By Ellen Messmer
Federal net privacy mandate riles healthcare industry
WASHINGTON, D.C. - Virtually the entire healthcare industry rose in opposition to new federal health-care privacy rules last week, saying the regulations - more than 1,700 pages, with more coming - will hinder medical care and require companies to overhaul network and systems infrastructures to meet new security demands.

Thirty-nine healthcare organizations, including the Blue Cross and Blue Shield Association, the American Pharmaceutical Organization, the Association of Medical Colleges - even the U.S. Chamber of Commerce - issued a joint letter asking the Bush administration's Health and Human Services (HHS) Secretary Tommy Thompson to postpone the new privacy rules from going into effect Feb. 26 until their complaints are heard. The Clinton administration issued the tough new federal healthcare privacy rules, aimed at protecting patient information, in December.

This uprising against the Health Insurance Portability and Accountability Act (HIPAA) rules follows a similar plea to HHS two weeks ago from the American Hospital Association (AHA), which represents 5,000 hospitals and doctors. AHA contends it will cost at least $22 billion to satisfy the privacy rules, which require an organization to ensure patient data is kept confidential and seen only by authorized personnel - even after it has been transferred to an outside organization.
HHS has had no official response to what is a last-ditch effort to derail the toughest security demands Washington has ever put on hospitals, physicians and insurance companies to ensure patient data - whether in electronic or paper format - is kept confidential. The regulations have IT managers and hospital administrators poring over the mammoth HIPAA rules to decipher what counts as HIPAA-compliant access control, authentication and audit trails.

Take Jeff Sanford, HIPAA compliance director at Eastern Maine Healthcare, a five-hospital system based in Bangor. Sanford says his hospital system, which already files 80% of its insurance claims electronically, will need to support the new HIPAA electronic data interchange (EDI) formats. So Sanford is waiting on application vendors and the electronic "clearinghouses" that serve the healthcare industry to be ready to support the new formats that he could be required to use in about a year. Service providers such as SBC and its EDI division, Sterling Commerce, claim they are ready to offer HIPAA document translation services over a proprietary value-added network or the Internet, with encryption.

For Sanford, the tougher issue is addressing the patient privacy piece, especially because the security rules are still only in draft form. The NT and Unix servers, Oracle databases and other equipment connected to the hospital system's WAN were never designed for the kinds of auditing and access controls envisaged under HIPAA, Sanford points out. Under his reading of the HIPAA rules, Sanford says passwords are acceptable for user access. But many security vendors are pushing public-key digital certificates, he notes.

HIPAA is a bonanza for security vendors and consultants. Computer Associates is urging hospitals to buy its eTrust Single Sign-on product with fingerprint biometrics.
"HIPAA requires user authentication, so we envision doctors will use their fingerprints to sign on," says Simon Perry, CA's vice president of security solutions. "Biometrics is the only way of tying access to an individual."

There's no consensus about what HIPAA means in terms of technology deployment. Mary Reynolds, CTO for the state of Illinois, thinks HIPAA is better satisfied through use of digital certificates for signing documents electronically.

Throughout this debate, lawyers, consultants and software vendors have hopped on the HIPAA bandwagon, reminding everyone that their CIOs could go to jail for noncompliance. "Obviously, it's a great market driver to be able to say your CIO could go to prison for 10 years if you don't buy this software," Bob Blakely, Tivoli chief scientist for security, says ironically. Tivoli, a division of IBM, is selling an access control product called Privacy Manager to hospitals to provide fine-grained controls for accessing online medical records.

However, Blakely candidly points out that what HIPAA is trying to mandate in terms of patient privacy goes far beyond what traditional security policies have ever attempted to do. "Traditional security technology wasn't designed to protect privacy - it was designed to protect 'my stuff' against outsiders," Blakely says. "Privacy is protecting somebody else's stuff in my possession against custodial abuse by someone else."

Healthcare organizations, at a minimum, are bound under HIPAA to force any business partner that sees patient data - such as Web-hosting firms and IT contractors - to sign a legal agreement to follow HIPAA guidelines, too. "You need to have a signed agreement with each of your business partners," says Stephen Brown, an attorney with Bogatin Law Firm of Memphis, Tenn., which has been closely following the HIPAA saga. "The agreement should stipulate that business associates won't disclose protected medical information and that they will make appropriate records available to the Department of Health and Human Services, if needed, to prove they took protective measures."

"It's fairly onerous," says Richard Peterson, director in Computer Sciences' global health solutions division. "You have to get consent from the patient in order to share data with business associates as well as other healthcare providers and pharmaceutical organizations."

In addition, each HIPAA-covered healthcare organization will have to document privacy practices and security policies - and this, say lawyers, will aid greatly should an organization have to defend itself against charges of defying HIPAA.
Copyright 1994-2006 Network World, Inc. All rights reserved.