Biotech / Medical : WebMD Health Corp


To: tech101 who wrote (271) 4/30/2001 12:22:46 PM
From: tech101
 
Health care industry braces for privacy regs

By Jennifer Jones and Brian Fonseca
infoworld.com

NOW ON NOTICE from the White House, health care and related industries are bracing to meet daunting new privacy regulations and are clinging to the hope that upcoming security rules will help them cope.



Government's quest for all-electronic medical records kicked into high gear this week, thanks to an unexpected decision by the Bush administration to move ahead on Clinton-crafted Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.



The long journey to electronic records was meant to unfold around a package of "interlocking" federal rules, which include standards for transmitting health data, privacy guidelines for data sharing, and standards for ensuring the security of medical data.



But satisfying the cumbersome privacy component -- which requires notifying patients as to how data will be used, kept, and disclosed; offering patients a chance to see and amend records; and asking for patient consent before disclosing data -- has posed the stickiest challenge to health care IT staffs.



"The privacy regulations are the most difficult [aspect of HIPAA] because they are the most gray. You are not really able to identify an enabling technology" to help meet the mandates, said Leslie Kelly Hall, CIO for St. Alphonsus Regional Medical Center, in Boise, Idaho.



But HIPAA's upcoming security guidelines may help IT staffs clear the privacy hurdle, according to observers, by requiring the use of tangible technologies such as encryption, authentication, XML, and various other forms of protection and authorization.



Meanwhile, other industries that may be tackling similar security measures in their e-businesses stand to gain from watching health care implement these technologies, said John Ticer, CEO of Vienna, Va.-based BioNetrix. Health care is viewed by many observers as a test case for all businesses that transmit customer, partner, or financial data electronically.



"[HIPAA] will set up the ROI example that [a range of companies] can actually use security to improve your top- and bottom-line performance," Ticer said.



Hall's facility, for instance, has installed BioNetrix's Authentication Suite 4.0 multichannel browser-based software to serve as a middleware authentication platform to integrate fingerprint and smart-card technology for user identification.



Although HIPAA is aimed squarely at health care entities, including physicians, hospitals, health care clearinghouses, and health plans, the financial industry is grappling with a parallel set of privacy mandates, and the regulations touch other industries as well.



Southfield, Mich.-based Amerisure & Co., for instance, is coping with HIPAA because the company offers workers compensation insurance. The company is also struggling to comply with privacy statutes from landmark legislation passed last year for the financial sector.



"My view is that there is a natural friction, and it is one we feel from our customers who are independent insurance agents who have an insatiable appetite for information," said Frank Petersmark, vice president of IS at Amerisure. "We struggle between satisfying those needs, which are ever present, and doing so in a way that we don't get our toes in a pinch from providing too much information."



Complicating matters further is the fact that the Bush administration has promised guidelines that will amend some of the privacy regulations to "ensure that quality of care does not suffer inadvertently from the rule," according to the Department of Health and Human Services.



But until that guidance comes out, health care entities continue to struggle with how quickly to start compliance projects. "It is imperative that any changes to the rule or implementation guidelines are provided as expeditiously as possible," urged Dr. Donald Palmisano, trustee for the American Medical Association, in a recent statement.



But the "moving target" of precisely when HIPAA will see the light of day and begin its two- to three-year march to full implementation has many health care and medical organizations hesitant to go forward, said Michael Ackermann, a technical consultant at Detroit-based Blue Cross and Blue Shield of Michigan.



"If anybody had to give an answer, they'd say, 'No, we need more time [for HIPAA],' " Ackermann said. "Is it achievable? Yes. But at what cost and at what sacrifice of other hospital duties? You're pulling resources, people, and otherwise off other critical activities; something's got to give."



St. Alphonsus CIO Hall reiterated the industry's concern about adopting the rules prematurely. "The way that HIPAA is written today, it gets in the way of care," she said.



Ackermann said the major IT obstacles involved with supporting HIPAA will affect both networks and applications. The network must have PKI (public key infrastructure), XML, digital certificates, and some form of encryption or strong authentication to meet the challenge of securing Internet or "open-network" usage, he said.



At the application level, Ackermann said integration is a massive undertaking that must be addressed along with standard anti-code sets and application updates and translations.



One of the most difficult hurdles of all will be transforming health care's paper-based systems. "The health care system [still] runs on faxes," Hall noted.