This is the second in a series of searchSecurity articles on the Health Insurance Portability and Accountability Act (HIPAA).
Health care providers, from hospitals and doctors' offices to insurance brokers, to the biggest enterprise offering a health care plan, have a massive undertaking in front of them trying to come into compliance with the Health Insurance Portability and Accountability Act (HIPAA). The act is an initiative to develop standards and requirements for a secure transfer of health information that identifies individual patients.
Smart providers, however, are not looking at HIPAA as a headache. Instead, they are using compliance requirements to move an organization forward technologically, said Lauri Ingram, senior program director for insurance information strategies at Meta Group.
"Providers who are going to be most successful are those looking to make HIPAA a strategic move," Ingram said.
Security and privacy are central to HIPAA, yet only privacy regulations exist today. Privacy regulations were finalized in 2001 and compliance is due by April 2003. Security regulations have not been finalized. Companies have between 24 and 36 months, depending on the size of the company, to come into compliance before facing fines once a standard is finalized.
Currently, the health care industry has more than 400 electronic data information (EDI) formats in use by various payers, forcing providers to adjust to the demands of each payer rather than to an industry standard. Transaction standards and technological changes mandated by HIPAA will cure that ill, Ingram said.
"Payers and providers struggle with the money to devote to HIPAA compliance. It's similar to Y2K expenditures, but companies are looking at it as an IT project rather than a transformation project," Ingram said. "They have to look at their architecture once compliant and move toward an Internet-based transaction environment. The goal is more real-time transactions in a secure environment.
"HIPAA requires scrutiny of business processes and business rules. The value proposition is the opportunity for business transformation through compliance efforts. Clients are taking a strategic approach to HIPAA," Ingram said.
All of this must be accomplished with security and privacy squarely in the foreground. And this is one area where privacy comes first.
"Privacy regulations set the floor for securely sharing information," Ingram said.
The privacy regulations empower consumers with more control over how their private health information is used and disclosed between agencies, according to HIPAA-IQ.com. Healthcare agencies and health plans must create "privacy-conscious business practices where only minimal personal information is disclosed." Internal business practices are also affected by HIPAA, which requires protection for medical records, employee privacy training and education, and the creation of a forum for addressing privacy complaints. Companies will also be required to hire a privacy officer.
The security regulations cover administrative procedures, basically policy that spells out security measures and staff responsibilities for protecting data, according to HIPAA-IQ.com. Physical safeguards are also spelled out, as are data security mechanisms and services that control access to data, as well as means of guarding data integrity, confidentiality and availability.
Ingram said that most health care companies need to make their way to the Internet to conduct real-time transactions.
"Companies have to make the right investments in IT architecture. Legacy systems will be replaced by portals or outsourcing. Externalization is the buzzword," she said. "All of this increases the importance of security and privacy. HIPAA requires an agile architecture that streamlines workflow and business processes. HIPAA also increases the need for data and analytical tools. Companies will need a security and privacy mechanism to use information for what it's intended."
All of this, however, remains conjecture until the regulations are formally established. Even so, Ingram contends that companies should begin making strategic plans around HIPAA now.
"Health care needs to think of HIPAA in the long term as an 'e-enabler,'" Ingram said. "Most companies have started their evaluations and are making initial plans for HIPAA compliance and meeting data and content standards. Now, those are starting to overlay onto the IT architecture and beginning to expose the architecture to flaws.
"Raise HIPAA up to other business initiatives," Ingram said.