The rules of the Health Insurance Portability and Accountability Act (HIPAA), set to take effect in the spring of 2003, dramatically raise the stakes for violating medical privacy, proscribing huge fines and prison terms for those who breach information security.
Answer: Not by a long shot.
Gartner is definite about the forecast. “The health care industry is not going to make the current HIPAA transactions deadlines. . .the fact that 85% of [health care] providers have yet to complete transaction assessments indicates that the industry is unlikely to be ready for compliance in one year.”
Health care organizations and their trusted partners”partners” used as a catchall covering almost every conceivable permutation of health care providersaren’t coming to grips with the new rules intended to curtail the massive distribution of personal, private medical information.
At present, any interested individual or industry can pry, copy, analyze and sell medical information without the consent of the individualall for profit.
The University of Washington Medical Center’s computer security was so lax that the names, addresses and Social Security numbers of more than 4,000 patientsalong with the medical procedures each patient underwent, were compromised by a hacker. Hospital officials denied the event occurred until the hacker sent the records to a journalist.
Unauthorized disclosure of personal, private medical information, the direct targeting by namefor example, lists of elderly incontinent women, or middle-aged impotent menthese and other unnerving examples have led to federal constraints.
The federal rules crisscross and govern the entire health care field, including trusted partners. Health care centers will be required to appoint a “privacy officer” to inform patients of their privacy rights. This officer also is responsible for monitoring compliance with the federal privacy regulations. It’s quite a change from the “good old days” when physicians and hospitals would preclude patients from reading their own medical records.
Medical associations, hospitals, physicians, pharmaceutical companies, pharmacies, insurance companies and human resources departments that monitor employees’ health-care expenditures will come under scrutiny. Of all these groups, the insurance industry seems most prepared for HIPAA. The rest seem to be praying for postponement.
Ask the American Medical Association what concrete steps they have taken to protect data that they have on their 800,000 physician-members, information they’ve sold and profited from in the past. The group won’t tell you, and had an in-house attorney, Thomas Healy, remind a journalist that to test their computer security without permission might be a federal offense.
The AMA and 25 other medical associations have written a “beggar’s letter” to Senate Majority Leader Tom Daschle, D-S.D., pleading for more time to meet the HIPAA rules. Contrast this to the California Medical Association, the largest state medical association in the nation. It exceeds the HIPAA standards and is ready to share the techniques with anyone who asks.
Computer security companies claim they can make a health care company “HIPAA compliant.” Many can, but at a price that includes purchasing the company’s expensive, proprietary software. A better approach is to find someone like Kate Borten of the Marblehead Group in Boston with hands-on experience in the computer room and in the hospital boardroom to get the job done on time and on budget.
It’s time to pull all heads out of the sand, unless health care executives are willing to gamble with civil fines and imprisonment. The picture of a hospital CEO, CIO or CTO doing jail time is not pretty.
Lewis Z. Koch is an investigative reporter, writer and columnist based in Chicago. He can be reached at lzkoch@home.com.