How to get management to accept HIPAA compliance
My company is slow to accept that HIPAA compliance will require significant spending on items from infrastructure through capital items and possibly personnel. How can I help them step up?
Start with an assessment of the regulatory and business requirements and then, propose spending for items that will enable the company to meet those needs.
Be sure to assess your company's compliance with new record keeping and data retention requirements under the HIPAA Privacy Rule. Covered entities (CEs) -- including healthcare providers and health insurance carriers -- must keep records of all disclosures of protected health information (PHI) for six years, so the CE can respond to a patient's request for the record of such disclosures. This may require new infrastructure capabilities for logging and indexing all requests for patient information, and their handling and disposition -- and for generating a report in response to a patient's request.
Also, assess the impact of the HIPAA Security Rule that requires CEs to safeguard the confidentiality and integrity of PHI in electronic records during transmission and storage. The compliance deadline for large companies is April 2005 for the Security Rule but companies should plan to complete their assessments and implement their infrastructure solutions by the end of 2004
. Allow time for validation testing, staff training and compliance audits -- before the compliance deadline.
If your assessment shows that you need new infrastructure to implement the appropriate technical safeguards, it will take some time to get the new infrastructure defined and installed. So the time to start is now!
Ed note: If you would like to read additional compliance articles, opinions and expert advice, make sure to sign-up for our ALERTS on compliance. Click here to sign up. SearchStorage.com also offers alerts on low-cost storage.
Do you agree with this expert's response? If you have more to share, post it in one of our
This was first published in December 2003