Senior Editor, Network World

HIPAA deadline ups healthcare anxiety

Mar 10, 2003 (7 min read)
Enterprise Applications, HIPAA

Healthcare software: Regulatory issues abound.

For John Hennessey, sifting and sorting through Health Insurance Portability and Accountability Act regulations has been a large ordeal.

Hennessey is the CIO for Dallas County, which contracts with the University of Texas Medical division to supply healthcare to Texas prison system inmates. Healthcare organizations across the country face an April 14 deadline to comply with the basic HIPAA requirements, federally mandated privacy regulations that protect patient health information. The U.S. Department of Health and Human Services (HHS) issued those patient-data privacy rules, as required by HIPAA, which Congress passed in 1996. Subject to interpretation, the HIPAA privacy rules demand that any company providing healthcare services – and any of its business associates handling protected patient data – apply “administrative, physical and technical safeguards” to ensure confidentiality.

“Every time HHS has had a ‘clarification,’ it impacts another area,” Hennessey says.

Echoing the view of several CIOs questioned about HIPAA, Hennessey worries the April 14 deadline will lead to an era of heightened liability if patient data gets into the wrong hands.

“We’re worried about being held liable and the consequent damages,” Hennessey says.

At Glenwood Medical Associates in Colorado, where the HIPAA privacy officer reports to Director of IS Bob Mirabito, HIPAA creates similar anxiety because it seems to “open up lawsuits to individuals” after April 14, Mirabito says.

At Glenwood, HIPAA has spurred an effort to identify gaps in department procedures concerning access to patient electronic records, or even whether proper caution is applied when faxing a document to a doctor outside the hospital. The Glenwood privacy policy is not more than five pages long, but it was developed after polling the hospital staff with 150 questions. To check whether written policies have been carried out, Glenwood has used the PoliVec security audit tool.

Many vendors have tailored their products in some way to address one of HIPAA’s three separate rules: Electronic Data Interchange, Privacy and the recently finalized Security regulation, which will go into effect two years from now. But no product can by itself guarantee HIPAA compliance, however many vendors pitch their wares that way, experts say. So healthcare providers tend to take any such statements from vendors with a grain of salt.

Some attorneys say fears about HIPAA triggering lawsuits against hospitals and others are not unfounded.

“This is an industry sector where people have been concerned about privacy already, but the difference with HIPAA is that it is a set of formalized obligations,” says John Christiansen, counsel with law firm Preston, Gates & Ellis of Seattle. As of April 14, HHS will be compelled to investigate any complaints the agency gets.

The goal is for HHS to help remedy any problems it finds – and not file charges. But the HIPAA regulations do allow for fines up to $25,000 per year, per type of violation. However, making a good-faith effort and applying due diligence on HIPAA does a lot to minimize liability, Christiansen says.

Dallas County has outsourced its IT operations to SchlumbergerSema, which has provided HIPAA consulting. Under HIPAA, healthcare organizations must ensure that business associates treat sensitive patient data with the same concern as the healthcare provider. This has led to organizations hammering out HIPAA data-privacy contracts with doctors, vendors and IT service providers, too.

“We’ll be entering into a business agreement with IBM, our IT outsourcer,” says Greg Bard, HIPAA privacy and security project manager for Atlanta’s National Account Services Company (NASCO), which processes more than 80 million claims electronically each year for Blue Cross and Blue Shield health-plan providers and sometimes supports their patient claims departments.

Develop policies

“You have to develop policies and procedures around privacy, who has access to information – or it could be e-mail,” says Tommy Gurganus, NASCO’s director of regulatory compliance. “If you e-mail someone with information, that’s covered by privacy.”

Cuna Mutual has decided to encrypt all e-mail about healthcare coverage, including mail to outside businesses, using the ZixMail encryption desktop client and encryption gateway, which can block transmission of mail that would violate the patient-data policy.

“Encryption is necessary for privacy, and that’s anything beyond just someone’s name,” says Tim Burke, Cuna Mutual’s information security manager. “With the Zix plug-in for e-mail, instead of pushing the Send button, you’ll be hitting a Send Securely button.”

At North Shore Long Island Jewish Health System in Great Neck, N.Y., which has 18 hospitals and 30,000 employees, the HIPAA privacy regulations have triggered a review of the hospital group’s IT systems, which increasingly rely on wireless LANs, voice-over-IP phones and Lightweight Directory Access Protocol-based directories to gain access to electronic patient data.

HIPAA privacy rules put an emphasis on audit and access control to protect patient data, says Brian Dennis Gaon, North Shore’s manager of information systems security. HIPAA calls for a best effort, and to Gaon, that means “industry best practices.”

Two-factor, or strong, authentication by means of handheld tokens that generate a one-time password is widely considered a better security practice than reusable passwords. North Shore elected to use the RSA Security SecurID token coupled with a newer software-based token called RSA Mobile ID in an enterprise trial deployment. North Shore is using the Novell eDirectory product as the metadirectory for patient information, with Microsoft Active Directory as the directory service.

For remote access to the North Shore intranet by physicians or contractors, the healthcare company requires Cisco-based VPN client software. North Shore recently decided to outsource the help desk for the VPN to Aventail.

North Shore also intends to add X.509 digital certificates to its patient bedside-registration system so that a digital signature can be applied to every use of an electronic patient record, keeping a comprehensive, nonrepudiable audit trail of changes. “We’ll ultimately be encrypting and digitally signing e-mail, too,” Gaon says.

Some of the toughest security challenges appear to reside with wireless, including Cisco Aironet wireless LANs and SpectraLink voice-over-IP phones, which are starting to be used in the hospitals. With some dismay, Gaon is trying to keep up with the myriad and ever-changing wireless LAN security options for authentication and encryption, including 802.1X, Wired Equivalent Privacy, Protected Extensible Authentication Protocol, Cisco’s Lightweight Extensible Authentication Protocol, and Extensible Authentication Protocol-Transport Layer Security.

But Gaon has no misgivings about the HIPAA privacy rules, which set a national baseline for protecting patient privacy. In terms of a patient’s right to privacy, “HIPAA is probably the greatest thing that’s happened in healthcare,” Gaon concludes.

HIPAA has prompted some hospitals to rethink password and access-control policies.

“Audit logs are going to push HIPAA. Every time someone accesses [the patient record], we’ve got to know what they’ve accessed, when it was accessed and what they did,” says Rick Allen, director of IS operations at Gwinnett Health Systems in Lawrenceville, Ala. The organization is changing from using generic network logons to individual passwords with role-based access. “So if you are a nurse in neurology, there are things you can see that you couldn’t see if you were in OB/GYN,” Allen says.
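The combination Allen describes, individual logons, department-scoped role-based access and an audit entry for every access attempt, sketched as an added example (not code from the article or from Gwinnett Health Systems; the roles, departments and record ids are constructed):

```python
from datetime import datetime, timezone

# Constructed policy: the actions each role may perform on a record.
ROLE_PERMISSIONS = {
    "nurse": {"view"},
    "physician": {"view", "update"},
}

# Constructed sample records: record id -> department that owns the record.
PATIENT_RECORDS = {
    "rec-1001": "neurology",
    "rec-2002": "ob/gyn",
}

# Audit trail: one entry per attempt, successful or not.
AUDIT_LOG = []


def is_authorized(user, action, record_id):
    """Role-based check scoped to the user's own department:
    a neurology nurse may view neurology records, not OB/GYN ones."""
    allowed_actions = ROLE_PERMISSIONS.get(user["role"], set())
    if action not in allowed_actions:
        return False
    return PATIENT_RECORDS.get(record_id) == user["department"]


def access_record(user, action, record_id):
    """Enforce the policy and record who, what, when and what they did.
    Denied attempts are logged too: a log of successes alone cannot show
    someone probing records outside their department. This only works
    because each entry names an individual, not a shared generic logon."""
    outcome = "allowed" if is_authorized(user, action, record_id) else "denied"
    AUDIT_LOG.append({
        "who": user["id"],
        "role": user["role"],
        "what": record_id,
        "when": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "outcome": outcome,
    })
    return outcome == "allowed"


def accesses_by(user_id):
    """Answer the reviewer's question: what did this person touch, and when?"""
    return [entry for entry in AUDIT_LOG if entry["who"] == user_id]
```

The same `access_record` call is the only path to a record, so the audit trail is complete by construction rather than left to each application to write.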

Some hospitals are even making it harder for staff to peer at one another’s PCs. “We’re adding the antiglare barrier to every machine,” says Dave McClain, information systems security manager at Community Health Network.

The Indianapolis hospital group also is using the Vericept content-monitoring and analysis appliance to scan data leaving its network, so it can identify patient-health information that might be going to the Internet.

“For us, the senior physician and the CIO are setting the course for HIPAA,” McClain says.