Information Systems: HIPAA Help or Hindrance?
What Practice Management and EMR systems
can and should do to support HIPAA requirements, including things to
ask your vendor.
HIPAA (the Healthcare
Portability and Accountability Act of 1996) presents a confusing set of
regulations with vast implications for healthcare organizations.
Impending and past deadlines have many scrambling for answers from
software vendors and other business associates, who customarily respond
with a guarantee of “100% HIPAA compliance.”
The level of
confusion and rumor that surrounds HIPAA can have a disruptive effect on
an organization, especially considering the lack of clear and focused
information available from the federal bodies in charge of enforcing the
regulations. You may be surprised to learn what is (or, more
appropriately, what isn’t) required of your vendor.
If your vendor is
ill-prepared for HIPAA, you will be at tremendous risk. Nevertheless, a
cooperative and HIPAA-ready vendor can and should be able to smooth your
organization’s transition to HIPAA compliance.
Information Systems and HIPAA
As it impacts health
organizations using information systems (such as billing and medical
records systems), HIPAA contains sections dealing with: Privacy,
Transactions and Code Sets, Security, and Unique Identifiers.
Obligations under
these sections of HIPAA fall squarely on the medical provider (in HIPAA
terms, the “covered entity”) and not, as is often confused, on software
vendors. The covered entity (i.e., medical practice) needs to make sure
that vendors (“business associates” in the language of HIPAA) provide
tools and services enabling full compliance.
Play Ball!
In light of the April
2003 deadline double-whammy—April 14 for Privacy compliance and
April 16 for Transactions and Code Sets testing—the HIPAA ball is
clearly in play. (HIPAA’s final rule for Security was published on
February 20, 2003 with compliance deadlines at least a year away, by
most estimates.)
So what do you need
from your software vendor? You might want to start with a standard
business associate agreement. There are several templates available on
the Web. Download and modify one, and ask your software vendor to sign
it.
While HIPAA Privacy
requirements are mainly focused on office policies and procedures for
handling patient protected health information (PHI), you should
familiarize yourself with how these requirements may be impacted by your
use of technology. For example, a traceable audit trail of all system
user activity is indispensable in terms of an organization’s obligation
to document (and, in some instances, report) access by individuals to
PHI. This becomes all the more imperative if your organization uses an
electronic medical record (EMR).
If you are using an
EMR, HIPAA’s just-published final rule on Security has huge
implications. Focused almost entirely on information technology, HIPAA’s
Security rule outlines a vast array of technical requirements for
safeguarding and verifying the authenticity of health information.
Considering the
enormous commitment of time and expense involved in implementing any
practice management or information system, especially an EMR, it is
imperative that your organization understand this section of HIPAA. Your
vendor(s) should have a plan for achieving full compliance in this area.
Make sure that you receive a copy.
What Are Vendors Doing to Prepare?
A number of vendors
have invested heavily in reprogramming their existing products, often
passing this cost on to customers in the form of costly “HIPAA
upgrades”. Some newer vendors, born in the age of HIPAA, have been
focused on HIPAA from the start. One such company, New York City-based
CureMD, provides a Web-based platform for practice management and EMR.
“One of the most
common questions has to do with the Web,” said CEO Kamal Hashmat.
“Physicians and administrators hear the word ‘Internet’ and right away
ask, ‘What does that mean in terms of HIPAA?’ The simple answer is
everything and nothing.”
Hashmat explains that
CureMD was following the HIPAA curve for three years leading up to the
company’s incorporation in 1999. “We knew early on that the Internet was
the direction to go, but HIPAA was brand new and there was very little
written on Security, and nothing published in the form of final rules.”
Still, according to
Hashmat, much of what ended up in the final rules on Privacy,
Transactions and Code Sets, and Security was predictable. “By the time
we were ready to start up EDI, we knew we were going to need an ANSI
file, even if the payers and clearinghouses weren’t ready to accept
one.”
This kind of
readiness has paid off for Doug Reich, MD, director of Wyckoff Heights
Medical Center’s Department of Family Practice. Before selecting CureMD
in 2001 for the Brooklyn, NY practice, Dr. Reich already had a wish
list.
“I knew I wanted
connectivity between our outpatient clinics and our inpatient facility,
and I knew I wanted access for attending physicians, residents and
billing staff, from our multiple sites and from home,” said Dr. Reich.
Based on CureMD’s multiple security levels, Dr. Reich felt that the
company’s Web-based solution provided an opportunity for significant
savings in networking costs, while leaving the option open for VPN-type
connectivity.
As CureMD completes
interfaces with Wyckoff’s legacy registration and ordering systems,
family practice has entered the final phase of the CureMD
implementation—EMR.
“Family practice had
the opportunity to go with some very good, very expensive off-the-shelf
EMRs,” explains Dr. Reich. “But we bet on a horse with newer technology
and strong HIPAA foundations. It definitely looks like we are going to
finish at the front of the pack.”
Summary
With HIPAA
requirements for Privacy and Transactions and Code Sets a reality, and
Security provisions practically around the corner, health organizations
have no time left to wait. Medicare has already indicated that mandatory
electronic claims are coming, making the transition to HIPAA-compliant
information systems a must.
If your practice
management and EMR vendors have not provided you with a HIPAA roadmap,
now is the time to require it. The provider as “covered entity” bears
ultimate responsibility and faces the legal and cash flow consequences
of non-compliance.
For more information:
212-213-6230
877-362-9549
www.curemd.com
info@curemd.com