because the Act requires covered entities to take "reasonable measures" to address the law's provisions, covered entities should track all process modifications, policy changes, and training efforts, as well as document any decisions of "inaction," where existing measures suffice to comply with the regulatory requirements.
Additionally, organizations should seek industry assistance from those partners who participate in the healthcare delivery process. From service providers to product vendors, industry partners should be willing to bear some of the burden associated with compliance efforts. Inquiring as to vendor Privacy and Security policies, training programs, termination procedures, disaster recovery and contingency mode planning, etc., will be helpful to organizations performing "due diligence" in the implementation process, and will provide the required "assurances" that protected information will remain confidential, secure, and available.
Product and service vendors will be expected not only to be aware of regulatory provisions and ongoing changes, but they will be charged with the task of offering solutions that address significant and specific customer needs. A thorough understanding of how HIPAA Privacy and Security Regulations will impact healthcare providers will assist vendors in developing and delivering the technologies and services needed to aid in customer compliance efforts.
HIPAA will require, in many instances, some type of agreement between vendor and customer. Whether the agreement is required under the Privacy Regulation (Business Associate) or the Security Regulation (Chain of Trust) will depend upon the nature of the relationship between the parties. A hybrid agreement containing provisions to cover both information privacy and technical security may be the most appropriate approach in some cases. Sensitivity to customer compliance efforts and an understanding of the customers' need to secure information are of utmost importance. Policies and procedures addressing Privacy and Security issues, including personnel training, must also be in place within the vendor organizations in order to meet the heightened standards set by the customer seeking to comply with HIPAA regulations.
Educated personnel, from field sales to high-level management, as well as the ability to anticipate customers' future needs, will provide vendors with an advantage over those who erroneously believe that only "covered entities" need worry themselves with such regulatory matters.
Reaching the ultimate goal of the Act (Administrative Simplification, cost savings, and higher standards of healthcare) will undoubtedly be a multi-faceted, inter-industry effort. From vendor to provider to patient, new responsibilities are inherent in facilitating this sweeping change, which endeavors to streamline and protect health information and raise the bar on the standard of healthcare in this country.