The politics of securing and sharing data are fraught with risk for any business, but nowhere are the stakes higher these days than in health care. With the final deadline for compliance with the Health Insurance Portability and Accountability Act having just passed on April 20, HIPAA continues to have a major impact on health care companies. It's forcing changes that are instructive for many other industries, as well.
"We all use technology. We all know the power of information," says Douglas Torre, director of systems and communications infrastructure at Catholic Health Systems, a $500 million health care provider based in Buffalo, N.Y. "There is a lot of politics around how data is shared and secured. Now we're starting to cut through it."
For starters, HIPAA regulations have galvanized top management behind compliance initiatives. "Like Sarbanes-Oxley, HIPAA brings awareness at the board and executive levels," Torre notes.
HIPAA mandates security but doesn't specify what measures should be taken, other than requiring encrypted transmission when sending patient data outside the organization. Beyond that, most HIPAA security amounts to a policy-and-procedures exercise.
"Pre-HIPAA security was very local. You would have different security even within the same organization. HIPAA set a floor," says Steven Lane, M.D., medical director of clinical informatics at the Palo Alto Medical Foundation in Palo Alto, Calif. Now, "there is a lot of reviewing of policies and the writing of new policies and procedures," he says.
HIPAA Guidelines: Too Broad?
Even where it addresses security specifically, HIPAA does not prescribe a specific IT solution. "HIPAA talks about the need for role-based security, system reliability and data access control," says Lane.
The lack of detail is seen by some as a strength of HIPAA. "You really have to be general. You want technology controls without specifying the technology. If you got specific, HIPAA would quickly get out of date," says Mitchell Rowton, founder of Securitydocs.com, a security information publisher in Cameron, Okla.
Managers in other industries might feel thankful they aren't subjected to HIPAA requirements, although they would likely benefit from the policy, process, documentation and security discipline it requires.
Focus on: health care
Top business challenge: Comply with HIPAA regulations for data security.
Solution: A combination of technical and physical security measures, as well as policy enhancements.
How information technology can help: Encryption, firewalls and intrusion detection, among other tools -- plus leadership in driving compliance.
"Most of this is common sense best practices that organizations should be following," says Rowton. That includes updating documentation, regularly reviewing policies and putting someone in charge of security and privacy. From a technology standpoint, the use of firewalls, intrusion detection, antivirus protection, encryption of transmitted data and other basic tools are sufficient to demonstrate technical systems compliance. "Large and midsize organizations have already done this," he adds.
Still, protecting medical data and ensuring patient privacy under HIPAA is complicated, given the diverse data involved. Typically, it entails classifying each piece of data, assigning ownership, determining access rights, developing and applying the right policies to the data, and thoroughly documenting every step of the way -- a cumbersome and costly process.
At the University of Texas Health Sciences Center, encryption was the answer to the HIPAA question. "We have a lot of patient data and research data and financial and student data. After looking at all the data and our policies, we decided it was cheaper to encrypt it all than to have to sort through all kinds of data and policies," says Kevin Granhold, director of server and desktop services at the Houston-based health center.
Using storage encryption from Neoscale Systems Inc. in Milpitas, Calif., Granhold's group encrypts everything that lands on its storage area network, avoiding a lot of user hassles by making the whole process transparent. Some hospital administrators were nervous about relying on advanced storage technology, Granhold recalls, but that passed quickly once the two Neoscale appliances were up and running.
"Our users don't have to decide what policies apply to what data," he explains. "It all gets encrypted. Then it is non-identifiable, which simplifies things." Documenting compliance is now a lot easier.
It's this need to document everything, as much as anything else, that managers find frustrating about HIPAA. That frustration is sure to resonate with those struggling with compliance mandates in other industries. "It doesn't matter how good a job we're doing unless we can document it and prove it. HIPAA goes further than best practices so you need extra documentation," says Bob Venable, manager of enterprise systems at BlueCross BlueShield of Tennessee Inc. in Chattanooga. It forced the health insurer "to look into every nook and cranny," he adds. "Maybe that's good."
Compliance also doesn't come cheap. "HIPAA is costly, but nothing like Sarbanes. For a large organization you're talking about millions of dollars, not tens of millions," says Simmi Singh, vice president and practice leader for the health care practice of Cognizant Technology Solutions Corp., an IT services company in Teaneck, N.J. He notes that much of the work defining and documenting processes and standardizing and classifying data is needed anyway. HIPAA made it a non-negotiable, if unpopular, priority.
"We've had to hire people to keep up with the extra paperwork. It is anathema to pay people just for this," complains Venable. At Catholic Health Systems, Torre is more philosophical about the cost: "Yes, it's substantial, but the cost of doing business keeps going up. Much of it is risk mitigation. It may save us money over time."
Driver of E-Health Initiatives
With its standardized data sets, security and privacy requirements, HIPAA is also emerging as a core piece of a larger government-driven e-health IT initiative. It lays the foundation by establishing the data specifications for electronic health care invoicing and payment -- essentially, electronic data interchange (EDI) for health care -- and by mandating security and privacy protections for patients.
The security requirements in particular will be crucial if the federal government's broader vision of accessible e-health records and electronic prescriptions is to be realized.
"Moving from paper to an e-world would not be possible without HIPAA," says Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance Inc., a consortium of health care organizations headquartered in Research Triangle Park, N.C.
"When we talk about privacy issues now, we use a common vocabulary created by HIPAA. When electronic medical records happen, it will be the result of a common vocabulary," says Singh of Cognizant.
Standards compliance, however inexorable, still happens slowly. "Look at how hard it was for the banks when they started electronic funds transfer. Now electronic funds transfer works seamlessly," notes Rizwan Ahmed, CIO for the state of Louisiana's Office of Group Benefits in Baton Rouge. "HIPAA is in a similar place."
Alan Radding is a freelance writer based in Newton, Mass.
HIPAA Compliance: One Organization's Tale
by Rich De Brino
We're done. Our organization, Compass Health, finished ahead of the April 20 HIPAA compliance deadline. Compliance was an agonizing process, but it's secured our patient data, standardized some work practices across our 26 sites and made our IT organization more responsive. For the industry, it's been an important jolt to move health care IT into the 21st century.
Our 26 sites range from tiny offices in rural areas to a 300-person main campus. Our 800+ employees are spread across four counties. That meant we had to grapple with a range of issues.
We began by stuffing all the regulations into a 4-inch-thick binder. We went piece by piece, making a plan to comply with each point, from physical security to server testing. Our operations guy, Will Nelson, is very detail-oriented; he became our HIPAA compliance guy, who would make sure each and every point was addressed.
I started going to forums where I met people from other organizations to share ideas and approaches. These ranged from health care roundtables to IT executive meetings like the Society for Information Management, where I could listen to what my peers were doing.
We brought in a third party to conduct a vulnerability assessment so we'd know what was wrong up front. Some of the issues involved physical security, especially in the clinics, where we found exposed network outlets that were still active, for instance. We also had to install locking cabinets for file servers and switches to ensure they were secure and protected from tampering.
Security Logs Tell All
On the network side, we stepped up logging and monitoring. Previously, we had looked only at critical systems, and only if there was a problem. We discovered some practices that violated HIPAA rules: staff sending e-mail about patients to people outside the agency who used Yahoo e-mail accounts, for example. The e-mail was unencrypted and sent over the public Internet. That led us to set up a secure Web portal for outside users so they could correspond with staff inside the agency without compromising the security of protected health care information.
Some of the other technical enhancements we made included installing additional firewalls and moving key servers into an additional DMZ with a second level of access. Besides passwords, we use application-level security with permissions and encryption.
Staff must use company-issued equipment for all work activity, especially if they want to work from home.
The agency's IT budget this fiscal year was a bit smaller than last year's and didn't have a lot carved out specifically for security spending. Our available compliance spending was low because we had just spent over $1 million on infrastructure upgrades. My staff numbers 16 now, not including myself. We didn't add anyone for compliance, but we did retain a couple of positions that were going to go away. We also had the benefit of some security expertise in one of our engineers, who's very good at looking for potential threats and has done some testing to see if he can get past our new security measures.
Prevention Paves Way for HIPAA Compliance
After our final audit, we started reviewing the logs of network activity every day. It's helped us spot trends and problems before they occur. It also prevents downtime, like when a hard drive fills up and causes a system to crash. We know that now before it happens -- that kind of thing. And of course we see break-in attempts from outside hacking -- 25 so far just this year! We didn't realize just how common it is until we started watching for it. That's one of our big lessons learned: assume nothing. A little paranoia goes a long way.
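The daily log review described above (repeated break-in attempts from outside, disks filling up before they crash a system) can be reduced to a small script. The following is an added example written for this page, not Compass Health's own tooling: it runs over a handful of constructed syslog-style lines embedded in the script, flags external source addresses with repeated failed logins, and extrapolates disk-usage samples to estimate when a volume will fill. The log format, the private address ranges in INTERNAL_PREFIXES, and the thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines for this example (not real logs from any organization).
SAMPLE_LOG = """\
Apr 21 02:13:01 vpn-gw sshd[4411]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 21 02:13:04 vpn-gw sshd[4411]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 21 02:13:09 vpn-gw sshd[4412]: Failed password for admin from 203.0.113.7 port 51240 ssh2
Apr 21 02:13:15 vpn-gw sshd[4413]: Failed password for oracle from 203.0.113.7 port 51244 ssh2
Apr 21 02:13:22 vpn-gw sshd[4414]: Failed password for guest from 203.0.113.7 port 51250 ssh2
Apr 21 08:02:11 vpn-gw sshd[5120]: Failed password for jsmith from 10.1.4.22 port 40012 ssh2
Apr 21 08:02:20 vpn-gw sshd[5120]: Accepted password for jsmith from 10.1.4.22 port 40012 ssh2
Apr 19 23:00:00 fileserv diskmon: /dev/sda1 used=81%
Apr 20 23:00:00 fileserv diskmon: /dev/sda1 used=86%
Apr 21 23:00:00 fileserv diskmon: /dev/sda1 used=91%
Apr 21 23:00:00 fileserv diskmon: /dev/sdb1 used=40%
"""

# Assumed line shapes: standard sshd auth messages and a hypothetical "diskmon" daemon
# that logs one usage sample per volume per day.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
DISK_RE = re.compile(r"^(?P<date>\w{3} \d{1,2}) \S+ \S+ diskmon: (?P<dev>\S+) used=(?P<pct>\d+)%")

# Assumption: the agency's internal networks live in these private ranges.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def failed_logins_by_source(log_text: str) -> Counter:
    """Count failed SSH logins per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def external_bruteforce(log_text: str, threshold: int = 5) -> list:
    """Return [(ip, failures)] for external sources at or above the threshold, busiest first."""
    counts = failed_logins_by_source(log_text)
    hits = [(ip, n) for ip, n in counts.items() if not is_internal(ip) and n >= threshold]
    return sorted(hits, key=lambda t: -t[1])


def disk_trend(log_text: str) -> dict:
    """Per device: (latest_pct, growth_pct_per_day or None, days_until_full or None)."""
    samples: dict = {}
    for line in log_text.splitlines():
        m = DISK_RE.match(line)
        if not m:
            continue
        # Syslog dates carry no year; ordinal day numbers are enough for differences within a year.
        day = datetime.strptime(m.group("date"), "%b %d").toordinal()
        samples.setdefault(m.group("dev"), []).append((day, int(m.group("pct"))))

    result = {}
    for dev, pts in samples.items():
        pts.sort()
        (d0, p0), (d1, p1) = pts[0], pts[-1]
        if d1 == d0:  # a single sample gives no trend
            result[dev] = (p1, None, None)
            continue
        rate = (p1 - p0) / (d1 - d0)
        days_left = (100 - p1) / rate if rate > 0 else None
        result[dev] = (p1, rate, days_left)
    return result


def disks_needing_attention(log_text: str, horizon_days: float = 7) -> list:
    """Volumes projected to fill within the horizon, so they can be cleaned up before a crash."""
    return sorted(
        dev for dev, (_pct, _rate, days_left) in disk_trend(log_text).items()
        if days_left is not None and days_left <= horizon_days
    )


def daily_review(log_text: str) -> dict:
    """One-call summary a sysadmin could read each morning."""
    return {"bruteforce": external_bruteforce(log_text), "disks": disks_needing_attention(log_text)}


if __name__ == "__main__":
    for key, value in daily_review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the review flags 203.0.113.7 for five failed logins and /dev/sda1 for filling in under two days at its current growth rate, while the single internal failure and the slow-growing second volume stay quiet; in practice the thresholds would be tuned to the site's own baseline.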
From a security standpoint, we're not worried as much about outside attacks anymore. We're more concerned about the Web sites our staff visit and the spyware they unwittingly pick up from them. We see spyware as the No. 1 problem in IT right now, in terms of consuming man-hours.
Overall, I have to say HIPAA was a very good thing. The health care industry is, as a whole, 10 to 15 years behind in IT, and the regulations forced us to look at our IT infrastructure. Many organizations had to replace legacy systems, which they had been loath to do, but with which there was no way to be compliant. It's reminiscent of Y2K. IT is one of the top issues in health care today, and HIPAA got the ball rolling.
Rich De Brino is CIO of Compass Health, an Everett, Wash.-based behavioral health care organization.