HIPAA: Cost Impact on Compliance and Healthcare
The development of technology has penetrated major areas of life, including the healthcare industry. It has ensured that the healthcare sector uses technology to simplify procedures within the industry. The creation of the Health Insurance Portability and Accountability Act (HIPAA), which was signed into law in 1996, provided for the integration of technology within the healthcare industry. Although a major part of the Act is to provide coverage for workers, Title II of the Act aims at ensuring that the personnel in the healthcare industry become more efficient in using electronic media when transmitting the patients’ records. Patients are concerned with the use of electronic media, despite its efficiency, because of the related privacy concerns. Because of these concerns, the legislators found it necessary to include safety and security provisions in the Act. These provisions act to assure patients of the safety of their medical records (Bowers, 2001). Implementing and complying with the Act has some cost implications for the healthcare industry.
All covered entities have to comply with the Act. These entities include health care clearinghouses, health care providers, and health plans. Some of the main purposes of the law are ensuring the protection of the patients’ health care information by maintaining privacy of the records, enabling people to continue receiving their healthcare coverage despite changing their jobs, standardizing electronic claims transactions, and administrative simplification (Krager & Krager, 2008). The Act considers the advance of technology in healthcare, and it mandates healthcare providers to ensure that they provide standards for the secure transmission of the patients’ electronic data. The administrative simplification regulation is aimed at ensuring that the patients’ information recorded in electronic form is safer than when recorded in paper form. The Act singles out activities and roles such as eligibility, payment of claims and premiums, coordinating benefits, referral, and electronic data interchange (Freeman & Peace, 2005). Under the law, healthcare providers have to institute security measures such as user authentication and encryption, among others.
For healthcare providers to comply with the HIPAA regulations, they have to implement several changes within their institutions. They have to change some of the practices, which they used to do, but which ended up compromising the patients’ privacy. Most healthcare providers use white boards in emergency rooms, where they list the patients’ name and condition. Since the passage of the law, the healthcare providers have to ensure that these boards are not in full view of the public. They also have to ensure that other people cannot see the patients’ charts, and this means facing the charts to the walls. Many hospitals use sign-in sheets in reception areas. Previously, patients were required to write their names and conditions. This is no longer the case, as patients do not have to write their conditions. The law has also given the patients more control. The hospital staff cannot decide the people to divulge the information to, without consulting the patients, and seeking their consent (Freeman & Peace, 2005). These changes affect the healthcare providers and others working in the institution. The people have to make several adjustments in accordance with the law.
HIPAA has increased the financial investment that healthcare providers make to ensure that their patients’ records are secure. Healthcare providers have to enhance their information technology systems to ensure that they meet the standards recommended under the law. In most cases, many healthcare providers have had to make additional investment to ensure that hackers and other unauthorized personnel cannot access the system. The management has to provide tools to detect intrusion in all the systems. In addition, the management has to ensure that it has installed tools that detect and eliminate viruses on the systems. Moreover, the management has to ensure that it has installed an audit and tracking system (Lindh et al., 2009). The management at health institutions has to purchase more hardware and software for the security systems. The management invests a lot of money in providing the software necessary for ensuring privacy. For instance, it has to develop access control measures to incorporate in the security system. The management can decide to use personal identification numbers, the password system, the token system, or the biometric identification system. The system that the organization decides to use depends on the level of security within the institution, and the amount of money the management is willing to spend in developing the security system. The biometric identification system uses a part of the body, such as the eye or the fingerprint, to authenticate (Krager & Krager, 2008). This system is obviously more complex and complicated than the password system, and it might require substantial financial investment. Some institutions choose to combine different systems, for added security.
Healthcare providers have to spend other resources to ensure that they are compliant. They spend a lot of time, and a considerable amount of money, on education. The management has to educate employees on how to use the security system. The training involves all the members within the institution, though the extent to which the members receive training differs. Some employees receive more training than others do, since they work more intensively with the system. Some of the training involves knowing when to detect viruses, and how to remove them. Employees should learn how to report any problems within the system, the login and logoff procedures, usage and change of passwords, and any other necessary information (Krager & Krager, 2008). The management should ensure that the employees receive training periodically, especially if there are any changes within the system. The management has to hire people to develop and maintain the security system, and this can be expensive. Entities spend money when they develop training tools such as brochures, handouts, booklets, and pamphlets, when they hold workshops and training sessions to train the employees, and when they pay the people they have hired to develop the security system. They have had to develop new consent forms that ensure compliance with the Act (Harman, 2005).
HIPAA changes the working of the organization. It changes some of the roles of the healthcare institution staff. It also changes the way the staff relate to each other. The management of health institutions has to add more staff to deal with security issues, or delegate more duties to the staff on duty, to ensure that it maintains maximum security. The management has to identify a person who will be responsible for all security concerns in the institution. The implementation of HIPAA changes the relationships within the workplace. Because of security concerns, the workers are not free to share information concerning the patient, since they have to maintain confidentiality. Only a few people can access the security system and retrieve the patients’ medical records. The management has to implement a sanctions policy for those who have violated the rules (Lindh et al., 2009). These actions can change the way the staff relate to each other. Those who can access the medical records feel that they have to do their best to ensure privacy. Therefore, they will limit their interactions with the other staff. The process of reporting violators can be a source of tension within the institution.
HIPAA regulations require the management at healthcare institutions to provide written confidentiality protocols, which protect the patients’ information. These protocols and procedures act as a guide to all the employees regarding their treatment of the patients’ records. They help the employees in understanding their limits towards use and access of the patients’ information. The institution should also have authentication protocols for all the personnel, to limit the number of people with access to the security system. The person in charge of security should have a way of maintaining the system, to ensure that even those who have authorized use of the security system can only access the system during working hours. These measures cover employees who have changed departments. The security personnel should ensure that they have removed names from access lists, they have removed the user accounts, and that the users have turned in their keys, swipe cards, or any other means of access to the system. In case of breach in security, the personnel should ensure that they have changed the combination locks. It is also necessary to change passwords in case of any unauthorized access (Krager & Krager, 2008).
The management in the covered entities should have a system of controlling discarded records. It should delegate these tasks to an individual, and should have a definite system of getting rid of the unnecessary information. It should also ensure that it has a way of storing and maintaining information, in a way that ensures confidentiality. The covered entities should ensure that they have physical safeguards such as locks and badge access, as this will help in limiting accessibility. They should consider the physical layout of the institution. For instance, the reception area is a sensitive area, because it has many patient records, yet many people access it. The institution should design the reception area in such a way that the receptionist has a whole view of the reception area, but the other people cannot access the documents within the working station.
HIPAA has affected health care in the way research is conducted. The advancement of treatments, improved diagnosis measures, development of effective therapies, and the development of more effective drugs and vaccines depend on research (Nass et al., 2009). Before HIPAA, patients were rarely consulted. The health care providers would collect the patients’ information and would distribute it to others for different purposes, part of these purposes being research. The researchers did not need to ask for authorization from the patients before they could conduct any research (Harman, 2005). This has changed since the implementation of the Act, as researchers have to ask for the patients’ consent unless they have a waiver. Patients have the freedom to decide with whom they want to share their information. This has affected health care in the sense that researchers seeking ways of finding better treatment have to wait for some time so that they can seek the patients’ consent. In some cases, patients may opt out of a research study. HIPAA has enhanced patients’ knowledge concerning the use of their information. It has enhanced ethical research, because it is a way for researchers to collect information in an ethical manner.
Although HIPAA covers insurance coverage, many of the provisions in the Act are concerned with security and privacy measures. These measures have changed the provision of healthcare and several aspects of the health industry. The Act has led to the development of new software technologies, which enhance the patients’ privacy by protecting their records. It has led to the development of technologies such as access and control systems. The Act has increased the financial investments that health institutions have to make. Health institutions incur expenses in the purchase of new hardware and software, training of employees, hiring of personnel to develop the security systems, and maintenance of the system. The Act has had negative and positive effects on health research. On one hand, it has ensured use of ethical procedures when collecting research information, by giving the patients more authority, while on the other hand it has slowed down the development of research, leading to the slow development and discovery of treatment.
Bowers, D. (2001). The health insurance portability and accountability act: Is it really all that bad? Baylor University Medical Center Proceedings, 14 (4), 347-348
Ferrell, T. (2001). Impact of HIPAA security rules on healthcare organizations. SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/policyissues/impact-hipaa-security-rules-healthcare-organizations_495
Freeman, L., & Peace, G. A. (2005). Information ethics: Privacy and intellectual property. Hershey, PA: Idea Group Inc (IGI)
Harman, B. L. (2005). HIPAA: A few years later. The Online Journal of Issues in Nursing, 10 (2). Retrieved from http://www.nursingworld.org/MainMenuCategories/ANAMarketplace/ANAPeriodicals/OJIN/TableofContents/Volume102005/No2May05/tpc27_216018.aspx
Klosek, J. (2010). Protecting your health privacy: A citizen’s guide to safeguarding the security of your medical information. Santa Barbara, CA: ABC-CLIO
Krager, C., & Krager, D. (2008). HIPAA for healthcare professionals. New York, NY: Cengage Learning
Lindh, Q. W., Pooler, M., Tamparo, D. C., & Dahl, M. B. (2009). Delmar’s administrative medical assisting. New York, NY: Cengage Learning
Nass, J. S., Levil, A. L., & Gostin, O. L. (2009). Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research. Washington, DC: National Academies Press