Systems approach offers seamless privacy act integration in seven easy steps

Finding success in the world of HIPAA (Health Insurance Portability and Accountability Act) is much easier with the System Development Life Cycle to guide the implementation process, according to an e-session presented at the Healthcare Information and Management Systems Society meeting taking place in Dallas this week.

"SDLC seamlessly integrates HIPAA with the covered entity's existing information technology structure," said Joan Kiel, Ph.D., chair of health management systems at Duquesne University.

With SDLC, users will find HIPAA implementation much more manageable, she said.

SDLC is a systems approach to problem solving that breaks the approach down into several phases. Before beginning implementation, it is important to assemble a team of data managers, data miners, and other IT representatives to complement compliance and medical records personnel, Kiel said.

She cited seven steps to HIPAA integration:

• Step one identifies what HIPAA rules need to be implemented. Currently, HIPAA consists of 11 rules, of which five (transaction code sets, privacy, standard unique employer identification, security, and national provider identifier) are final. The enforcement rule has been released but not finalized.

• Step two is planning. "Time, money, personnel, and technology must be considered," Kiel said.

• Analysis comes in step three. The organization must conduct data-flow diagrams to follow patient health information. Where are the data going? Who sees them? Do they meet necessary need-to-know requirements?

• In step four, a logical design is developed, with forms, reports, and databases emerging to track data and perform HIPAA audits. The key is to implement HIPAA with IT and data management. "Perhaps then people will not view HIPAA as a burden," Kiel said.

• Step five is the actual physical design. Data integrity is paramount to ensure that data can be distributed to the right person at the right time. "This has been mentioned many times in relation to medical errors," Kiel said.

• Implementation happens in step six. Here, personnel must be trained and tested in HIPAA standards.

• Finally, step seven is maintenance. The organization must become an evaluative culture with maximum employee input, Kiel said. Maintenance cannot be static, or real, necessary change will not take place.

Kiel advised responding simply to the act.

"Do not cut corners or go overboard," she said. "Take time to evaluate and you will find success."