Help for the Little Guy

January 15, 2001

Practices can't afford to ignore HIPAA legislation anymore


With most physicians already struggling under the burdens of managed care - juggling mass amounts of paperwork and patients while facing dwindling reimbursement - few seem to have the time or desire to find out what the Health Insurance Portability and Accountability Act (HIPAA) will require of them.

However, according to HIPAA expert Tom Hanks, practice director of enterprise security and HIPAA compliance with Boston-based Beacon Partners Inc., a national management-consulting firm that helps large healthcare providers become HIPAA compliant, practices can no longer afford to ignore the legislation. It is the smaller practices that Hanks is most worried about: physicians in solo and small group practices don't have the resources the larger organizations have, and they can't afford to bring in consultants to do the necessary assessment work. What are their options? Complying with HIPAA is not a choice - it's a must.

Recently, Hanks talked to Physicians Practice about how tough HIPAA will be and the obstacles small healthcare providers face to effectively work their way toward compliance.

PPD: While most physicians are just getting to know HIPAA, you have been involved with the legislation since before it was even a bill, contributing to the development of the security and standards regulations. How did you get introduced to the legislation?

HANKS: I was vice president of strategic systems for the largest single provider of healthcare services in the country at the time. In 1995, one of our lobbyists saw the bill and said, "Wow, you might want to take a look at this." So I did and got on a couple of committees. At the time, I was already a member of AFEHCT, the Association for Electronic Health Care Transactions, and we were working with the Department of Health and Human Services (HHS) and the Health Care Financing Administration (HCFA) to actually educate them on what the impact of this legislation was going to be to the provider community. From there I got on the board of the Work Group for Electronic Data Interchange (WEDI) and currently co-chair their privacy policy action group.

What's significant about WEDI is that it's a work group that's actually named in the legislation - the HHS actually has to consult with us in order to write the regulations.

PPD: It is generally understood that many physicians aren't familiar with HIPAA legislation. What would you tell them about the impact this act will have on their practices?

HANKS: Explaining the impact of HIPAA on practices is a two- or three-hour conversation, but there are things that are real important that we need to get across to the provider community. First, you don't have to be Fort Knox. One of the things that's been real distressing to me is all of the hardware and software vendors out there and people who aren't involved in the healthcare community deciding that all healthcare practices have to have high levels of encryption or whatever. These companies are telling doctors they can go out and buy products that will make a practice HIPAA compliant. A message I want to get across is that there is no such thing as HIPAA-compliant software or hardware - it simply doesn't exist. It is totally up to the individual practice to be compliant - it's their responsibility, not their vendors'. Practices need to understand their own organization and to develop security and privacy policies and procedures. Then - and only then - should they select the technology that supports the policies and procedures in their operations.

PPD: What physicians are probably the most concerned about is the cost and degree of difficulty associated with HIPAA compliance. Can you shed any light on just how costly or troublesome complying is going to be?

HANKS: I think what we really need to get across to these folks is that HIPAA isn't going to be as tough on you as you think it is. Cost-wise, if you are talking about a small practice, physical security is a lock on the door. For a larger environment, physical security may mean that you need to separate your computer systems and put them in a separate room and lock that door. In an even larger healthcare system, like a Mayo Clinic-type environment, you may need card access and the establishment of "perimeters of protection." But a good thing about HIPAA is it's designed to be extremely scalable.

Physicians are going to have to expend some time and energy on this - that's without question. But is it going to put them out of business? Only if they let it. HIPAA is very clear. There's a portion in the preamble of the security regulations that specifically says it's up to the individual [practice] to apply appropriate protections to patient information, taking into account the type of entity and its assessment of the size and cost of remediation. The assessment phase will probably be where small practices put most of their attention. And that's looking at where they are and comparing it to where they need to be to be compliant.

PPD: Many doctors are already overburdened by the financial and time constraints placed on them by managed care. Are you concerned that HIPAA compliance will add yet another layer of bureaucracy?

HANKS: I'm very concerned about how these smaller providers are going to become educated and how they're going to be able to do the assessment work. Many don't have the resources the larger organizations have and they can't afford to bring in consultants. Smaller healthcare providers are going to have to figure out how to do it on their own, but the upside is HIPAA will let them do that.

It's my understanding that HHS doesn't have an educational program in their budget, but they do have a rollout plan that will help with the education. Part of the problem is the providers have simply been ignoring HIPAA, but there have been tons of resources for them to learn about the act and how it impacts them. The whole attitude is that, "This may go away, so we don't really need to worry about it." Now, larger organizations finally have HIPAA on their radar screens, but the smaller organizations haven't woken up and smelled the roses yet.

PPD: What would you say to the physicians who haven't woken up or are just plain intimidated when it comes to preparing to meet HIPAA requirements?

HANKS: Physicians need to realize HIPAA isn't going to go away and that there are significant ramifications if you fail to comply. Practices are going to have to expend some time and energy. It will be aggravating, but in the end you're probably going to come away with a better-run business than what you have now.

PPD: What will be aggravating about preparing for HIPAA? Is it merely the time physicians will have to invest or the changes they'll have to make?

HANKS: Most people don't like change, and there will be some changes where practices will have to do things differently. Some office functions won't change; physicians will just have to document what they're doing. I say aggravating because practices are going to have to spend time and energy doing the assessment process and really putting thought into it. That's where the conflict with the smaller provider organizations is going to be because it's not like doctors have a lot of time to throw away. I believe that is going to be one of the biggest issues with the small practices - just the attention that is going to have to be given to it and the distraction factor. But it's not going to be nearly as difficult for the small practices as they think it is. Physicians need to get over the denial phase though, because if you don't you're going to be making it real tough on yourself in the future.

PPD: You usually counsel large healthcare providers on getting ready for HIPAA, yet you've put a lot of energy into educating small providers, even going so far as to write a white paper. Why are you so worried about smaller practices in relation to HIPAA?

HANKS: My main concern is that there is no evidence that smaller providers are paying attention to what's going on. And I think that's a real problem because they're not aware of HIPAA and its ramifications. I really hope they pay attention because they can meet compliance regulations, but there is nothing out there that they can buy off the shelf to solve this with. Physicians have to get educated on HIPAA and get to work. The time to act is now, but the beauty of being a smaller provider is that you get stuff done in less time, so the time for education is now, too.

This article originally appeared in the January/February 2001 issue of Physicians Practice.