With the April 20 Health Insurance Portability and Accountability Act (HIPAA) deadline looming, a lot of CIOs are wishing they could call in sick. Not Garrett Martin.
"HIPAA has not really been a constraint for us, other than making sure that everybody logs off at night," Martin said.
Martin is IT director at Canyonlands Community Health Care, a nonprofit in remote northern Arizona that provides medical care to an area that includes several Indian reservations.
For Canyonlands' Martin, the road to HIPAA compliance was paved by a brand-new system -- and the risks that a new Internet system posed to patient's privacy rights.
Two years ago, Canyonlands decided that it would upgrade its technology to communicate more efficiently and securely with its four satellite clinics. At the time, the agency needed to get a handle on the skyrocketing costs of treating its patients. And the organization had to be able to protect its patients' information from unauthorized access.
"When we used to do everything across the phone lines, you had a built-in security, unless somebody was able to tap the phone lines. Now that we're using the Internet that's a whole different ballgame," said Martin.
A Houston native, Martin had followed Compaq from its infancy. Prior to joining Canyonlands, he had handled quality assurance Hewlett-Packard in Houston. "My job was to do my best to break their servers," he said.
He knew that HP was involved in writing additional software that obeys the latest security models from not only Windows, but Unix and NetWare. And he was confident that the individual drivers within the HP hardware did not leave "any hidden back doors that people can get into."
He went with HP Proliant servers, HP Compaq Thin Clients, and HP Business Desktop PCs. In launching the software, Martin immediately implemented the latest of the security models from Microsoft that has active directory.
The system, if not employees, was recipe-ready for HIPAA. "We didn't have to make any changes, other than getting the users used to the idea now that they had individual passwords and user IDs."
"So we pretty much follow the HIPPA standards. We're running VPNs between sites, so yes we are using the internet as our highway but the data that moves across is encrypted to the government standards," said Martin.
In the minority
A recent survey found that only 30% of health plans and 18% of health-care providers have achieved HIPAA compliance. Even more worrisome, nearly 26% of payers and 40% of healthcare providers have suffered a security breach in the last six months.
The survey, conducted by Dallas-based Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems, covers large and small companies and focused only on healthcare organizations requesting feedback on the quality of their HIPAA compliance.
The percentage of non-compliers may be even greater for SMBs, says Russell Morgan , president of Information Technology Solution Providers Alliance (ITSPA), a Dallas nonprofit that helps small and medium-sized businesses address business problems through technology.
"When you're dealing with regulatory activity, what you find is there are more people in larger companies better able to understand and figure out who how to comply with these rules," said Morgan.
Once the requirements are understood, however, executing a compliance plan can be easier for smaller businesses than the big guns, he says, provided they can find the right experts.
From his own "painful experience," ITSPA's Morgan knows that is easier said than done.
"I was a CIO at a midsized firm. My frame of reference for where I could go to get the help that was needed when it was beyond the capability of my staff was fairly limited, "he said. "I wish there had been an organization that could help me how to find a solution provider that would be able to come in on a particular task."
Michael Rasmussen, an analyst at Forrester Research Inc., agreed. "Ultimately I find that more small to medium-sized businesses tend to be more technically and tactically on security. They are the ones that can find a technical answer to the problem much easier."
But HIPPA is much more about policy and processes than technology, he said.
"The challenge for SMBs is to be able to understand what is required if you don't have a dedicated compliance person," Rasmussen said, adding that help is available. "Archer Technologies would be one. Another one would be Relational Security. Both of them have portals and management processes that help you document compliance."