We attempted to provide a practical overview of the HIPAA Security Rule and HIPAA Privacy Rule, and in more general terms, the implications of the HITECH Act with respect to both. As we mentioned in the Introduction of this guide, the combined legislation is sweeping in scope. To describe the regulatory text as dense would be a gross understatement. We greatly empathize with providers, both large and small, who struggle with the complexities inherent in compliance while at the same time keeping up with their own industry and working hard to deliver high quality care on a daily basis. Compliance starts with awareness. It is our hope that this guide has delivered on this modest objective.
We believe that most providers have made an honest effort to comply with key sections of the Privacy Rule (e.g. the notice requirement), while implementation of other sections of the rule (e.g. process documentation requirements) is either rudimentary or completely lacking. For small providers this state of affairs may be due to any number of factors, including resource constraints and a lack of actionable information. The Security Rule has largely been ignored by small providers since most do not currently have EHR systems in place. As we indicated in the HITECH Act discussion, both rules are now front and center as HHS attempts to build a national health infrastructure and pushes for the adoption of electronic health records.
We want to reiterate our belief that privacy and security issues are important public policy concerns. Full compliance with HIPAA and HITECH, to the degree that full compliance is possible, is certainly a goal that all providers should work diligently to meet. However, we also believe that the majority of providers need help in reaching this goal. The aforementioned public policy concerns need to be balanced with our need to increase the number of primary care providers. It is simply not helpful to ignore the cost of compliance while attempting to achieve other important national objectives. Compliance is one of many challenges that require a public/private partnership if we hope to meet it in a reasonable way.
We have a project underway to make this guide available online at www.hipaasurvivalguide.com, together with links to the full text of the regulations. We believe that compliance can be enhanced dramatically through better guidance from HHS and through online professional networks of providers willing to share their knowledge for the common good of the provider community. This can be accomplished using wikis, blogs, videos, interactive websites, Twitter, and other enabling technologies. We see some evidence of this "open source" approach already underway, albeit in its early stages.
We need to continue moving forward. Hopefully our effort will "jump start" other initiatives. Transforming the health care industry is simply too important a goal to go unmet. The devil is in the details, and these details are messy and complex. Any top-down mandate, without adequate support from the trenches, is not likely to meet with much success, despite the best of intentions. This is true with respect to compliance, with respect to EHR adoption, and with respect to the myriad of challenges that the industry's transformation implicates. We will either collectively solve the problem or individually bear the failure.
We choose to believe in the former. Keep the faith.