Forward, HIPAA Should Not Have Much More

¶ … forward, HIPAA should not have much more impact on health care systems in general. HIPAA was passed into law in 1996 nearly three Presidents ago and has been in full implementation since the final modifications to the privacy rule were put into place in 2002, giving health care stakeholders a dozen years to have been working with the regulations (HHS.gov, 2014). This means that everything should have been implemented already with respect to HIPAA -- full compliance was required by 2003 - and there should not be any future changes. There should have been changes over the course of the last 18 years to address the different elements of HIPAA, however, and build the law into the health care systems. The HITECH Act is more recent, having been passed into law in 2011. This law creates incentives to implement electronic health records, and HITECH also made some changes to HIPAA compliance as well (HealthIT.com, 2014).

Holloway (2003) notes, however, that in many cases state laws supersede HIPAA, if the state law is deemed to be more protective. As is the case with many federal laws, such as those governing minimum wage, HIPAA presents a legislation floor, a minimum standard for the country. Any state can go beyond this standard should it choose. The problem that this creates for health care providers who transcend states and especially for software vendors is that the nation has a patchwork of laws governing the development of electronic health records (EHRs) and health information privacy protections.

2)

HITECH is of particular importance because it provides incentives to "stimulate the adoption of electronic health records and supporting technology," and these incentives run through 2015 (Health IT, 2014). HITECH also provides grants for training centers for the personnel required to support a health IT infrastructure (Ibid). From an economic perspective, these incentives are intended to bring new customers to the EHR market, which should be good for business for the hardware and software vendors in particular. They needed to be prepared for the passage of this law -- if they are not prepared yet there might not be any point to it because the moment has almost passed. The spike in demand does present challenges for software companies in particular, since they need to understand which states and rules are on HIPAA and which are not -- hopefully they've figured that out by now -- but also there needs to be an understanding of the legislative interpretations of HIPAA. Oates (2007) notes that the courts have made changes to the way that HIPAA is interpreted and enforced, and it can be expected that this will happen at the state level, too. That presents a major challenge for software vendors who are trying to match up their software products and the training on those products with legislative patchwork that also happens to be a moving target.

The implementation of the systems by providers has been incentivized by HITECH, and health care providers might find themselves rushing to implement EHR before the incentives run out. This could create challenges for technologically-challenged organizations. While employees should be well-versed in HIPAA at this point, the use of software can be a challenge and many health care organizations are now faced with moving to electronic health records as the result of HITECH in particular.

3)

For vendors, the key problem is to keep up-to-date with the changing regulations and to effectively manage their training programs. The changing regulations are a threat because they require frequent updates to the software to ensure that it continues to meet government guidelines, either at the state or the federal level. Moreover, vendors are facing high demand because of HITECH and even with additional funding it can be a challenge to provide adequate training. Yet without adequate training, health care employees can struggle and the systems can be rendered ineffective as a result. Hardware is actually more fluid than software at this point, as there are many off the shelf solutions that could be used in terms of tablets and other portable devices, but organizations need to understand the capabilities of each and how they will affect compliance.

4)