HIPAA regulations loom large as implementation deadline nears

December 1, 1999


Many privacy and administrative rules based on existing standards

Mention “HIPAA” to a roomful of PACS and teleradiology vendors and you are likely to be met by a sea of blank stares, along with a few nods and yawns. Not that this industry doesn’t take the Health Insurance Portability and Accountability Act of 1996 seriously (PNN 10/98); it’s just difficult to get excited about a set of pending federal regulations that are so broad and extensive that finding the most relevant parts is like searching for a needle in a haystack.

In addition, compliance with the various HIPAA rules will not become mandatory until 2002 or, in some cases, 2003. Thus, the priority today for many companies is still Y2K. But once the final HIPAA regulations are in place and being enforced, they will have a significant impact on the image management and electronic patient records industries.

In the world of image and information management, the most relevant parts of HIPAA involve administrative simplification and security. These standards are covered in subtitle F of the proposed regulations and include electronic transactions and codes, national provider and employer identifiers, claims attachments, security, and privacy. According to Harry Rhodes, director of health information management products and services at the American Health Information Management Association (AHIMA), they have several implications for the PACS industry.

“HIPAA was intended to bring together all the activity going on with electronic transaction of health information,” Rhodes said. “There is no clear-cut standard, so there are a lot of interoperability issues.”

Generally speaking, the primary goal of HIPAA is to promote a set of universal standards that will streamline the exchange of electronic patient information and make this information more reliable and more secure. Wherever possible the proposed rules are built on existing standards, including DICOM and HL7. In fact, HIPAA mandates that the Department of Health and Human Services, which is responsible for developing and implementing most of the HIPAA rules, cannot create new standards if relevant standards are already in place.

“So a lot of what is being proposed already exists,” Rhodes said. “If a vendor wanted to, they could go out and begin working with the standards that are out there already.”

A few PACS and RIS companies are doing this. For example, OA Systems, a developer of Web-based teleradiology and image archiving products in Danbury, CT, markets security tokens that actually exceed the HIPAA requirements. The company began developing this technology last year in anticipation of HIPAA compliance becoming mandatory this year (PNN 1/99).

But customers haven’t responded to the security benefits of the technology as enthusiastically as expected, said Gary Hauft, vice president of marketing for OA Systems.

“I think we jumped in a little too early,” he said. “For most of our customers, if you emphasize security as a frontline feature of your product, it doesn’t get you very far.”

But those vendors already working to make their existing and planned products HIPAA-compliant will likely have a competitive advantage very soon, according to Jon Zimmerman, general manager of HDX, an electronic information exchange services subsidiary of Shared Medical Systems in Malvern, PA. SMS is cosponsoring a series of HIPAA security summits for the healthcare industry with Johns Hopkins University and the Workgroup for Electronic Data Interchange (WEDI).

If a PACS company is planning a product for release in 2001, for example, they need to be thinking about the HIPAA regulations, Zimmerman said. And if they are planning to have that product integrate with an RIS, they need to be aware that HIPAA also contains standard code sets for diagnostics and therapeutics.

“PACS vendors need to be cognizant of HIPAA from an electronic data exchange and code-set standardization perspective, a security perspective, and a privacy perspective,” Zimmerman said. “Integration with radiology information management systems is also going to be affected, as is sending data to physicians’ offices.”

In some cases, complying with the HIPAA regulations will be easier than expected. Many parts of the legislation leave room for multiple interpretations, AHIMA’s Rhodes said. For example, the rules call for all electronic patient information to be encrypted before it is transferred, but they don’t delineate what type of encryption method should be used.

For those companies looking to market HIPAA-compliant PACS and RIS products, Zimmerman believes the key is to make sure you talk to the right person, preferably a data security officer or CIO. In addition, he recommends emphasizing how your products not only satisfy data archiving and recovery needs, but do so in accordance with the HIPAA security regulations, which are designed to protect business operations as well as the confidentiality of information.

“Archiving companies have a whole opportunity here they may not be aware of,” Zimmerman said. “If I were an archive vendor, I would be asking myself how I can help my customers with their need for backup and recovery, and how to do it according to HIPAA. That way, you kill two birds with one stone.”

Publication of the final HIPAA regulations governing administrative simplification and security is expected by the end of this year; compliance dates vary from February 2002 (transactions and code sets) to July 2003 (national health plan identifier), depending on the standard. The regulations governing privacy and confidentiality, which include a proposal for a national individual identifier numbering scheme, are on hold until related privacy legislation and regulations can be completed. Under HIPAA, Congress was supposed to have drafted privacy regulations by August of this year but failed to do so; thus, the task has reverted to DHHS. President Clinton announced a 600-page draft proposal of these regulations in October; DHHS now has until February to publish a notice of proposed rules in the Federal Register.

© 1999 Miller Freeman, Inc. All rights reserved.