Health IT Pulse

Dec 29 2010   1:13PM GMT

This guy likes HIPAA

Don Fluckinger

Tags: HIPAA, Identity management, privacy

Most people we interview — at least those working on health care IT staffs — have one beef or another with the Health Insurance Portability and Accountability Act (HIPAA). Lawyers and regulators don’t mind it as much. Patient privacy advocates tend to be either neutral or of the “doesn’t go nearly far enough” mindset.

But if you’re in IT, chances are you think HIPAA is vaguely worded, is enforced in peculiar ways that make compliance a moving target, or carries outrageous potential maximum fines. Or some combination of the above.

Doing interviews for an article on identity management, I ran into David Sheidlower, a guy who actually likes HIPAA. He’s chief information security officer at Health Quest — an upstate New York provider that includes three hospitals and several multi-specialty ambulatory group practices — and manages about 5,000 employee identities as part of his job.

HIPAA, he says, gives him a set of rules that helps organize his strategy for doling out privileges to employees that otherwise would be tough to manage: per-diem nurses, student/resident employees, “floaters” who work in multiple departments and other health care staffers whose job definitions defy traditional classifications.

Not only that, but it helps justify to administrators the case for stronger security and credentialing systems. Breaking down the vagaries of technology-assisted identity management might make for a snoozer of a presentation — until you point out that state attorneys general can now prosecute HIPAA patient privacy breaches.

“For someone whose function in the organization is to be a champion for compliance and for patient confidentiality, HIPAA’s a tool. It’s not a hindrance — it’s something that helps me,” Sheidlower said, pointing out that identity management programs automate HIPAA’s requirements for limiting access to patient data, and documenting access changes for later audits. “It helps me make the case for identity management.”

So, HIPAA naysayers, put that in your pipe and smoke it. While compliance with the complex regulation won’t get easier in 2011, here’s one IT leader turning what many people consider a negative into a positive. You, too, can use Sheidlower’s trick in those heated IT budget meetings when the negotiations for your side need a little shot in the arm.

12 Comments on this Post

 
  • SearchHealthIT
    We finally found a #healthIT exec who actually likes #HIPAA; read this blog to find out why https://bit.ly/g3alMr #hitpol
  • Jeff Clark
    RT @SearchHealthIT: We finally found a #healthIT exec who actually likes #HIPAA; read this blog to find out why https://bit.ly/g3alMr #hitpol
  • RisknCompliance
    RT @SearchHealthIT: We finally found a #healthIT exec who actually likes #HIPAA; read this blog to find out why https://bit.ly/g3alMr #hitpol
  • Art Gross
    RT @SearchHealthIT: We finally found a #healthIT exec who actually likes #HIPAA; read this blog to find out why https://bit.ly/g3alMr #hitpol
  • HealthIT Policy
    RT @SearchHealthIT: We finally found a #healthIT exec who actually likes #HIPAA; read this blog to find out why https://bit.ly/g3alMr #hitpol
  • Cygnusemr
    Great article, Don. It's funny the different opinions we hear about HIPAA. I wish more people embraced it like Mr. Sheidlower. I think HIPAA will be more strictly enforced in the years to come. On another note, I have a project brief for an IP-based security system which can be used to access computer cabinets as well as medications. http://www.cygnusinc.net/products/sinai_case_study.html
  • Don Fluckinger
    First person on a hospital IT staff I've interviewed who *likes* #HIPAA https://bit.ly/easa3g
  • Keith W. Boone
    This guy likes HIPAA - #HealthIT Pulse https://bit.ly/h3cZSS
  • Jenny Laurello
    This guy likes #HIPAA -- and you'll be surprised why https://bit.ly/easa3g #HealthIT
  • Marty Foltyn
    RT @HITExchange This guy likes #HIPAA -- and you'll be surprised why https://bit.ly/easa3g #HealthIT - even small practitioners should like
  • Jenny Laurello
    A chief information security officer- who loves HIPAA! "Upstate NY provider that includes three hospitals..." https://bit.ly/easa3g #HIPAA
  • jzr
    What's wrong with HIPAA? Nothing. There are many EMR systems that follow the "just enough security, we think" rule. As a result of not doing the architecture before implementation and budgeting, most of these systems find themselves in "Apollo13" mode. I am certain that in the near future there will be a court case that will shower the national media with horror stories about patient information. There was a situation where I had to report to my client's security team (HIPAA) that for over 17 months the project would not comply with HIPAA requirements, enterprise network best practices and was actually sending unencrypted data overseas to India and Mexico that included the patient's financial data! Yes, there are gross misfit implementations such as this all around. When developing the architecture for an EMR, security should be part of the foundation of the design and implementation strategy. Lots of data gets extracted onto temporary disk locations for dissemination to entities outside of the EMR's Intranet. The CERT advisories for enterprise networking are quite explicit about what security rules should be followed - the engineering gotchas and their solutions are already published for just about every operating system, application and enterprise networking solution!
