Enterprise Software

Client education is key to landing HIPAA contracts

Many second- and third-tier healthcare organizations still aren't aware of HIPAA regulations and their upcoming deadlines. Industry experts and TechRepublic members share their advice for educating clients and securing HIPAA contracts.


The consultant business will be booming as the Health Information Portability and Accountability Act (HIPAA) compliance deadlines draw ever nearer. While large healthcare organizations (HCOs)—which typically have entire teams dedicated to HIPAA compliance—may be finishing their initiatives, midsize to small HCOs may not even be fully cognizant of the effect HIPAA’s requirements will have on their business.

As a consultant, you can help see that your firm will receive its share of HIPAA compliance contracts by educating potential clients now.

We spoke to three experts about why some clients are still unaware of HIPAA's requirements, how they’re educating potential clients, and how consultants can win HIPAA contracts.

Why aren't HCOs aware of what HIPAA will entail?
While some have compared the need to hire contractors for HIPAA compliance to the hiring frenzy surrounding Y2K, consultant Brad Turkin said that unlike with Y2K, many HCOs haven't been educated about how the pending regulations will affect their business processes.

Turkin, senior vice president of COMFORCE Corporation, a global IT consulting and staffing firm based in Woodbury, NY, said his firm is trying to remedy that ignorance by focusing their education efforts on the IT managers within the medical community.

Hot skills for HIPAA
As a provider of consultants, Turkin said his firm is "targeting the hot divisions that will be in demand for the transitions over from the legacy systems." He said consultants who will be most in demand are interface designers, programmers, project managers, and system architects.

Others in the healthcare industry have been slow to act because they believed HIPAA’s deadlines would be delayed, said TechRepublic member Luba Halich, a principal consultant at healthcare consulting firm ZoriaMed, Inc.

"Our lawmakers are continuously handing out regulations, and… there's always a stone in the road," she said. "I think everybody was hoping that something was going to delay it and they don't have to act on it yet."

A third reason for many HCOs’ lackluster approach to HIPAA has been the way physicians view technology, said TechRepublic member James Wilson, a security and network consultant with XCS, Inc., a consulting firm based in Cleveland. He suggests that physicians are more scientists than business people and don't tend to embrace new technology.

Compliance deadlines: The clock is ticking
Halich said that educating and helping HCOs become compliant takes more time than clients may think because the requirements don't spell out exactly what each particular type of business must do.

"HIPAA specifies the 'end results' of regulations…but it doesn't tell you how to get there," Halich said.

The compliance deadlines are quickly approaching. The electronic transfer components, for example, need to be completed by Oct. 16, 2002. Businesses may apply for an extension until Oct. 16, 2003, but HCOs must specify their compliance strategy when applying in order to be approved. Another major deadline is April 14, 2003, when HIPAA’s privacy components must be implemented.

The deadlines, however, are not the only thing that will motivate smaller HCOs to become compliant, Wilson said. The pressure will build as the larger insurance companies—the payers—become compliant.

"Think of HIPAA as a chain, and each individual link is a piece of the chain," Wilson said. "Each link has to be compliant. If you are not compliant, God forbid, the hammer is going to fall on you because you're going to be the weakest link in the chain."

Ways to educate the client
Both Halich and Wilson said face-to-face meetings—especially with decision makers like CEOs and CFOs—are one of the best ways to educate clients, especially since many haven't actually read the regulations. Such an approach can help drive a “top down” approach to HIPAA compliance.

Halich said she starts with a high-level discussion of HIPAA's transaction, privacy, and security components, and explains what each will mean for the client’s particular organization. From there, she discusses the act’s deadlines, what work they may need done, and how long the implementation process may take.

"If you give them too much information, sometimes they'll say, 'We're just going to do that on our own,’" she said. "So the balance of getting the contract is not giving… too much to where they think they don't need you."

Wilson's firm has tried two approaches that has it "inundated with HIPAA work." First, XCS hosted a HIPAA seminar in November 2000 that resulted in many contracts, and it's planning to do more. In addition, Wilson provides his clients with an educational CD comprised of information originally included in a HIPAA Webcast produced by the Centers for Medicare and Medicaid (CMS, formerly HCFA). Wilson downloaded the information and produced CDs that his clients can share with their staff.

"The physicians don't understand that it's not just going to be the physician who's responsible for this," Wilson said, "but that it also includes employees, policies and procedures, training, access control systems, a privacy statement, etc."

Halich said she's also successfully educated clients while working on other projects for them. For example, she's currently working on a systems implementation engagement for a client who believes he “still has time" and doesn't need to "do too much" in regards to HIPAA. To help the client prepare for HIPAA, she has incorporated roles-based access—as dictated by HIPAA's security measures—and disaster recovery planning into the system implementation.

Changing the client's view
Wilson and Halich reported that fear and resistance to change have complicated their efforts to educate their clients about HIPAA. Halich also said her clients are sometimes weary from past experiences and look at the HIPAA guidelines with disdain. She suggested that consultants should encourage potential clients to see it as an opportunity instead.

Wilson agreed that it's vital to change clients' attitudes. If the client is saying, "I just want to be compliant," they're looking at it the wrong way, he said.

"HIPAA should not be something that is a one-time fix."

Closing the deal
Halich has some words of advice for consultants hoping to land HIPAA contracts:
  • Understand the client's business and industry segment in order to realize how the HIPAA regulations will apply to their business.
  • Present HIPAA compliance as an opportunity for the client to implement positive changes.
  • Realize that each client will have an individual interpretation of HIPAA. To help them find the best approach to become compliant, focus on defining options, risks, and opportunities to improve business processes.

"I think the key is remaining calm about this…and not to use a scare tactic because that's going to backfire," Halich said. "I think the best approach is to let them know that they can get through it, but it's going to be more work the longer they put it off."

How are you educating your clients?
Are you vying for HIPAA contracts? How are you educating your potential clients about the necessary regulations? Send us an e-mail or post your comments below.

 

Editor's Picks

Free Newsletters, In your Inbox