Many industries are subject to US government regulation regarding Information Security. Aside from direct government contracting entities, the three main industries are now national infrastructure, financial, and healthcare. Government contracting entities and the financial industry have had to deal with this type of regulation for a long time now, but the other two are fairly new to it. The healthcare industry looks more like the financial sector, specifically the credit card processing model, in that even the smallest entities are impacted by the regulations. With the passing of HIPAA, HITECH, and now what is commonly referred to as Obamacare, the healthcare industry is undergoing a transformation. How it impacts individual entities is the subject of much concern. The natural reaction is to get away from regulation as much as possible, but these acts leave very little room to breathe. Other industries have already accepted the fate that Information Security regulatory acts have imposed upon them, and it is time for healthcare to get serious about it. In this article, I will attempt to break down the specifics and suggest a course of action.
Before suggesting a course of action, an examination of the government regulation is in order, specifically whether the regulation is even applicable to a particular entity. Currently, the HIPAA and HITECH acts apply only to healthcare clearinghouses, agencies that must work with the federal government for either Personally Identifiable Information or billing purposes, or professionals in the healthcare field such as doctors and hospital administration. This seems to leave some entities out, but be very wary. With the passing of Obamacare, this could be rapidly changing. The observation here is that Obamacare mandates that everyone carry health insurance, and those that are not provided insurance through an employer must purchase it at the state level, funded by the federal government. Although private industry insurance providers are still the carriers, the government oversight here cannot be ignored. Obamacare impacted every man, woman, and child currently carrying insurance by enacting regulation over the industry. Much like the financial industry, the healthcare insurance carriers now cannot ignore governmental regulation. By extension, any entity doing business with the insurance carriers is similarly impacted, much like any business that accepts credit cards must be found to be in compliance with PCI-DSS. This is the transformational event that is being addressed right now. The implication here is that even the smallest agencies will have to consider HIPAA and HITECH compliance in the very near future. Due to the heavy penalties of HIPAA non-compliance, and the ramifications stated above, it is in the best interests of any entity planning or operating any type of healthcare business to budget for and implement a security compliance effort, whether they feel they are in scope or not.
HIPAA and HITECH generally go hand in hand, but compliance with one does not equate to compliance with the other, as they have different focus areas. They are complementary, not conflicting, though, so achieving compliance with one or the other makes it easier to become compliant with the second. The problem with both of these is that they do not state how compliance is to be achieved; they simply lay out the objectives. In order to meet the objectives, another tool must be adopted to move an entity through the design, planning, implementation, and assessment phases in order to prove compliance. Many security frameworks are out there, some publicly available, some through a small licensing cost. None of them are simple in scope, cost, or time. Once a security framework is adopted, a software toolset is necessary as well to move the entity through the process. So, to sum up: government regulation must be examined to see if it applies, a security framework compatible with the regulation must be chosen, and the corresponding toolset must be obtained. These steps are relatively easy to achieve, and as stated above, it is in the best interests of a business to simply submit to the regulation and make the effort to become compliant, as doing otherwise may be the first death knell heard for them.
As many in other industries have pointed out, becoming compliant is very costly, both in capital and labor. Although there are a few shortcuts that can be taken, the effort itself is the bulk of the cost and cannot be avoided. As in other industries, though, there is hope for entities that simply could not afford the compliance effort otherwise. A new type of B2B entity is beginning to emerge, one that provides a service to small and mid-sized businesses to take the responsibility of compliance out of their hands. This is not a new concept for the financial industry, but it is much larger in scope as applied to the healthcare industry. The healthcare industry cannot simply obtain an approved device and let the worry of compliance fall upon the processor... or can it? Such a model does not currently exist in the healthcare industry, but perhaps as the industry matures, this could be possible. Currently, though, the headache is squarely on the entity performing transactional services for medical records or medical billing for Medicare or Medicaid reimbursement. So what about private pay agencies? Well, this is a very gray area, as discussed above in relation to Obamacare. Now that everyone is mandated to carry insurance, and insurance will most likely carry some form of long term care clause, doesn't it follow that the pressure is already evident for private pay home care agencies to be compliant as well? In my opinion, it is.
While this started as a blog specifically for Information Security, a.k.a. Information Assurance, Information System Risk Assessment, Computer Security Engineering, and sometimes Cyber Security, I have already expanded it, or at least have needed to post off-topic remarks related to my own life. Therefore, this is now simply a journal for my ramblings, questions I discuss out loud with the general public.
Friday, March 28, 2014
Monday, March 24, 2014
Job Hunting
Perhaps I'm getting older in an ever increasingly complex online world, but the job hunt has me all "a twitter" right now. The last time I was on the hunt was three years ago, and the premier job board was still monster.com, although there were several offshoots that were getting much more specific to certain industries. This time, I have found that things have changed yet again, and the best place to look is now firmly in the hands of a social media site, LinkedIn. This led me down the road to examine my other social media accounts and connections. Updating the information on them has been completed, and I have cross-linked them as much as they have allowed me to do, and where they don't inherently do this for me, I have done so manually by posting the links to the status updates fields on all of them.
While all of the above is great, in the end, it's rather like climbing to the highest tower in a city and shouting from the rooftops. Not only will your words be drowned out by the din of the others, there is no expectation of a reply worth pursuing. Is this really good networking? Sure, the friends and followers on the social media sites have been picked carefully, or at least with an eye toward some personal gain, but it's a far cry from showing up at a company and handing your resume to them personally.
I have never been very comfortable with selling myself, nor with being an active participant in social media in general. My comfort zone is firmly on the right-hand side of someone else as a trusted advisor, being an expert in my field, and my social circle is almost exclusively limited to my own wife and kids. I truly envy people that can thrive in the limelight of the media, be the social butterfly at any event, or those that seem to have a natural ability to land a really great job. I've learned what I needed to over the years, and followed the trends as much as I was able, but the one factor that has been the most useful over the years has been to be in the right place at the right time when the new job came along.
I only hope this factor comes my way this time as well. In the end, I've done what I can to encourage this to happen, even extending myself tremendously outside of my normal comfort zone, yet I can't help but wonder if there is something I can be doing that will further this cause: get myself in front of more people who can see what my skillset may bring to them. On LinkedIn, I could try to friend all the recruiters I can. On Twitter, I could hashtag the popular trends with a link to my LinkedIn profile. I can blog here. I can spread the word on the other social networks. Does this cross any boundaries or present me as an annoying person? I am simply not sure how such actions would be perceived. That having been said, the end may justify the means here; all I can hope is that it does not tarnish my online reputation.