IT consultants trying to win contracts for work required by the Health Insurance Portability and Accountability Act (HIPAA) should stay away from the scare tactics so many of their brethren used before Y2K.
Scare tactics won’t work, experts contend, because the hospitals, insurance companies, and other health care organizations that need HIPAA remediation work are savvier than they were a few years ago. They learned some lessons in the aftermath of Y2K and most aren’t going to repeat their mistakes.
They also have a lot less money to spend. Many companies, for example, believe they overspent preparing for Y2K and have little to show for it.
“Y2K made customers very leery,” said Tari Schreider, security practice director at Extreme Logic, an Atlanta consulting firm, and author of Encyclopedia of Disaster Recovery, Security & Risk Management.
“Customers are saying you are going to have to prove to me that HIPAA requires this. They aren’t going to roll over the way they did with Y2K.”
The smartest customers want to know how HIPAA remediation work can improve their IT infrastructure, Schreider said. But nearly all potential sales could be thwarted by IT pitches that overstate the reach of HIPAA. Here’s a list of “talking points” that you can draw on when discussing your role with a health care organization’s HIPAA-related contracts.
What is the truth?
First, beware of these common overstatements of HIPAA, Schreider said.
“HIPAA requires the same level of security for every part of a patient’s record.”
Not true, according to Schreider. HIPAA requires organizations, especially hospitals, to ensure the privacy of patients’ records. But in a hospital, for example, a patient’s record typically includes several hundred fields of information and not every field will require the same level of security.
“HIPAA requires certain aspects of patients’ records to be absolutely secure and private, but some consultants may recommend a company spend $100,000 protecting an entire Oracle database instead of spending a few thousand dollars to scramble the data in the Oracle frames that HIPAA addresses.”
“HIPAA requires hospitals and health care organizations to install intrusion-detection security systems to guard against theft of patient information.”
Not exactly: “The law requires health care organizations to be able to monitor and receive alerts when someone is trying to steal patient information, and you can do that for a lot less.” Schreider said. “For example, you can get a host-based intrusion detection system that will monitor the database directly for $1,200.”
The intrusion-detection system requirement is a myth perpetrated by overzealous salespeople, Schreider said.
“I sat in on a number of meetings where salespeople said because of HIPAA you have to have an intrusion detection system, and I sat there and thought, well that’s interesting, because HIPAA actually requires a lot less.”
“The annual security training requirement of HIPAA applies equally to all of an organization’s employees.”
No way, she said. “HIPAA requires annual security awareness training and some people will interpret the law to say they’ve got to take all 5,000 employees and have them trained in an auditorium, when, in actuality, the level of training required is commensurate with the amount of access to the health care information.”
For employees with very limited access to patients’ records, training could be as simple as an e-mail each year reminding them of HIPAA basics, he said.
Meanwhile, organizations can save a lot of money on training by limiting the number of employees who have access to patient records, Schreider said.
“By locking people out of seeing certain things, you can make your system idiot-proof. And that person doesn’t need any training. The ones you invest in training are the people who have been given a high level of trust for access to patient records.”
Know the products and landscape
Consultants must also be able to evaluate the many vendors touting their own HIPAA solutions. Be skeptical of the multitude of products and services advertising themselves as the antidote to various aspects of HIPAA. Investigate products offering easy answers thoroughly, and be able to draw a direct line between any product or service that you recommend and the HIPAA requirement that the product or service addresses.
“HIPAA compliance has become the buzzword for health care vendors,” cautioned Mary Staley, vice president of HIPAA operations at Houston-based Healthlink Incorporated, one of the largest health care IT consulting services. “Everyone has ‘THE’ HIPAA solution.”
Inspire confidence by understanding your customer’s information technology. IT professionals who want a piece of the HIPAA pie should have a working knowledge of the software and systems that dominate the health care sector, several HIPAA experts advised.
For example, Novell claims that more than 80 percent of hospitals use its NetWare operating system, said Jim Allred, vice president of marketing for Orem, Utah-based NetVision Inc.
“If you’re an IT consultant and you’re clueless about the Novell environment, you are going to have some problems sounding credible about the whole HIPAA story,” said Allred, whose company’s NetVision Policy Management Suite is used by about 35 hospitals, most of which use it for at least some portion of HIPAA compliance.
Be able to hold your own about relational database management systems, like Oracle, Microsoft’s SQL, and Sybase because many of the health care applications are based on those databases, Allred said. Also be aware that many patient billing systems are built on UNIX operating systems.
Many health care organizations are testing or getting ready to test their data transactions to see if they comply with HIPAA, said John Lilleston, technical supervisor for Verizon Information Technologies, Inc. in Tampa. (The first deadline for HIPAA compliance was last October, but so many organizations applied for year-long extensions that the deadline has, in effect, been moved up a year to October 2003.)
Be ready to field questions about the many automated testing tools being advertised, said Lilleston, who recommended consultants become familiar with Claredi, a testing service, and two software tools: HIPAA Validator and Edifecs.
The best-prepared IT consultants will be able to discuss the products and services that have proven themselves. Be able to cite HIPAA requirements as specifically as possible when proposing services, Schreider said. And avoid scare tactics. The customers who fell for them before are still sore about it, Schreider said.
HIPAA is “very ambiguous and subjective,” but Schreider counseled against taking “the shotgun approach” when it comes to solutions. It costs more for the customer and may hurt the reputations of your colleagues in the long run.