Bad-tasting medicine
Healthcare faces some tough challenges implementing the prescribed HIPAA regulations.
Hospitals, health clinics and insurance providers across the country are feverishly working to meet the U.S. Department of Health and Human Services' rules for protecting patient data, but many won't be ready in time for the deadline.
The Health Insurance Portability and Accountability Act (HIPAA) regulations begin to go into effect next October, when insurance companies must use mandated electronic data interchange standards for patient claims, eligibility and remittance. By April 2003, HIPAA rules for the privacy of patient data kick in for the entire healthcare industry, and rules for security should be finalized by year-end. Violations of HIPAA carry steep penalties, such as $100,000 fines.
HHS spent four years formulating the HIPAA rules, but healthcare lobbying organizations have told Congress they would like to delay them. That stalling tactic is distracting healthcare from meeting HIPAA's goals, analysts say.
"The majority of the healthcare industry just isn't going to be ready for the first deadlines," predicts Matt Duncan, a research director with Gartner. Gartner's latest survey of 225 large health maintenance organizations and hospitals shows that 40% of them haven't even taken the first step to assess gaps in HIPAA compliance.
Some say HIPAA poses an even bigger challenge than Y2K did for the healthcare industry. Gartner estimates the staffing and systems costs to gain compliance at $13.6 million for insurance companies, and $3.1 million for healthcare providers. But whereas Y2K was a straight technical problem, HIPAA is more difficult to implement because of requirements for confidentiality of patient data.
Hospitals funded by the states will also have to adapt to the federal rules, although the Gartner survey indicated that 123 CIOs in state-funded healthcare systems don't know whether their organization would meet the HIPAA deadlines.
But many are motivated. Glenn Palmiere, CIO at the state-funded G. Pierce Wood Memorial Hospital in Arcadia, Fla., submitted his organization's HIPAA plans to the Tallahassee, Fla., health agency a month ago. Florida expects all state-run healthcare organizations to submit HIPAA plans by year-end.
"For the past six months, the state of Florida has been meeting regularly to discuss HIPAA, and they've given us specific rules," Palmiere says. For instance, patient data at all times can only be viewed or accessed through user-based or role-based authentication; and IT must maintain a detailed audit trail of patient-data access.
The technical cure
A few years ago, G. Pierce Wood Hospital adopted the InterSystems Cache database for patient records as part of a Y2K upgrade. To prevent unauthorized viewing of patient data, a HIPAA mandate, the hospital custom-programmed the database to display a Web-based "dynamic menu" of patient information tailored to each hospital employee. But there are no plans yet to support the HIPAA standards for EDI.
The hospital intends to invest in encryption to meet the HIPAA privacy and security rules, although Florida may ultimately require a specific method, Palmiere says.
According to SAIC HIPAA expert Dr. Dixie Baker, Medicare and Medicaid payment information must be encrypted when it's sent to HHS. HIPAA extends the encryption mandate to the entire healthcare industry, but doesn't specify the technology to use.
HIPAA also requires automatic logoff from systems and message authentication, but is equally vague about how to meet these requirements, letting the industry choose between passwords and stronger authentication, such as biometrics, tokens or digital certificates.
One large HIPAA implementation originated in the Boston area, where 30 hospital and insurance trading partners, including Massachusetts General and Brigham and Women's hospitals, established a private frame relay network from Verizon to exchange patient-related transactions.
"It sends 50,000 HIPAA-compliant EDI messages each day," says John Halamka, chairman of the New England Health EDI Network and CIO of CareGroup, whose six hospitals use it.
Yet CareGroup's HIPAA coordination team still has a lot of work to do to meet the deadlines. "Not everyone encrypts patient data or has passwords that expire every six months, which HIPAA requires," Halamka says.
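The controls the article mentions (role-based access to patient data, a detailed audit trail of every access, automatic logoff, and passwords that expire after six months) are shown together in the added example below. It is illustrative code written for this article, not software from any hospital, agency or vendor named here; the roles, record sections, 15-minute idle window and sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed sample record store; a real system would query the database.
RECORDS = {"P-1001": {"demographics": {"name": "Jane Doe"},
                      "diagnoses": ["E11.9"], "claims": [{"amount": 120.0}]}}
# Role-based rule: which record sections each (assumed) role may view.
ROLE_PERMISSIONS = {"physician": {"demographics", "diagnoses"},
                    "billing": {"demographics", "claims"}}
IDLE_TIMEOUT = timedelta(minutes=15)    # assumed automatic-logoff window
PASSWORD_MAX_AGE = timedelta(days=182)  # roughly the six months in the article
T0 = datetime(2001, 10, 1, 9, 0)        # constructed clock for the walk-through

def at(minutes=0, days=0):
    """Timestamp relative to T0, so scenarios can be written without a clock."""
    return T0 + timedelta(minutes=minutes, days=days)

@dataclass
class Session:
    user: str
    role: str
    password_set: datetime
    last_activity: datetime
    active: bool = True

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, now, session, patient_id, section, outcome):
        # Every attempt is logged, granted or denied, so a reviewer can see
        # who touched which patient's data, when, and with what result.
        self.entries.append({"time": now.isoformat(), "user": session.user,
                             "role": session.role, "patient": patient_id,
                             "section": section, "outcome": outcome})

def access_patient_data(session, patient_id, section, now, audit):
    """Gate one read of patient data; returns (outcome, data)."""
    def deny(reason):
        audit.record(now, session, patient_id, section, reason)
        return reason, None
    if not session.active or now - session.last_activity > IDLE_TIMEOUT:
        session.active = False              # automatic logoff after idle time
        return deny("denied:logged-out")
    if now - session.password_set > PASSWORD_MAX_AGE:
        return deny("denied:password-expired")
    if section not in ROLE_PERMISSIONS.get(session.role, set()):
        return deny("denied:role")
    session.last_activity = now
    audit.record(now, session, patient_id, section, "granted")
    return "granted", RECORDS.get(patient_id, {}).get(section)
```

Denied attempts are written to the audit trail as well as granted ones, since reviewers need to see who tried to reach data they were not entitled to.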
Insurance companies seem to be further along than hospitals in HIPAA preparation, Baker says.
At Horizon Blue Cross/Blue Shield in Newark, N.J., HIPAA policy is coordinated through the e-commerce department. Jeanie Lombardo, the HIPAA management officer, reports to Tom Fitzpatrick, Horizon's director of e-business. "Tom and I defined three teams of more than 100 people here to coordinate HIPAA compliance," Lombardo says.
Horizon already supports the HIPAA EDI standards through its Sterling Gentran gateway translator. Satisfying the privacy rules is the hardest part of HIPAA, Fitzpatrick says, because you must ensure that any patient data you share with business partners is treated confidentially.
"There is no silver bullet for this," Fitzpatrick says. For Horizon, as for many others in the insurance industry, the approach has been to have business associates, including vendors, sign legal "privacy agreements" to keep patient data absolutely confidential.
Contact Senior Editor Ellen Messmer
