DALLAS - Since its passage in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been bedeviled by confusion surrounding the implementation of its various sections. In an e-poster presentation at this week's Health Information and Management Systems Society (HIMSS) meeting, Joan Kiel, Ph.D., offered a seven-step framework for healthcare facilities faced with implementing this complex set of regulations.
Healthcare providers have spent the past two years muddling through HIPAA's Transactions and Code Sets and Privacy sections. Implementation of the next section, Security, is due in April, and organizations continue to seek assistance from those who have successfully integrated HIPAA’s regulatory requirements.
Kiel is chairman of the department of health management systems at Duquesne University in Pittsburgh, and in her presentation she shared an approach to HIPAA implementation that she called the system development life cycle (SDLC) method. The SDLC strategy implements the five existing rule sets -- Transactions and Code Sets, Privacy, Unique Employer Identifier, Security, and National Provider Identifier -- and places them into existing information technology structures utilizing a seven-step process.
Kiel identified several barriers to successful implementation, including:
- Disparate regulation interpretation
- Time and budgetary restrictions
- Lack of credentialed individuals
- Unsupportive organizational culture
To overcome these obstacles, Kiel suggests an approach that modifies existing operational procedures to incorporate required HIPAA policies and procedures, and capitalizes on the variety of operational levels and areas of expertise within each organization.
Kiel suggested that providers assemble an implementation team that includes the following members: compliance officers, office manager, information technology representative, and medical records representative. Once the team is together, they should move into step 1 of the implementation process, project identification. This calls for identifying the various requirements involved in implementation while considering the impact the initiative will have on the overall organization.
Step 2 of the HIPAA planning phase is to assess the facility's time, financial, personnel, and technology limitations in both internal and external covered-entity environments. Step 3 involves organizational dataflow diagramming and analysis of compliance with the “minimum necessary” and “need to know” aspects of HIPAA.
Step 4, the logical design phase, includes processes focused on procedure, form, and report development, as well as integration of HIPAA-required policy into data management. This step also addresses the required auditing and data-tracking procedures.
Physical design, step 5, identifies the need to maintain data integrity, calling for implementation of authentication mechanisms (HIPAA's Security Regulation), and additional physical and technical measures implemented to ensure the confidentiality, integrity, and availability of protected health information (PHI), according to Kiel.
Step 6, implementation, calls for incorporating HIPAA's substantial process change into the organization’s standard operating procedures. Kiel also identified the most essential aspects of any implementation strategy: testing, training, and documentation. This is often the most challenging part of any HIPAA compliance strategy, as it involves changing human behavior among the personnel at a facility, rather than the simpler effort of implementing technological change.
Understanding the evolving and dynamic nature of compliance is a key to long-term compliance on the organizational level, Kiel wrote. Maintenance, step 7 in the SDLC strategy, calls for organization-wide input and continuous review and modification of the policies and procedures that have been implemented. This step is not only required by the regulations themselves, but is also essential to any successful effort to implement organizational change.
The seven-step SDLC approach helps organizations meet some of the most complex and vexing obstacles head on, permitting successful implementation of existing and future HIPAA requirements. Most important, every organization will need to undergo some level of organizational culture change, and will be required to modify its approach to data creation, management, and transmission, according to Kiel.
By Kris Knight
AuntMinnie.com contributing writer
February 14, 2005
Copyright © 2005 AuntMinnie.com