
HIPAA's Impact on Healthcare

From the Editors of ITSC

With the passing of each Health Insurance Portability and Accountability Act (HIPAA) milestone, the healthcare industry as a whole continues to take great strides. But with the final Security Standard a few short months away (April 21, 2005), there is still much work to be done, and there is no better time than now to begin building a security framework for your healthcare organization.

Initially, the HIPAA guidelines were intended to reduce costs for healthcare payers and providers, as well as reduce Medicare and Medicaid-related fraud. However, many additional benefits have resulted from HIPAA. Patient records are becoming more secure, and the standardized forms of communication present less room for error in transferring and interpreting electronic "protected health information" (PHI). From a security perspective, many organizations have gone above and beyond the HIPAA requirements to build a strong security framework for their organization -- one that, with continuous monitoring and policy management, will provide the protection necessary to combat the threats of today -- and tomorrow.

Three components of HIPAA

Most healthcare organizations were slow to embrace technology, so considering their relatively limited resources and limited funding, becoming HIPAA-compliant has been a challenge. Obviously, the two deadlines we have seen so far -- the Privacy Standard and the Transaction Standards and Code Sets -- have made a real impact on the healthcare industry.

  • Privacy Standard: This rule governs the privacy requirements for all individually identifiable health information as defined in HIPAA. It specifically defines the authorized and unauthorized disclosures and uses of individually identifiable health information. Patients have likely noticed the effects of this rule in the steps that healthcare organizations now take to keep their information private. For instance, patients are now asked to sign a form advising them of their rights and how their health information will be used -- and under what conditions their health information will be disclosed. In addition, most computers at registration desks are now equipped with blinders so that patient information on the screen is hidden from view, and filled prescriptions at the pharmacy are turned around so patients' names can't be read by someone standing at the counter.

  • Transactions and Code Sets Standard: This rule mandates that healthcare payers, providers, and clearinghouses across the United States use predefined transaction standards and code sets. The simplified communications that result from this standard will likely provide many benefits, including: reduction in paperwork, increased accuracy of PHI, and savings in time, resources, and money.

  • Security Standard: The Security Standard specifically mandates securing the confidentiality, integrity, and availability of electronic PHI, while enabling patients to access their records online upon request. Complying with this rule means an overhaul of the workflow, administrative, and/or financial applications used by many covered entities. Even though the industry doesn't face the Security Standard deadline until April 2005, more and more caregivers such as hospitals, medical centers, and large medical practices are already taking steps to improve the security and privacy of electronic PHI records and to improve patient safety.

Proactive efforts to secure IT infrastructures

IT security measures being taken within the industry are at varying stages. Many healthcare organizations are still trying to get basic security measures, such as antivirus technology, deployed across all the tiers of their infrastructure, not just on PCs. This requires a much different approach from what they have done in the past. Information security now requires a more robustly architected solution -- one that allows organizations to manage policy and deploy new signatures at a moment's notice across all tiers of their IT infrastructure. This infrastructure now includes mobile peripheral devices, handheld/wireless devices, gateways, servers, medical devices, and desktops.

HIPAA policy and security rules are very generic when it comes to the subject of protecting email, instant messaging, telephone conversations, verbal discussions, videoconferencing, and similar forms of communication. However, they are very specific in outlining the conditions for disclosure and usage of electronic PHI. Healthcare organizations must have some type of authentication measures in place -- whether it's simple caller ID so doctors can confirm who they're speaking to, or something more complex, such as digital signatures.

The original draft of HIPAA included a digital signature component, which was pulled out before the final security rule was issued. People can spoof email addresses relatively easily, and there is no 100 percent trustworthy form of email authentication, except for digital signatures. So, there is an urgent need in the healthcare industry for digital signature technology that is easy to deploy, use, and maintain.

Effect on outsourcing

An ongoing challenge for the healthcare industry relative to HIPAA is to find -- and adequately pay -- security professionals. It takes special skills, knowledge, and experience to monitor and manage your security infrastructure. As a result, the majority of healthcare organizations may choose to outsource when it comes to complying with the 24x7 incident management and response requirements of HIPAA, as their in-house IT staff often are not equipped to provide the level of proactive measures and security response at an affordable cost. While malicious code protection, such as antivirus software, has typically been operated in-house, host-based and network-based intrusion detection systems are gaining widespread use, and are commonly being deployed and monitored by outside managed security service providers.

Start with a strong foundation

As a rule, security for healthcare should be approached no differently than in other industries. But it is a specialty that does present a few caveats. A comprehensive information security program addresses 90 to 95 percent of the security issues of all vertical industries, including the healthcare industry.

The unique business risks of healthcare are patient safety, availability of electronic PHI, and privacy. So it is critical for organizations to embrace risk management, and conduct a business risk assessment as well as an IT risk assessment to ensure that they have done their due diligence.

Performing an end-to-end risk assessment allows healthcare organizations to anticipate potential areas of threats and vulnerabilities. By pointing out alterations in audit controls and system configurations, defects in code, insufficient security policies, and other vulnerabilities, a risk assessment arms an organization with the insight and knowledge it needs to mitigate potential threats and protect PHI.

Patients are number one

Dealing with the three parts of HIPAA in sequence has kept the healthcare industry very busy. As each compliance date passes, another one looms ahead. However, throughout it all, maintaining patient safety has remained the number one concern of most healthcare organizations. Every healthcare organization should build a framework that holds all levels of the entity accountable for security and privacy -- whether or not it is specifically regulated by HIPAA. The result will be comprehensive protection that will coincide with many HIPAA regulations, safeguarding the confidentiality, integrity, and availability of electronic PHI, and ultimately providing higher-quality healthcare for patients.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
