HIPAA hurdles loom as deadline approaches

With the deadline to meet privacy provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) less than a week away, the crowd in the E-Town theater at FOSE today complained about some of the challenges posed by the new rules.

Panelist Sharon Arndt, HIPAA compliance manager with the IT Department of Fairfax County, Va., said e-mail is one of the biggest hurdles of HIPAA compliance. According to HIPAA privacy rules, no longer can doctors or other health care providers write about sensitive patient information such as mental health support in an e-mail message.

E-mail can be FOIA'd, which could violate a patient's right to privacy, said Jon Frey, director of IT for the Health and Human Services Department of Montgomery County, Md. So as of next week, health care providers can no longer put protected client health information in an e-mail.

"You've had doctors who've been doing this for years, e-mailing data back and forth about patients," an audience member said. "How can we make a reasonable effort to comply with this unreasonable law?" he asked.

Organizations are looking at how this e-mail can be encrypted, said Mike Huddleston, a manager with Fairfax County's IT Department. "We're working on getting our e-mail Federal Information Processing Standard 140-certified," he said.

Huddleston says he "was never a big fan of public-key infrastructure. It's incredibly hard to administer all those public keys, when you have an organization with 4,000 employees. I think it was a fad."

"I don't think the original crafters of HIPAA realized the broader implications of it," Frey said.

Montgomery County has 130 applications, 50 of which have implications for HIPAA, Frey said. One good thing that has come out of HIPAA is that the county is consolidating the 50 systems, which will save the county "massive amounts of money." The duplicate data entry that was required for the 50 standalone applications added about 45 minutes of labor to each transaction, he said.

Tom Davy, former Navy HIPAA program manager and now on the staff of George Washington University, said the main challenge of HIPAA is the cultural change at the root of it. "We had staff members who would leave patients' charts hanging with the face up. We need people to subscribe to HIPAA, not just comply with it."

The panelist agreed that HIPAA isn't solely an IT issue, although it's often treated as such.

"HIPAA is as mundane as putting locks on file cabinets," Frey said.

Even answering machines have to change as a result of HIPAA, Huddleston said. "We had two nurses sharing a phone. One would have to listen through the other's voice mail messages to get to hers."

Training is also a daunting issue. Montgomery County is using an online HIPAA module through Maryland's Health Department that provides basic training. Huddleston said his county had to train 700 employees over 500 square miles.

"People out there are running scared," an audience member said.