If your business isn't healthcare, then HIPAA's security rules don't affect you, right?
According to Ryan Hunter, senior technology consultant and data manager for Washington, D.C.-based Watson Wyatt, the rules must be observed by any enterprise that offers its employees a healthcare plan. His job is to help Fortune 500 businesses operate their health plans and benefits enrollment the HIPAA way.
"HIPAA has wide implications from hospitals to insurance companies to outside businesses," Hunter said. "HIPAA security is about protecting healthcare information electronically and companies rely on different vendors that make up components of their health plan."
When an enterprise does business with these vendors, he said, "They need to make sure that when an employee's personal health information is passed among vendors that it's protected." Businesses also have a responsibility to make sure their vendors have all the proper HIPAA procedures in place, Hunter said. That's a tall order for many of them.
"They need to know where their data is coming from and going to, and benefits enrollment data is a part of this," Hunter said. "It's a big challenge, and they need to have their own policies and procedures in place to handle it."
Hunter said his job starts with a data flow analysis that identifies areas where data must be better protected at rest and in transit.
"HIPAA is great at telling you what to do but not how to do it," Hunter said. "It says you need encryption, but doesn't say how to implement and manage it. There's always that interpretation challenge."
Most of the companies Hunter deals with aren't technologically oriented. "The human resources department is not going to understand the technical requirements of encryption and access control," he said. "We come in and try to help the different departments come together and have a process: to triangulate."
Hunter said it's surprising how many companies are turning to outside organizations for help. Despite the challenges, he thinks Watson Wyatt's clients will be on target for April 21. "Every one of them will at least have the pieces in place," he said. "The problem will be that ongoing interpretation challenge."
The good news is that the interpretation issue gives companies leeway to do things in a way they can best afford, he said.