Most people we interview — at least those working on health care IT staffs — have one beef or another with the Health Insurance Portability and Accountability Act (HIPAA). Lawyers and regulators don’t mind it as much. Patient privacy advocates tend to be either neutral or of the “doesn’t go nearly far enough” mindset.
But if you’re in IT, chances are you think HIPAA is vaguely worded, is enforced in peculiar ways that make compliance a moving target, or carries outrageous potential maximum fines. Or some combination of the above.
Doing interviews for an article on identity management, I ran into David Sheidlower, a guy who actually likes HIPAA. He’s chief information security officer at Health Quest — an upstate New York provider that includes three hospitals and several multi-specialty ambulatory group practices — and manages about 5,000 employee identities as part of his job.
HIPAA, he says, gives him a set of rules that helps organize his strategy for doling out privileges to employees that otherwise would be tough to manage: per-diem nurses, student/resident employees, “floaters” who work in multiple departments and other health care staffers whose job definitions defy traditional classifications.
Not only that, but it helps justify to administrators the case for stronger security and credentialing systems. Breaking down the vagaries of technology-assisted identity management might make for a snoozer of a presentation — until you point out that state attorneys general can now prosecute HIPAA patient privacy breaches.
“For someone whose function in the organization is to be a champion for compliance and for patient confidentiality, HIPAA’s a tool. It’s not a hindrance — it’s something that helps me,” Sheidlower said, pointing out that identity management programs automate HIPAA’s requirements for limiting access to patient data, and documenting access changes for later audits. “It helps me make the case for identity management.”
So, HIPAA naysayers, put that in your pipe and smoke it. While compliance with the complex regulation won’t get easier in 2011, here’s one IT leader turning what many people consider a negative into a positive. You, too, can use Sheidlower’s trick in those heated IT budget meetings when the negotiations for your side need a little shot in the arm.