This is the final installment of searchSecurity's series of articles on the Health Insurance Portability and Accountability Act (HIPAA).
A staggering number of families, physicians and employers offering health plans rely on organizations like Blue Cross and Blue Shield of Massachusetts to not only oversee their health care needs, but also to maintain patient confidentiality.
To gain some perspective on the people impacted by BCBS, here are some numbers:
- 2.4 million members
- 1.2 million HMO members
- 14,723 participating HMO physicians
- 74 participating acute care HMO hospitals
- 3,402 employees
And that's just from one provider in one state.
The Health Insurance Portability and Accountability Act (HIPAA) is intended to ease those confidentiality concerns by requiring all manner of health care providers that maintain and electronically transmit patient information to comply with a set of security and privacy regulations. Complying with the rules will cost the industry an estimated $3.8 billion, with the security and privacy rules costing companies the most money because they are so broad and require constant updates, according to hipaa-iq.com.
Blue Cross and Blue Shield began its initial HIPAA-related system and policy assessments in June 2000, said Joe Coughlin, security officer and project lead for BCBS' security and privacy implementation effort. Those assessments led to the implementation phase currently under way.
Though Coughlin would not disclose implementation details, he did indicate that the process confirmed that the company's underlying commitment to patient confidentiality was solid.
"It's ingrained in the company over the years that member information must be safeguarded, starting with our employees who have direct contact with members and/or providers," said Coughlin, a director in the audit and control division for BCBS. "As we went through the assessment process, there were no real big surprises. It goes back to the culture here."
The implementation is running parallel to an in-house e-commerce initiative that will move BCBS' Web site from an informational site to a transactional one.
"That's the only area where there are technological changes coming," Coughlin said. "There will be an active portal for our brokers to get into Blue Cross and Blue Shield. We also have plans in place for our providers and members to move into this transactional area. There are a lot of security implications here."
Right now, Coughlin's team is using the proposed HIPAA security guidelines as a set of best practices. The privacy standard has been approved and companies have until April 2003 to be compliant. Coughlin sees no problems in BCBS meeting that deadline.
"It's much more of an area of fine-tuning to assure the appropriate level of documentation with the practices we have in place," Coughlin said. "With BCBS, confidentiality is a hallmark; it's the way we operate. It's nothing new here to protect patient or member information. HIPAA provides us guidance. We look at it as an evaluation, an opportunity to re-examine what we are doing and make sure we are on the right path."
BCBS certainly is not typical; smaller health care organizations must be equally compliant, and will probably spend more money to get there. Regardless, all must meet similar confidentiality standards.
The HIPAA privacy regulations give consumers more control over how their private health information is used and disclosed between agencies, according to hipaa-iq.com. Health care agencies and health plans must create "privacy-conscious business practices where only minimal personal information is disclosed." Internal business practices are also affected by HIPAA, which requires protection for medical records, employee privacy training and education, and the creation of a forum for addressing privacy complaints. Companies will also be required to hire a privacy officer.
The security regulations cover administrative procedures, essentially the policy that spells out security measures and staff responsibilities for protecting data, according to hipaa-iq.com. Physical safeguards are also spelled out, as are the data security mechanisms and services that control access to data and the means of guarding data integrity, confidentiality and availability.
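The "minimal personal information" rule and the access-control mechanisms described above come together in a simple pattern: decide per role which fields of a member record a person needs, release only those, and record every disclosure. The following is an added illustration, not code from BCBS, hipaa-iq.com or searchSecurity; the roles, field sets and the sample member record are all constructed assumptions, and a real plan would draw its policy from its own documented procedures.

```python
"""
Added example (not BCBS's or hipaa-iq.com's code): a "minimum necessary"
disclosure filter with an audit trail. Every role, field set and record
below is a constructed assumption for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record mixing identifiers, clinical data and billing
# data. Real records would come from the plan's own systems.
MEMBER_RECORD = {
    "member_id": "M-000123",
    "name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "ssn": "000-00-0000",
    "diagnosis_codes": ["E11.9"],
    "claims_total_usd": 1234.56,
    "broker_id": "B-42",
}

# Assumed role-to-field policy: each role sees only the fields its job
# requires. This table is the policy artefact an organisation documents;
# any role not listed here is denied everything.
MINIMUM_NECESSARY = {
    "treating_physician": {"member_id", "name", "date_of_birth", "diagnosis_codes"},
    "claims_processor": {"member_id", "diagnosis_codes", "claims_total_usd"},
    "broker": {"member_id", "broker_id"},
}


@dataclass
class AuditEntry:
    """One disclosure event: who asked, in what role, and what they got."""
    when: str
    actor: str
    role: str
    member_id: str
    disclosed: list
    withheld: list


# In-memory audit trail; a real system would write to append-only storage.
AUDIT_LOG = []


def fields_for(role: str) -> set:
    """Fields the policy permits for a role (empty set for unknown roles)."""
    return set(MINIMUM_NECESSARY.get(role, set()))


def disclose(record: dict, actor: str, role: str) -> dict:
    """Return only the fields the role may see and log the access.

    Deny by default: an unrecognised role yields an empty view rather than
    the whole record, and the withheld fields are recorded alongside the
    disclosed ones so reviewers can check the policy was applied.
    """
    allowed = fields_for(role)
    disclosed = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        actor=actor,
        role=role,
        member_id=record.get("member_id", "?"),
        disclosed=sorted(disclosed),
        withheld=sorted(set(record) - set(disclosed)),
    ))
    return disclosed


if __name__ == "__main__":
    for actor, role in [("dr.example", "treating_physician"),
                        ("clerk.example", "claims_processor"),
                        ("broker.example", "broker"),
                        ("stranger", "marketing")]:
        view = disclose(MEMBER_RECORD, actor, role)
        print(f"{role:>20}: {sorted(view)}")
    print("audit entries:", len(AUDIT_LOG))
```

The point of the audit entry is the `withheld` list: when a privacy officer reviews the log, an entry whose withheld set is unexpectedly empty is an immediate sign that the policy table, not just the code, needs attention.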
"Long term, we see this as an enabler," Coughlin said. "The technical services and mechanisms we have to comply with are broad enough so that we can chart our own course regarding the specific products we use and other details and we'll still be conforming to the rules."
Coughlin said that maintaining a properly trained staff is as important as, or more important than, technological enhancements.
"People are a key part of any infrastructure -- training and an ongoing awareness program are as important or more important than the technology. I'd say it's a 50-50 proposition or more, not to understate the importance of the technology," Coughlin said. "Overall, our policies have been HIPAA-compliant. We want to assure the appropriate level of documentation all the way down to the department level. Part of our implementation has been to reevaluate policy so that we have a consistent approach to procedures, more or less a drilling-down of the organization."