HIPAA One Step at a Time

Computerworld - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is putting a financial strain on most hospitals these days. It's forcing them to measure and account for data in ways they never had to before. At Baptist Health Care Corp., CIO Dave Garrett used tools from Superior Consultant Co. in Southfield, Mich., to do a gap assessment and to identify deficiencies in HIPAA compliance. The company's IT team then made a remediation plan.
One of the first things Garrett did was centralize and coordinate the destruction of protected health information. Instead of shredding documents in small batches, Garrett brought in huge locked bins with small slits just large enough to slide through paper, radiology film and magnetic tapes. Baptist contracted with a company that's bonded and insured to empty the bins, either by shredding the bins' contents under lock and key in the contractor's truck in the parking lot or, if the volume is too large, back at its plant.
"People love it because they say they don't have to waste time standing around in front of the shredder anymore," says Garrett.
To comply with HIPAA requirements, the electronic systems at Baptist are password-protected. Users who forget their passwords are automatically e-mailed new passwords. One person handles all security help desk calls.
Another project Garrett's Web team worked on was creating a Web-based application that tracks all patient information to comply with the minimum requirements of HIPAA's privacy rules. "Whenever you disclose information on a patient, it asks you certain information about the patient and who you're disclosing information to. It keeps track of the date and time of the request, and it keeps it by medical record number or Social Security number. There's a couple of different ways it tracks it, and it's stored in a database on a server," Garret explains. This is called the disclosure/capture component. At Baptist Hospital, only the medical records department does the reporting disclosure.
"One of the things that HIPAA requires is that you're accountable for seven years to report back, and I've got to be able to produce that list," Garrett says. Instead of buying an application for what he estimates would cost $50,000, his application group wrote code in about two weeks. "We're not in the business of writing applications, but we can when we need to. And the government tells you what to track," he says, which made programming doable.
The key to meeting HIPAA requirements is taking reasonable steps, Garrett says, and in many cases, Baptist has gone