HIPAA Requirements – Time for a Major Regulatory Change

HIPAA Requirements – Time for a Major Regulatory Change

by Bevon Findley (SU)

It is only fitting that legislation that was created in the mid 1990’s be considered, as most HIPAA experts would agree, outdated. Even with changes brought about by HITECH and the Omnibus Act, the implementation specifications remain relatively unchanged. It is still one-size-fits-all when it comes to meeting the requirements.

Sure, you could argue what is reasonable and appropriate for one healthcare provider is not for another. Therefore, it comes down to how each implementation specification is interpreted, how you decipher what the Code of Federal Regulation (CFR) is asking for. After spending 27 years working for the Federal government and being involved in policy and regulatory oversight, even I sometimes struggle with how to make sense of a particular CFR.

For larger healthcare providers that have regulatory and compliance staff, HIPAA compliance might be a bit easier. But for the smaller providers who are required to follow all of the same requirements, albeit what is “reasonable and appropriate,” this is a colossal struggle. I can see why some small providers just throw their hands up and say, “This is way too complex for us to figure out.”

When the HIPAA legislation was created, the healthcare system in this country was really starting to transform. Today, with more and more specialty practices and other types of healthcare service providers tapping into this growing market, updating regulation requirements must be a priority. It cannot be a one-size-fits-all requirement anymore. The U.S. Congress needs to take into consideration how the healthcare industry has changed, in particular with the emergence of new health related mobile apps hitting the techno-sphere. HIPAA regulatory requirements must be adaptable to meet this changing environment.

When I conduct a HIPAA risk assessment for a smaller healthcare provider and I ask a question in an attempt to adhere to the implementation specification, often I get a non-applicable response. The hard work for me is how to get that provider covered in meeting a required implementation specification if it is non-applicable. If a provider is truly making the effort with due diligence to follow the HIPAA regulations, then that should be factored into the equation.  The process must allow for more discretion when it comes to some of the implementation specifications.

All of this will require legislative fixes. The U.S. Congress can rattle a few cages and give the impression there is real concern with making sure healthcare providers are doing everything they can to safeguard patient records, but until there is movement towards making necessary legislative changes, HIPAA requirements will remain as confusing to some as the U.S. tax code.

Back in the mid 1990’s, Senators Kasebaum and Kennedy, the sponsors of the insurance reform legislation that became known as HIPAA, clearly had a vision about the changing landscape of healthcare security in this country. Which current day senators will have that vision and want to undertake this monumental task in reforming HIPAA for the next decade remains to be seen.  The time is now to start down this road.