Underneath all its legal language, the Health Insurance Portability and Accountability Act (HIPAA) is really a challenge to you to live up to one of the cherished ideals of medicine: patient confidentiality.

Sure, you never breach confidentiality. But do you leave messages about test results on a patient’s answering machine? Does anyone in your practice ever fax confidential information to the wrong fax machine? Is your chart room cleaned regularly by an unsupervised cleaning crew made up of people you don’t know? Do you ever see patient charts lying open on an unattended work station in some public area of your practice? Does your billing clerk keep a sticky note on his computer monitor to remind him of his password? You see what I mean.

As David C. Kibbe, MD, MBA, suggests in this issue’s cover story, it’s easy to overreact to HIPAA and the flood of new regulations it is pouring into the health care system. After all, HIPAA is likely to produce sweeping changes in the way health information is managed. Moreover, the line of consultants and lawyers ready to help you rebuild your practice is already forming outside your door – and some of them are sure to use alarmist warnings as a way of drumming up business.

In the words of the late Douglas Adams, “Don’t panic.” As Kibbe explains in the article, HIPAA requires “reasonable and appropriate” safeguards, not foolproof, airtight, paralyzingly expensive safeguards. This is a time to learn about HIPAA regulations and to begin to respond to them as it makes sense to you. Think about the ways you protect patient confidentiality in your practice as well as the ways you don’t. Make a list of loopholes you see in the protection your practice provides patient information. Mark the ones you feel uncomfortable about – the ones that bother you as a physician – and forget the rest for now. Then start fixing the ones you’ve marked. You’re on your way to HIPAA compliance.

Kibbe’s article lays out a reasonable plan for ensuring that your practice does a good job protecting patient information from unauthorized disclosure and from loss. You won’t go wrong if you start there and work systematically. And you have some time to work. The final HIPAA security regulations aren’t expected until the end of 2001, and you’ll have two years to comply after that. As far as regulatory compliance is concerned, consider the time between now and the end of the year a head start. As far as your patients are concerned, consider it an opportunity to improve the privacy and peace of mind you afford them.