HIPAA Advisory Services
A new area of training from AACI

Abbey & Abbey, Consultants, Inc., provides a range of advisory services for hospital-associated health care providers in implementing the wide range of systems, policies and procedures that are necessary to meet the HIPAA-mandated privacy and security rules and regulations. Health care providers should view the HIPAA rules and regulations as the gateway to e-commerce in health care. However, properly developing and implementing the correct strategies, systems, equipment, and protocols is a daunting task. It is estimated that HIPAA preparatory costs will exceed Y2K activities by two to three times.

The consultants at Abbey & Abbey, Consultants, Inc. provide the following advisory services. These involve assessing, reviewing and coordinating activities such as:

  • Develop and Assess HIPAA Implementation Strategies
    • Develop operational, tactical strategies to achieve the two-year implementation plan mandated by the HIPAA rules and regulations. There are multiple levels that must be considered and varying degrees of concern. The new rules and regulations are general and thus quite comprehensive. The perspective that should be taken is to prepare the given hospital or system for healthcare e-commerce. A part of developing implementation strategies is to determine the areas in which risk or exposure is the greatest. The process of risk assessment and determination of the highest priority steps is a part of this process. In order to properly address the many facets of HIPAA, it is necessary to develop a strategy team which then has sub-teams to address more specific areas, technical and administrative.
  • Develop Project Plans and Financial Budgets
    • After the scope and breadth of HIPAA implementation has been determined through appropriate analyses and risk assessments, specific project plans can be developed and financial budgets determined. Some aspects of the HIPAA implementation will be quite technical in nature, involving computer security, network security and the like. Other aspects will be much more administrative, such as setting up trusted partner agreements, various policies and procedures, and education and training of personnel.
  • Train and Educate All Levels Of Personnel
    • Training and education development is an absolute prerequisite for HIPAA planning and implementation. A comprehensive training program for virtually all levels of personnel must be developed and implemented over the two-year implementation period. Even beyond this implementation period, personnel will need to receive additional training on an ongoing basis. Note that a comprehensive program of this nature will involve in-house training as well as external training. Some of the external training will need to be quite technical in nature especially in the computer and network security areas.
  • Supply Policy and Procedure Templates and Outlines
    • There are a number of good sources for various policy and procedure development in the computer and network areas. In many cases it is primarily necessary to pick, choose and modify already existing standards and procedures for administrative purposes. Integrating computer and hardware security choices into the administrative policies and procedures is necessary. While a number of sources exist to assist in the process, including the British Standard BS 7799, there must be careful modification to meet specific hospital or system requirements. In some cases the standards will be virtually mandated, since there will be a single standard for a given type of process. In other cases there may be choices relative to standards selection. For instance, significant yield increases will be achieved when computer vendors adopt HL-7 (Health Level 7) secure interfaces. Adopting HL-7 will increase efficiencies and increase future compliance.
  • Evaluate and Assess Services and Vendors
    • A number of different vendors, services and various standards will need to be chosen for any given situation. Some of the vendors will provide products that are of significant technical complexity such as VPNs (virtual private networks) while other services are more typical such as virus scanners or firewall software. Add to this the complexity of having outside sources audit various aspects of the privacy and security at the hospital and we see that a number of different vendors and/or relationships will need to be established or extended. Evaluating, assessing and managing these relationships requires significant time, expertise and resources.
  • Review and Coordinate Implementation
    • Implementation of the HIPAA privacy and security arrangements in order to approach healthcare e-commerce will require significant time, effort and resources both in terms of money and personnel time. Since these new rules and regulations are mandated with significant penalties for failure to comply, hospitals and hospital systems must constantly review and coordinate the efforts of often disparate departments and personnel. Implementation of the HIPAA rules and regulations comes at a time when overall payment for healthcare services is decreasing. Thus, the need to have routine careful review of the overall process is critical to cost-effective implementation of the various systems and processes.

      © 1999-2001 Abbey & Abbey, Consultants, Inc. – Version 2.3 January, 2001