Case Study on Regulation Information System implementation of the HIPAA Regulations

Introduction

When a government passes new regulations, the new regulations come with a raft of measures on what companies are required to abide by to comply with the rules. According to Powner (2008), the government can voluntarily partner with organizations to implement laws or make it mandatory for companies to comply with the requirements.

In the US, the federal government has identified some key areas which deal with computerized information which have to be regulated. These key areas are banking, telecommunications, and healthcare. These sectors depend on computer infrastructure significantly, and they are usually controlled by the private sector and therefore the need to regulate them to protect the information of citizens. In this paper, I am analyzing case studies of the implementation of information systems concerning the Health Insurance Portability and Accountability Act.

Description of the Regulation

Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation of 1996 which required all hospitals to safeguard patient data. This legislation protects the Protected Health Information (PHI). The health and human services with the office of civil rights are tasked with ensuring that the required parties comply with the legislation ('What is HIPAA Compliance? - Requirements & Who It Applies To', n.d.). HIPAA serves to assure people that their healthcare data is protected and at the same time, allows the concerned people to access the data and use it to provide quality care.This regulation covers hospitals, doctors, nursing homes, dentists, psychologists, business associates, and health clinics, among others. These federal legislations have measures to address to show that concerned entities have complied with the regulations. For HIPAA, there are physical and technical requirements for a company to satisfy to be considered HIPAA compliant. The physical conditions involve controlling physical access of data, policies on the access of workstations and electronic media, and restrictions on transfer and disposal of information. The technical requirements require the access of data be limited to only the authorized personnel through the use of uniques user ids and keeping track of logs.

Case studies

The Adventist Health

Adventist Health is a faith-based health facility that is comprised of several hospitals. This health facility was established in the 1980s before the enaction of the HIPAA act. On the passing of the HIPAA act in 1996, all health facilities were mandated to adhere to the regulations. In 2000, the Adventist Hospital embarked on ensuring it complies with the rules. The first action the company undertook in complying with the regulation was the convening of the committee meeting to brainstorm on the elements which the company needs for implementation of the law ('HIPAA Case Study,' n.d.).

The committee resolved to hire a director who will be directing the process of implementation of the policy. A virtual implementation team was also created to follow up on the implementation of the directives in the different business units and the various branches of the hospital. Another central committee was also formed to manage any legal issue which may arise during implementation. The implementation committees drafted the strategic plans based on the obstacles encountered during the implementation. After meeting twice a month and assessing the implementation plans, the committees finally implemented the HIPAA regulations fully. Some of the things which the committee addressed for the hospital to be compliant are the electronic transfer of data, operating procedures, and training of staff.

Encompass Health

Encompass Health is a US-based company that was formed in 1984, and it offers post-acute services in more than 36 states and Puerto Rico. Encompass Health is composed of several health facilities. In the beginning, this company had challenges in aligning operations to federal regulations such as HIPAA. Another problem was that the company is increasingly expanding and therefore, there is an increasing need for an increase in the storage capacities of the company to host the new data. Unsure on how to go about with the compliance issues, the company contracted Clearwater Compliance to help it comply with the HIPAA regulations.

Clearwater Compliance uses an automated software known as IRMIPro, which is comprised of four modules, namely IRMIAnalysis, IRMIFramework, IRMISecurity, and IRMIPrivacy ('Clearwater partnered with Encompass Health to implement its enterprise Risk Analysis & Cyber Risk Management Solution powered by IRM| AnalysisTM,' n.d.). These different modules address different aspects of the HIPAA regulation. Encompass Health purchased the IRMIPro software together with a HIPAA risk analysis workshop. This enabled Encompass Health employees to be trained by Clearwater on how to use the software and how to conduct a risk assessment. This whole process took around six months, and it resulted in centralization of risk data, consolidation of assets, and real-time risk analysis. In the end, the company had complied with the HIPAA requirements courtesy of the software in only six months.

Conclusion

New legislations always have specifications on how those regulations are to be implemented. Compliance with these regulations can either be voluntary or mandatory. Voluntary compliance is whereby the federal government works with the respective organizations in ensuring that they comply with the rules. Mandatory compliance is whereby the companies have to abide by the regulations, or they be penalized. Among the laws by the federal government is the HIPAA act which covers health facilities and personnel in distribution and use of patient data.

All hospitals and healthcare practitioners in the country are required to comply with this legislation. In the case study of the Adventist health, the management ensured that they had met the HIPAA regulations by instituting internal mechanisms to ensure compliance with the laws. For the case of Encompass health, the administration after several failed attempts to comply with the HIPAA and OCR regulations chose to outsource the task to Clearwaters. Clearwaters helped Encompass Health to comply with the requirements through their cloud-based software, which centralizes information and also automates risk assessment and management.