Security Regulations Are Not

By Deborah Gage Print this article Print

Medical institutions have a lot of work to do to comply with the Health Insurance Portability and Accountability Act's security provisions by next April.

Always Clear"> Healthcare institutions have been treading the road toward HIPAA compliance for years. The financial costs are not the only reason. One big challenge for CIOs on security is that the regulations are not always clear, according to healthcare consultants, because technology by itself will never make organizations secure. For example, password-protected access to patient records is worthless if a healthcare worker forgets to log out before she walks away from the computer and the screen doesn't go blank.

"If everybody had it to do over again and get the rules out in a reasonable fashion, it wouldn't be like this," says John R. Christiansen, a director at accounting firm PricewaterhouseCoopers.

Some organizations, such as El Camino Hospital in Mountain View, Calif., are already compliant. But that hospital, a not-for-profit district hospital located in Silicon Valley, has both the money and the technical expertise to handle HIPAA, claims chief technology officer Joe Wagner. The hospital spends 4.7% of its operating budget on information technology compared to an industry average of about 3%, says Wagner, an engineer whose last job was designing transportation systems. Wagner says hospital technology leaders lack corporate experience in areas such as banking or engineering or manufacturing—areas that would teach them to improve security, boost productivity and cut costs within the confines of a tight budget, which is what they have to do. As a general rule, hospitals are focused on delivering healthcare, not using technology to improve business processes and turn a profit, Wagner says.

Even so, slightly more than half of medical organizations expect to comply with the security regulations by the beginning of 2005, according to a survey conducted by the Healthcare Information and Management Systems Society in winter 2004.

One consultant says some of his clients are still looking for their electronic information. According to Steven Weil, a senior security consultant with Seitel Leeds & Associates in Seattle, Wash., technology executives don't necessarily know what's happening to their protected health information—whether it is being copied onto CD-ROMs, for example, or e-mailed outside the institution. "Hospitals can sometimes have very small technical staffs of caring people rushing around all day," Weil says.

And some institutions are still figuring out exactly how they conduct business. John Stewart, an artist in San Jose, Calif., broke his leg recently, but missed his first appointment for surgery at the county hospital, Santa Clara Valley Medical Center, because nobody told him about it. Whether the hospital misplaced his records or the Post Office failed to deliver his notification or the battery ran down on his cell phone, Stewart isn't sure.

But John Quinn, the chief technology officer for Cap Gemini Ernst & Young Health Consulting, says hospitals misplace patient records "all the time."

As Quinn sees it, "That's an argument for having electronic records." But while HIPAA ultimately will drive the need for such records, neither the medical nor technical standards required to exchange them exist today. Indeed, Quinn says, one fear among his clients is that electronic health records will become mandatory, a prospect raised by President Bush in his State of the Union address in January. One of Quinn's clients, a 21-hospital network, spent $300 million on a system for such records. Quinn adds that every system must be individually tailored because "nobody practices medicine in the same way."

The Department of Health and Human Services spent several months rewriting the security regulations to try to make them more flexible and more practical, a reflection of the Bush administration's more business-friendly spirit. Healthcare organizations can decide not to meet certain requirements and document their reasons why. Weil, however, warns clients to err on the side of caution—he says he would never tell a client not to test a disaster-recovery plan, even though the regulations seem to suggest that option. "Even if [that's] only addressable, I would tell the customer, do it," he says.

Meanwhile, the government is already enforcing the regulations on privacy—which protect patient information in all formats, electronic or not—and the regulations on conducting transactions, which HIPAA is trying to standardize and which affect functions such as billing. Christiansen says the latter regulations require technology upgrades and that the government is currently required to enforce them by "holding its nose and muddling through."

Even some executives feel overwhelmed when they look at the 18 areas for security compliance that they have to address, HealthCIO's Bogen says. How will they find the time to document computer logs so they know if a breach has occurred? If there is a breach, how do they have to respond? At the clinical research center in Washington, an attack by the Blaster worm last summer drained the research budget for several medical-school projects. So the University hired contractors who spent weeks making sure that all systems were clean. "When you see these viruses take over things, there's the impact no one's been talking about," DeVoney says.

But information on how to comply with HIPAA is there for those who search—Christiansen, for example, recommends professional liability insurers. And more tools to help with compliance are coming. Bogen is part of one group working with URAC—a Washington, D.C.-based non-profit focused on healthcare quality—that is customizing freely available tools so healthcare organizations can get going on their risk assessments. The tools are due later this month, and are expected to precede by a few months tools coming from the Commerce Department's National Institute of Standards and Technology.

In the end, though, technology, although critical, is only a small part of compliance—Weil estimates as little as 10%. So these consultants warn healthcare organizations not to be fooled by vendors claiming "HIPAA-compliant" products.

This article was originally published on 2004-04-01
Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

eWeek eWeek

Have the latest technology news and resources emailed to you everyday.