Home > Security > Privacy

Computerworld - As the health care industry prepares for complex regulations that will affect most of its systems and business processes, IT managers advise taking cautious steps to avoid being exploited by consultants.

Assess Your Needs Some tips for managing relationships with HIPAA consultants: Perform a “gap analysis” to identify organizational needs. Avoid open-ended engagements. Make sure you understand your legal obligations before hiring a consultant. Choose a consultant who has worked in health care for an organization similar to yours.

The Health Insurance Portability and Accountability Act (HIPAA) presents a lucrative opportunity for so-called experts, since noncompliance by health care officials can result in stiff fines and even jail time. The regulations define standards for electronic transactions, as well as measures for protecting the security and privacy of patient information.

In addition, certain aspects of HIPAA remain unclear, making it easy for health care providers to sign up for services they might not need.

In a given week, Ronald Margolis, CIO at the University of New Mexico Hospitals, receives 15 to 50 phone calls from HIPAA consultants. With the exception of consultants who work for its health information systems vendors, the Albuquerque-based hospital chain hasn't used any consultants because it's still too early, Margolis said.

Some consultants have tried clever marketing tricks, such as asking Margolis to participate in surveys that they use to gauge the kind of services his organization will need. In other instances, companies are giving away gadgets such as PalmPilots to people who respond to mailings that are really "leads to a sales call," Margolis said.

Indeed, HIPAA has "certainly got [consultants] in a feeding frenzy," said Greg Walton, vice president and CIO at Carilion Health System in Roanoke, Va. "It's really the obligation of the buyer to figure out what they want from a consultant, [or] the consultant is going to run all over them."

Carilion is "40% done with HIPAA," so Walton doesn't anticipate using any consultants himself. But he cautions against working with consultants who don't have experience in health care, because you may have to spend a lot of time explaining the context to them.

In fact, clients should make sure that a consultant has experience with their specific type of health care organization, whether it's an insurance company, a hospital or a clinic, said Mike Thorsen, executive vice president and chief financial officer at the Rx2000 Institute, a Minneapolis-based nonprofit organization that educates health care firms about business and technology issues.

For instance, a consultant who has primarily worked with insurers wouldn't be well suited for a clinic or hospital, because the environments are completely different, he said.