Rx2000HIPAA Digest, Volume 1

#1 From: brider@jhmi.edu  Subject: Re: RE: HIPAA Costs
#2 From: oplandr@uphs.upenn.edu  Subject: Re: HIPAA Costs
#3 From: dgmyr@northnet.org  Subject: Re: HIPAA Costs
#4 From: lsmith@stjames.ie  Subject: Standards of Privacy
#5 From: Woosleew@aol.com  Subject: Re: HIPAA Costs
#6 From: eellis@metalogics.com  Subject: Re: HIPAA Costs
#7 From: larisa_funk@smhwecare.com  Subject: Re[2]: HIPAA Costs
#8 From: NBorho@ascensionhealth.org  Subject: Re: RE: HIPAA Costs

********** Message #1 **********
From: brider@jhmi.edu
To: Rx2000HIPAA@rx2000.org
Subject: Re: RE: HIPAA Costs
Date: Wed, 16 Feb 2000 15:24:03 -0500

Roger...I suspect most of us hospitals are looking down that barrel. Just thinking out loud here, but what about the idea of carving out the EDI issues (aka transaction sets, code sets, etc.) and the identifiable data elements with potential impact to applications (since those two seem to be the most finite at this point) and begin attaching dollars/time/resources to those in the form of project plans - I'm starting to lean towards a recommendation for that approach. Also, I think many of the issues involving privacy and confidentiality of information will require a very detailed and comprehensive look at existing and/or proposed policies/procedures/standards/practices which will require time and resources but maybe not as much in the way of hard dollars. Just some thoughts.......

>>> 02/16 1:36 PM >>>
I agree...I don't think you'll see the high expenditures at the onset of the regs. But you will start seeing some drastic numbers toward the later part of this year and on throughout as mid to large sized organizations continue to grapple with the changes required to meet the guidelines....

With that, I have a question...since our budgetary process runs from July 1 - June 30, are there any hospitals out there that can give me a grain-of-salt approach on budgeting for this project?? The final rules are not out, they will impact my next budget, but until they finish the regs...I won't really know how much?? Are any other hospitals looking down the same barrel??

Just my two-cents...

Roger Neal
Director, Information Systems
Jackson Co. Memorial Hospital
Altus, OK.
http://www.jcmh.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, February 16, 2000 11:47 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Costs

Not all final rules will be posted in 2000, in fact some proposed rules have not even been published yet, see dates below obtained from AHIMA website.

Revised Final Rule Dates:
  Transactions and Coding: Expected March 2000; Compliance May 2002
  National Employer Identifier: Expected March 2000; Compliance May 2002
  National Provider Identifier: Expected June 2000; Compliance December 2002

NPRMs in Development:
  National Health Plan Identifier: Expected NPRM April 2000; Final Rule April 2001; Compliance June 2003
  Claims Attachments: Expected NPRM March 2000; Final Rule October 2000; Compliance December 2002

A date to publish the final rule establishing Standards for Privacy of Individually Identifiable Health Information has not been determined.

In another development, the Electronic Signatures/Security proposed rule will be separated into two rules: 1) Security and 2) Electronic Signatures. The Security final rule is expected in May 2000 and compliance will be required by July 2002. The Electronic Signature rule will follow by several months.

Rx2000HIPAA@rx2000.org on 02/15/2000 07:45:37 PM
Please respond to Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
cc:
Subject: Re: HIPAA Costs

I guess I am somewhat at a loss. Are ANY final rules set and published yet, if so what are they? I don't think the costs will be that high this year, everyone is still reeling from the Y2K expenditures and waiting on all the final rules to be published (by the end of the year).
In 2001 and 2002 I think we will see significant costs in the area of data security and efforts to change corporate culture.

********** Message #2 **********
From: oplandr@uphs.upenn.edu
To: "'rx2000hipaa@rx2000.org'"
Subject: Re: HIPAA Costs
Date: Wed, 16 Feb 2000 16:19:52 -0500

The official Administrative Simplification [provisions of HIPAA dealing with Security, Privacy, etc.] website is at http://aspe.os.dhhs.gov/admnsimp/. It includes a "Tentative Schedule for Publication of HIPAA Administrative Simplification Regulations" at http://aspe.os.dhhs.gov/admnsimp/pubsched.htm. It's good to check back occasionally for updates. The main site also includes a list server signup feature that will provide you with official notification of AS developments.

Russ
__________________________________
Russell M. Opland, MPH, EMT-P
Information Systems Auditor
Office of Audit and Compliance
University of Pennsylvania
Suite 214, 3819 Chestnut Street
Philadelphia PA 19104-3106, U.S.A.
Voice: +1.215.573.4496
Fax: +1.215.662.7265
E-mail: oplandr@uphs.upenn.edu

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, February 15, 2000 7:46 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Costs

I guess I am somewhat at a loss. Are ANY final rules set and published yet, if so what are they? I don't think the costs will be that high this year, everyone is still reeling from the Y2K expenditures and waiting on all the final rules to be published (by the end of the year). In 2001 and 2002 I think we will see significant costs in the area of data security and efforts to change corporate culture.

********** Message #3 **********
From: dgmyr@northnet.org
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Costs
Date: Wed, 16 Feb 2000 18:51:15 -0500

Please, what is HIPAA? Thanks!

Rx2000HIPAA@rx2000.org wrote:
> Dear Listserv Reader,
>
> Welcome to the new Rx2000 HIPAA listserv. We are very pleased to be
> providing this service free of charge to the healthcare community. This
> listserv is here to help you, as a forum where HIPAA related discussions
> can occur and you can find answers to your questions. I encourage you to
> post your questions here; it is likely that others may have similar
> questions, and with over 3000 participants on this listserv, someone will
> either have an answer or be able to get one.
>
> I'd like to start off the discussion with some questions I have. I have
> spoken with many of you and I have read a number of articles all of which
> indicate that healthcare's costs for complying with the HIPAA regulations
> may be two to three times the amount healthcare spent in preparing for
> Y2K. What do you think, and how is your organization planning on dealing
> with the expense? How do you feel the expenses will be incurred (i.e.,
> where specifically will the costs be)? How do you expect the expenses will
> be spread over the years 2000, 2001, etc.? Have healthcare organizations
> adequately budgeted for HIPAA expenses to be incurred in the current budget
> year? Do you feel that the senior management of healthcare organizations
> is sufficiently aware of HIPAA implications and costs?
>
> Feel free to submit any other questions you have, as well as any responses
> you would like to share regarding my questions above. I look forward to
> your postings and participation in this healthcare community forum.
>
> Joel Ackerman
> Executive Director
> Rx2000 Institute
> ackerman@rx2000.org

********** Message #4 **********
From: lsmith@stjames.ie
To:
Subject: Standards of Privacy
Date: Thu, 17 Feb 2000 12:13:59 -0000

Can you please let me know where I can get details of standards for privacy of individually identifiable health information and also rules for electronic signatures and security. I am working in Ireland and HIPAA does not affect our hospital - although I was very interested in it. I am currently looking at capture of patient consent to the sharing of information with third parties and to the use of information for internal research within the hospital - If anyone has collected information sharing consent for patients and could assist me in regard to wording and procedures I would be delighted to hear from them.

Regards
Lesley Gail Smith RGN,
IMS Department,
St. James's Hospital, Dublin.
Telephone: 4162513 or 4103337
Fax 4103470

********** Message #5 **********
From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Costs
Date: Thu, 17 Feb 2000 08:35:10 EST

In a message dated 2/16/00 3:05:36 PM Eastern Standard Time, Rx2000HIPAA@rx2000.org writes:

<< One other that I am finding alarming is the potential for provisions of the regulations to be presumptively preemptive of state laws. >>

Bill,

You're right, the law does appear to be presumptively preemptive of state law. However, in reading further, this appears to be a lever used to get the states to act on HIPAA. If they neglect to act the federal is assumed. I am not a lawyer, but it does appear that the states have the option to override much of the ruling, except the spirit of the law. I would be interested in hearing some opinions from legal eagles out there.

Errick Woosley
3X Corp.
********** Message #6 **********
From: eellis@metalogics.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Costs
Date: Thu, 17 Feb 2000 07:44:28 -0500

Obviously, HIPAA costs for the first phase will be spread over the three main areas of the compliance issues: Privacy, Security and the Transaction Sets. Then, within four years after HHS publishes the "start date" for the first phase, the Computerized Patient Record layouts will be published, beginning a second phase of HIPAA compliance.

Dollars are difficult to project as the guidelines are "scalable" and, as a colleague put it, "specific in their ambiguity". However, there are some projectable costs.

The Privacy issues will be the easiest and least costly - Privacy Goals will be set by administrative edicts and are, for the most part, already set forth in Medical Record policy and JCAHO directives. A temporary administrative committee will initiate a corporate mindset and a list of directives that set forth the basis for Security. This will not be terribly difficult or expensive. Training and indoctrination for the staff will also be part of this phase.

Security compliance will consume significant resources. However, utilizing the existing inventories from Y2K provides a good starting point. Interface maps will allow identification of data flow, internal and external users and HIPAA-defined business partners. A Gap Analysis comparing the Privacy goals to current data usage will provide targeted lapses. Policies for data control will be developed (much more stringent than most in existence) and Procedures documenting the processes will be published. Identifying and controlling progeny (e.g., Pulmonary Function "carry cards" that are filled out throughout the day and then data-entered to the patient care system at day's end) will require significant analysis.

Security "layering" will evolve - The firewall between the internet and the file servers will be augmented by a change in architecture - an additional (different type than original) firewall will be placed between the servers and their data. Biometric sign-on devices will become more common. Network-wide security applications will be implemented. Encryption methodologies will suddenly become buzzwords with comparisons of 128- and 256-bit. At present healthcare systems have disparate systems with likewise disparate security built into the applications. New, standardized security will be required. Transaction, and even field-based security will be required. There are myriad additional issues here that will consume most of the resources for HIPAA compliance efforts.

The Transaction Sets proposed for HIPAA compliance probably won't require much MIS effort on most healthcare system's part. The intermediary clearing houses will supply the reformats and the billing system's vendor will have to supply the code enhancements to satisfy specific changes and/or new requirements. Costs here will most likely be in retraining registrars and billing personnel and a temporary rise in days-in-accounts-receivable as procedures get ironed out.

Since Y2K costs were scalable to institution size, it makes sense to attempt to compare the scalable HIPAA costs to Y2K. However Y2K saw healthcare systems across the nation describing identical goals and very similar methodologies. HIPAA costs will depend upon each institution's interpretation and administration's setting of Privacy goals. That being said, Y2K costs for an individual healthcare system will, based solely upon the manual efforts required (not including technology expenditures) exceed Y2K costs by at least 50%.

Healthcare administration is not presently aware that such a detailed and resource-intensive project looms. Nor have most budgeted for HIPAA. The most likely scenario will parallel Y2K with a groundswell of information and then the sudden realization that this is real. Following comes the requisite gnashing of teeth and self-immolation of hospital administrators as they realize another huge, hairy and expensive beast has camped directly on their doorstep.

Opinions and statements here are mine alone.

Good Luck to all.

Ernie Ellis

Rx2000HIPAA@rx2000.org wrote:
> Please, what is HIPAA? Thanks!
>
> Rx2000HIPAA@rx2000.org wrote:
> > Dear Listserv Reader,
> >
> > Welcome to the new Rx2000 HIPAA listserv. [...]
> >
> > Joel Ackerman
> > Executive Director
> > Rx2000 Institute
> > ackerman@rx2000.org

********** Message #7 **********
From: larisa_funk@smhwecare.com
To: Rx2000HIPAA@rx2000.org
Subject: Re[2]: HIPAA Costs
Date: Thu, 17 Feb 2000 09:26:27 -0500

HIPAA stands for: Health Insurance Portability and Accountability Act of 1996. Basically what this means is ensuring the security of, as well as standardizing, the transaction of patient information via Internet. This includes the transfer of information from provider to payor and vice versa, as well as the transfer of any patient information to physicians, other hospitals, etc. over the Internet. There it is in a nutshell.

There is tons of information on-line about the subject. Check out this website for some more information. Remember though, the regulations are not yet finalized!

http://healthcare.3com.com/securitynet/hipaa/index.html

Another member of this listserv sent out the website for the Administrative Simplification Requirement with tentative dates of compliance listed. That is also a good site to check out!

Happy surfing!

____________________Reply Separator____________________
Subject: Re: HIPAA Costs
Author: Rx2000HIPAA@rx2000.org
Date: 2/16/00 6:51 PM

Please, what is HIPAA? Thanks!

Rx2000HIPAA@rx2000.org wrote:
> Dear Listserv Reader,
>
> Welcome to the new Rx2000 HIPAA listserv. [...]
>
> Joel Ackerman
> Executive Director
> Rx2000 Institute
> ackerman@rx2000.org

********** Message #8 **********
From: NBorho@ascensionhealth.org
To:
Subject: Re: RE: HIPAA Costs
Date: Thu, 17 Feb 2000 10:01:43 -0600

re presumptive preemption of state laws...

"The HIPAA provides that the rule promulgated by the Secretary may NOT preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections. The HIPAA also provides that standards issued by the Secretary will NOT supersede certain other state laws." The HIPAA essentially establishes a floor / a minimum standards set.

Nicholas Borho
Ascension Health

<<< 02/16/00 12:29PM >>>
Joel,

I agree with David's observations with regards to having some areas of the HIPAA components in place in the organization. Many of the areas addressed by HIPAA represent controls that typically would be present within the business processes as a normal course (i.e., data backups, logon authentication, etc.)
The issue becomes evaluating current controls as they map to HIPAA and determining what gaps (if any) exist, the amount of dollars, training and time to address those gaps (or assume a level of risk) and the ongoing monitoring and reporting of compliance.

What is still a hazy area is the confidentiality/privacy area where we will need to react to things like the data elements that are defined as "identifiable" information and to what degree we can de-identify the record, what impact de-identifying data will have on research, market analysis, etc. and how much all of that will cost.

Also, what dollar/resource impact there will be on "legacy" applications when we have to modify them to support HIPAA compliant EDI transactions, code sets, etc.

One other that I am finding alarming is the potential for provisions of the regulations to be presumptively preemptive of state laws. That would seem to be contrary to both the spirit of Administrative Simplification and derived benefits of E-Commerce.

I guess we're coming up with as many questions and issues as we are answers or solutions - but I think dialogue like this is great.

Thanks.....

Bill Rider
Manager, Information Security & Disaster Recovery
Johns Hopkins Hospital

>>> 02/16 11:14 AM >>>
Joel,

The answers to your HIPAA cost questions are dependent on the organization's size, risk tolerance, and present state of the network/IT infrastructure. Very small and small organizations may be able to comply with HIPAA requirements fairly inexpensively using only policy and procedure upgrades. Medium size and larger organizations most likely will be required to implement the HIPAA privacy and security proposed regulations to the letter (and expense) of the law.

If you can believe the Blue Cross BlueShield Assoc./Nolan Consulting ( http://www.renolan.com/healthcare/privacy.htm ) report on HIPAA 5 year costs, over half of HIPAA costs will be related to infrastructure upgrades. If your network is not secure (both physically and technically), plan on spending money to bring it into compliance.

What is your organization's risk tolerance? Are your manual downtime procedures adequate for HIPAA compliance or do you feel you need a hot site? How many applications have "individually identifiable health care information" and how comfortable are you with the access to those applications. How about paper records? It seems clear that HHS is going to go after paper records in the future. How's the HIM process?

In our organization we are fortunate in that we have a very secure technical/network infrastructure and we currently have in place many of the proposed HIPAA security regulations. In our case, I believe many of our costs will be in the form of "behavioral modifications" i.e. business process changes and the associated training of those process changes. Initially, our HIPAA costs will be absorbed into those department budgets that are most affected (IS, HIM, HR, Risk Management, Learning and Education, Legal). Eventually we will have to formally budget for HIPAA. (In FY-2000 we do NOT have a specific HIPAA line item budget). I look for additional costs in upgrading applications to HIPAA compliant versions (read "tracking and disclosure audit trails") and associated hardware upgrades for those applications (read "increased disk space"). I do NOT think the cost will be 2-3 times Y2K for our organization, but perhaps equal to it.

My biggest worry is NOT the main clinical and financial applications, but the numerous small applications used both at the individual department level and at remote sites (Hospice, Homecare, EMS services, HME's) that may fall through the traditional support paths of our organization. Again, the risk assessment process will help determine where our risks are and are not.

Is our Senior Management aware of HIPAA costs and implications? Some are, some are not. It is our job to inform and educate. Our HIPAA project main initial focus is pointed at senior management education for HIPAA issues, including financial penalties and jail time. Over all, however, we are attempting to posture HIPAA compliance as a "good thing" because of the standardization of a very non-standard industry, the potential of reduced costs of EDI and paper, reduction of human intervention, increasing electronic availability of "allowed" information within our hospitals and setting the stage for a "standard" Electronic Medical Record (EMR). That is not to trivialize the challenges of getting to HIPAA compliance, but to realize that, once we achieve it, there will be benefits.

One final comment. Y2K came and went. It was a one time deal. HIPAA will not go away in a year or two. When budgeting your HIPAA costs, keep in mind that it will be an ongoing process.

Sorry to get on the soap box. Perhaps it will get the listserv started with comments on....My opinions only.

David Tefft
Mount Carmel
Columbus, Ohio

> -----Original Message-----
> From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
> Sent: Tuesday, February 15, 2000 4:45 PM
> To: Rx2000HIPAA@rx2000.org
> Subject: HIPAA Costs
>
> Dear Listserv Reader,
>
> Welcome to the new Rx2000 HIPAA listserv. [...]
>
> Joel Ackerman
> Executive Director
> Rx2000 Institute
> ackerman@rx2000.org
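Three of the technical threads in this digest (Bill Rider's question of "to what degree we can de-identify the record", Ernie Ellis's expectation of "transaction, and even field-based security", and David Tefft's "tracking and disclosure audit trails") are easier to reason about with a concrete sketch. The Python below is an added example written for this page; it is not code from any listserv participant and it does not reproduce the text of any HIPAA rule. The set of identifying fields, the role-to-field policy, the sample record and the key are all assumptions chosen for illustration.

```python
"""Field-level disclosure, de-identification and a tamper-evident
disclosure audit trail for one patient record.

Added illustration only.  IDENTIFYING_FIELDS and ROLE_POLICY are
assumptions for the example, not the definition in any regulation."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed set of directly identifying data elements (illustration only).
IDENTIFYING_FIELDS = frozenset({"name", "ssn", "address", "phone", "mrn", "dob"})

# Assumed role-to-field policy (illustration only).  A researcher never
# receives identifying fields; see disclose() for how that is enforced.
ROLE_POLICY = {
    "attending": frozenset({"name", "mrn", "dob", "diagnosis", "labs"}),
    "billing": frozenset({"name", "mrn", "address", "diagnosis"}),
    "researcher": frozenset({"dob", "diagnosis", "labs"}),
}

# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "mrn": "MRN-0000123",
    "name": "Pat Example",
    "ssn": "000-00-0000",
    "address": "1 Example St, Anytown",
    "phone": "555-0100",
    "dob": "1950-04-17",
    "diagnosis": "J45.20",
    "labs": {"FEV1": 2.1},
}


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed, stable pseudonym: rows for one patient stay linkable in a
    research extract, but the MRN cannot be recovered without the key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Drop every identifying field, keep a keyed pseudonym for linkage,
    and coarsen the date of birth to a year."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["pseudonym"] = pseudonym(record["mrn"], key)
    if "dob" in record:
        out["birth_year"] = int(record["dob"][:4])
    return out


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DisclosureAudit:
    """Append-only disclosure log.  Each entry carries the hash of the
    previous one, so editing or deleting an entry in place makes verify()
    fail."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, role: str, purpose: str, mrn: str, granted, denied) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "purpose": purpose,
            "mrn": mrn,
            "granted": sorted(granted),
            "denied": sorted(denied),
            "prev": self._prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def disclose(record: dict, role: str, purpose: str,
             audit: DisclosureAudit, key: bytes) -> dict:
    """Return only the fields the role may see and log the disclosure,
    including the fields that were withheld."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"unknown role {role!r}")
    view = {k: v for k, v in record.items() if k in ROLE_POLICY[role]}
    if role == "researcher":
        # The MRN is passed in only so deidentify() can derive the pseudonym.
        view = deidentify(dict(view, mrn=record["mrn"]), key)
    denied = set(record) - set(view)
    audit.record(role, purpose, record["mrn"], set(view), denied)
    return view


if __name__ == "__main__":
    log = DisclosureAudit()
    demo_key = b"example-key-not-for-production"  # assumption
    print(json.dumps(disclose(SAMPLE_RECORD, "researcher", "asthma study",
                              log, demo_key), indent=2))
    print("audit chain intact:", log.verify())
```

The hash chain makes silent alteration of the log detectable, not impossible: anyone who can rewrite the whole log can rebuild the chain, so the entries have to land somewhere the application itself cannot modify. The keyed pseudonym is what lets a research extract keep one patient's rows together without carrying the MRN; the key has to be held away from the people who receive the extract.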