HIPAA Simplified: It’s not *that* bad

Earlier this week I met with a professional HIPAA consultant. The purpose of the meeting was to review our products & services and make sure that everything we’re doing (and want to do) is HIPAA-compliant.

My job requires that I have at least a basic understanding of the different requirements of being “HIPAA-compliant” but this was an opportunity to get real confidence about exactly what has to be done to slap the “HIPAA-compliant” label on our services. What’s amazing to me is that it’s not that hard to officially list out what needs to be done to be HIPAA-compliant, but the government has done a terrible job of making it clear.

After many consulting hours and questions, I can summarize all the complexity of HIPAA as follows. Oh, and this list is for commentary purposes only; I very well may be missing information here. That having been said, here we go:

(1) HIPAA really stands for Health Insurance Portability and Accountability Act and has two “Titles”. When everyone thinks of HIPAA, they really only think of Title II: Administrative Simplification

(2) “Title II: Administrative Simplication” gave rise to five “rules”, only two of which most of us have to worry about — the Privacy Rules and the Security Rules

(3) The Privacy Rules are handled by the Office for Civil Rights within the Department of Health and Human Services and are officially outlined one-by-one here. The only relevants parts for a practice appear to be Part 160, Subpart C (talks about how you might get audited) and Part 164, Subpart E (talks about what you have to do and what patients’ rights are).

(4) The Security Rules are handled by the Centers for Medicare and Medicaid Services (CMS) within the Department of Helath and Human Services. Those rules are officially outlined here. There is a huge amount of text that doesn’t apply to most people, but the good stuff is in Part 164 and is broken down into Physical Safeguards, Administrative Safeguards, and Technical Safeguards.

(5) The rules are very open-ended, saying things like data should be encrypted but leaving open-ended as to which encryption algorithm you use. That means that being “HIPAA-Compliant” is not a certified stamp you earn when you pass a rigorous inspections. Rather, it is a self-assigned description that your organization thinks that it’s made a reasonable best effort to comply with HIPAA. In other words, “HIPAA-Compliant” really means, “we took a look at HIPAA and did the best we could.”

(6) And finally, there are a bunch of non-official templated HIPAA contracts or agreements that are floating around — Notice of Privacy Practices, Privacy Policy, Business Associates’ Agreement. These agreements aren’t official, just based on the stuff above.

And well, that’s it! As I understand it, that is the entirety of the complexity of HIPAA as it relates to an ambulatory practice and by extension a healthcare IT vendor. In my opinion, the government has done such a terrible job of making that clear. I could take two days and set up a website called “The Official HIPAA Resource Center” and leave out things no one cares about like legislation that was proposed and rejected. Because no one has setup a simple-to-use resource center, an entire industry of HIPAA consulting exists that capitalizes on people’s fear.

The reality of HIPAA is also that it was drafted not by clinicians, but by legislators who consulted experts on healthcare. So there is a ton of stuff in there that is a total pain to do. And for Healthcare IT vendors like us? We get a huge amount of latitude as to how we choose to implement HIPAA and apparently “HIPAA-compliant” varies quite a bit.

So, those are my thoughts on HIPAA. Patients should absolutely have privacy and security with their medical records, but the implementation of how that’s legislated leaves quite a bit to be desired. For someone not in the industry, this article must have been incredibly boring. But for the healthcare people, you probably share my frustration with this.

Leave a Reply