Tips for IT Contracting

Contracting is not for everybody. But then, neither are jobs.

Do you find that no matter where you go, you have a knack for finding things that need to be done? Do you often find you can do them, too? In that case, you’re an immediate candidate for working as a contractor or consultant.

But that doesn’t make it easy. Getting through the initial transition can be tough, and living a lifestyle that lets you get through times of sparse work is mandatory. Fortunately, I’ve found that most of the year I’m swamped, and the majority of my colleagues agree. It’s much trickier learning which gigs you should turn down.

Computerworld has a very nice slideshow, “15 Tips for Surviving – and Thriving – as an IT Contractor”.

* * *

Healthcare Regulations

A. Health Information Portability and Accountability Act (HIPAA) of 1996

1. Titles (there are only two)

Title I: protects workers and their families from loss of coverage when they change or lose their job

Title II: The Administrative Simplification (AS) provisions require establishment of national standards

2. Goals

  • Records portability
  • Reduce waste, fraud and abuse
  • Reduce costs
  • Protect patient privacy

3. Requirements

  • Dictates backup and restore P&P,
  • offsite backup with a provider including an SLA for rates,
  • scope and
  • minimum standards.

4. The Privacy Rule requires accounting of all disclosures of PHI by Covered Entities (CEs):

  • Providers
  • Health plans
  • Clearinghouses like billing operations
  • Business Associates (BA), which require a Business Associate Agreement (BAA)

Individually identifiable health information created by a CE or a BA is Protected Health Information (PHI):

  • Past, present or future
  • Mental and physical
  • Payment information
  • Provision information
  • As long as retained by provider
  • Even after death

Deidentified Information

Must be certified by statistician or expert

May be deidentified by an “encoder” program

18 key identifiers removed

Birth Date ONLY removed if patients are 90 or older!

Practical Requirements

  • Employee training
  • Privacy P&P
  • Privacy Officer
  • Entities must limit use or disclosure of PHI to the minimum necessary number of people.

Parents and family do NOT have an automatic right to patient records.

Birth parents of a foster child do NOT have a right to patient records.

Family members do NOT have a right to records for custody cases.

Privacy Rule is enforced by the Office for Civil Rights (OCR).

5. The Security Rule mandates technical safeguards and logging of all PHI releases.

Specifies Administrative, Technical and Physical safeguards for HIPAA compliance.

Regulates electronically transmitted or stored information (ePHI).

CEs must ensure officers and employees comply with the Security Rule, usually through training requirements.

Logging was first mandated by this rule.

6. The Identifier Rule mandates that CEs have a National Provider Identifier (NPI).

7. The Transaction and Code Sets Rule regulates electronic data interchange (EDI) formats.

Transactions include all documents, insurance claims, encounter records, insurance enrollment and disenrollment, eligibility documents, payment and remittance records, first reports of injury and coordination of benefits.


B. ARRA – the American Recovery and Reinvestment Act of 2009, overseen by the ONC

1. The HITECH Act requires providers and third parties to comply with HIPAA regulations.

  1. Tougher penalties
  2. Express permission of patient required for disclosure
  3. Sale of PHI limited
  4. Patients can audit records
  5. Encryption required
  6. Requires public notice of breach

Requires records of creation, modification, deletion or printing of anything containing PHI, including emails.

*Business Associates (BAs) now have to comply with the Security Rule the same as CEs.*

HHS must be notified of any data breach of more than 500 patients. (Patients must also be notified?)

HITECH Act Enforcement

Unknowing violations, despite due diligence
$1000 – $25,000/yr/violation. {CONFIRMED}

[CHECK NEW] For reasonable cause,
but not willful neglect,
$1000 – $100,000/yr/violation.

[CHECK NEW] For willful neglect (a civil penalty),
if corrected within 30 days from knowledge of violation,
$10,000 – $250,000/yr/violation.

For willful neglect that goes uncorrected,
$50,000 – $1,500,000/yr/violation
+ up to 1 year in prison.

Obtaining PHI through wrongful conduct that involves false pretenses,
+ up to 5 years in prison.


HIT Regional Extension Centers (RECs) promote HIT

Part IV specifies Medicare and Medicaid incentives for:

  • Prospective payment system (PPS) hospitals, paid based on diagnosis, not costs (a Medicare Part A system)
  • Critical access hospitals (CAHs), which get cost-based reimbursement from Medicare

HITECH and Meaningful Use

  • EHRs must be certified
  • Must be used in a meaningful manner, including electronic prescriptions
  • Must collect and submit quality-measure data
  • Must be used to exchange information to improve the quality of healthcare

Financial Incentives for EHR adoption under HITECH have been diminishing by year:

2012: $18,000

2013: $15,000

2014: $12,000

2015: $8,000

2016: $4,000

C. Code of Federal Regulations (CFR)

Title 21 CFR Part 11

Defines the criteria for electronic records and signatures to be considered trustworthy, reliable and equivalent to paper records.

Applies to FDA-regulated entities: drug makers, device manufacturers, biotech firms etc.

Requires controls and audit trails for system validations, electronic signatures and software and system documentation.

Part 20

Covers what info may or may not be shared with the general public.

Part 7

Enforcement policies for food, drugs and cosmetics

D. The Patient Self Determination Act (1990)

“Preserves the patient’s wishes, right, healthcare options and advanced directives even if the decision results in the death of the patient.”


E. The Patient Bill of Rights

Eight rights every patient has

  • To file a complaint


Legal practices

Informed Consent – consent of a patient to treatment or trial after understanding of facts and risks

Legally binding contracts require

  • Payment or consideration between parties
  • No illegal activities
  • Actions of parties must be described
  • Agreement without threat or duress

Memorandum of Understanding (MOU)

Good MOUs:

  • use plain language
  • identify all parties
  • outline expectations of all parties
  • specify termination process

Rights of Minors

A minor child can request and receive treatment, without parental consent, for:

  • Drug or alcohol abuse
  • STDs

Service Level Agreements – define a provider’s responsibilities when providing a service by performance measures:

  • Downtime: maximum periods allowed
  • Downtime period: how long a service must be non-functional to be considered “down”
  • Monthly uptime percentage
  • Scheduled downtime for service
  • Service credit: compensation for downtime, often in “free time”

Waivers of Liability – signed by patient to indemnify providers (not allowed in some states)



Healthcare Operations

Medical IT System Types

Departmental System – serves only one department or domain

Hospital-wide System – brings together systems of all departments

Enterprise System – brings together multiple providers and locations

External System – shared by multiple organizations to report data to regulatory agencies or for regional health networks


IT Project Management

Project Managers:

  • Do review staff performance
  • Do set schedules
  • Do allocate resources
  • Do NOT set your pay rate


Work Types

Parallel: each worker does several tasks

Serial: each worker does a variety of tasks in a workflow

Unit Assembly: each worker does a single task, but not necessarily in an ordered workflow.

Unilateral: NOT a real work type, but a red herring


Organization Hierarchy



Staffing Coordinator

Billing Coordinator

Office Manager



Methods of Operation

Customs and practices used to achieve the goal of the organization

Scope of Work

The tasks involved in accomplishing goals.

Resource Types

Financial resources, including third-party payers like insurance or the government

Human resources



Provider Type is the service or occupation group of the practitioner.

Customary Charges are the “normal” or reasonable charges usually applied.

Sliding Scale fees, on the other hand, are based on the patient’s ability to pay.

Fee for Service is essentially payment for treatment, rather than payment by diagnosis.

Capitation is the rate charged “per capita” – per individual – in a group plan. Formally, it’s the monthly payment an insurance company sends to a provider as set by an annual capitation contract. The services a patient uses do not determine capitation payments (at least in this year’s contract).

An Indemnity Plan enables the insured to visit any doctor or facility and direct his own care.

A Point of Service plan allows the patient to choose a provider each time healthcare service is required.


The Patient Admission Process

This is Registration or Admitting, but it is NOT Intake!

Name, address, contacts, insurance info, next of kin, allergies, medications, prior conditions, etc.


Order of Operations

Procedure or service

Dictation of record






Operating Budget – forecasts the costs of operations, for instance employees, supplies and leases

Statistical Budget – forecasts future volume of operations by analyzing statistical/historical data

Master Budget – brings together the budgets for all business or operating units

Organizational Budget – perhaps a real thing in other contexts, but a red herring here


Planning Chart Types

Gantt Chart – horizontal lines

Venn Diagram – a red herring – a mathematical diagram representing all possible relations between finite data sets

PERT Diagram – a sequence represented by circles connected by lines

Critical Path –


Bedside Medication Verification

  1. Scan patient wristband,
  2. medication barcode, and
  3. staff ID


Preventive Services

  • Wellness visits
  • Screening diagnostics
  • Routine checkups


Filing Systems

Motorized revolving files: for very limited space in low-volume offices with one file clerk. Expensive to buy and maintain.

Filing cabinets with drawers: for small, low-volume facilities. Lockable/fireproof but big.

Compressible units with open files: for limited-space, medium-volume operations with 2-3 file clerks.

Open shelf files: for high-volume operations in which the presence of multiple filing staff provides (some) security. Less secure and bulky but fast.

Thinning is reducing a patient’s physical file for ease of handling. Excess papers are sent to be archived.


Document Management

Device Capture – transmitting info directly from a medical device such as an echocardiogram

Document Archiving – ensuring documents in a medical record are stored securely and for an appropriate period

Document Imaging – scanning and indexing paper documents into an electronic system

Clinical Imaging – info in photographs or other imaging devices