In The News
June 06, 2005
It's a Slow Cure, But Healthcare Gets A Grip On HIPAA
By Shari Weiss
Joe Sansone, CEO and founder of TMC Orthopedic L.P., has been involved in the orthopedic industry since 1988 and has been recognized nationally as an industry leader. He keeps up to date on regulations through industry publications including the AOPA newsletter, issued monthly by the American Orthotic and Prosthetic Association, but he found the recently published NIST guidelines for HIPAA compliance a big plus.
"The document breaks down how we can obtain compliance," Sansone says. "It gives companies like mine as well as healthcare professionals a better perspective on the breadth of activities that are required to comply with HIPAA, ranging from the entire risk management process that guides the complete security responsibility to some nuances about how you protect information that is being transferred."
TMC Orthopedics is a durable medical equipment company. Founded in 1991 with just 3 employees, TMC now boasts over 100 employees, has become the largest and fastest growing orthopedic distributor in Texas, and was named No. 424 on the Inc. 500, a list of the fastest growing privately held companies in the country. The company's complete range of products and services, from implants used in the OR to rehabilitation equipment and bracing thereafter, allows hospitals and physicians to make one call to arrange for all of their orthopedic product and equipment needs.
"One thing that makes the healthcare industry different is that our information is technologically a bit behind the rest of the world," according to Sansone. "We are slower to react. For example, our billing was DOS-based, not even Windows-based until just recently. So when something like HIPAA comes out, we have to be reactive, rather than proactive," he said.
"A lot of HIPAA is just good common sense: You don't share a patient's private information that shouldn't be shared," said Sansone, whose company began planning for PHI (Personal Health Information) compliance in July 2002, three months before the October deadline that year. "By October, we were probably 95 percent of the way there, but due to the never-ending changes and updates, like a lot of other organizations, we filed an extension with the Department of Health," he said.
By October of 2003, the organization was fully PHI compliant, but they found they were spending huge sums of money on overtime because their software was not sophisticated enough to communicate with Medicare ("which is ahead of the curve," according to Sansone) and other business entities like their electronic clearing house. TMC Orthopedic began an extensive search for more advanced and extensible technology by talking with other healthcare organizations, hunting on the Internet, and meeting with vendors at trade shows.
The organization decided in 2004 to go with MestaMed, a billing and information management software application offered by Care Centric. The system contained a number of features to assist clients in reaching and maintaining compliance. "From the standpoint of security, individual user logons which provide for controlled access to various functions and data files have been a central feature of the software for many years," said Erick Allen, Director of Corporate Training for Care Centric.
A feature called HIPAA Timeout was added to MestaMed to control system access should the logged user leave his workstation without shutting down the application. Acting as a screensaver, the Timeout module requires the logged user's password before access to the application is restored. Also related to access and security is a feature which permits the administrator to require password changes at a definable interval.
In addition, MestaMed offers the optional HIPAA Audit Module, which allows the user to define the system applications to be tracked, run reports from the HIPAA Audit file which contains the tracking information, archive the HIPAA Audit file and clear the archived HIPAA Audit file.
Sansone feels confident that his organization has reasonable safeguards in place. The organization has an internal compliance committee consisting of managers and other employees from various departments who meet every other month to make certain that TMC Orthopedic is compliant with all legal requirements whether it be HIPAA or Medicare standards. "We take this so seriously that we have on occasion had a Medicare ombudsman sit in on our meetings to make certain that we are compliant," he said.
The organization drew up an organizational policy in 2002. All information is backed up and stored on a tape that is removed from the facility and kept in a safe deposit box. The network server room is double locked. Every outbound e-mail has a HIPAA disclaimer. The company's computers have a 15-minute lockout just in case someone forgets to shut down a computer if he or she leaves a station. Monitors are placed so that no patient or delivery person can see the screen. Surgery schedules are not left in plain view. Sign-in sheets contain nothing but a name and a sign-in time.
"For us, all of this makes sense, but smaller organizations like some physicians' offices are having a more difficult time because they don't have time to devote to learning all the requirements," Sansone explained. And, for a while when the regulations first came out, normal business activities were held up because people weren't sure what information could be shared, and what couldn't.
"One example was when we would provide cadaver tissue or other equipment to hospitals, and some customers were hesitant to give us the information we needed," said Sansone. "So we had to send some of our staff over to explain to them what they could and couldn't send. HIPAA was a blanket excuse for a time. But now people in the healthcare field are more knowledgeable."
Sansone pointed out that the prevalence of business associate agreements has made most misunderstandings a non-issue, since organizations that work together have employees sign contracts that point out the conditions under which information can be exchanged.
"As with many types of unwanted governmental intervention, HIPAA created a great deal of extra manpower and other expenses for small businesses like ours. But what initially seemed nonsensical and overly burdensome now makes sense," Sansone said. "The HIPAA guidelines addressed a definite need in our industry, and it soon became obvious through the availability of extensions and directions like the NIST guidelines that the 'powers that be' are being more than fair and reasonable in their attempts to not only drive compliance but to ease the process for providers." - Shari Weiss