First federal privacy standard affects all aspects of healthcare

The Health Insurance Portability and Accountability Act (HIPAA, though some may even know it as the Kennedy-Kassebaum Act) seems to keep making things more difficult for those in the healthcare industry. The law is historic because it was essentially the first federal privacy standard to make it on to the books and be uniformly enforced. That makes it quite powerful since it affects all aspects of healthcare, which in turn affects each and every one of us.

HIPAA directly affects hospitals, doctors, medical practices, health insurance companies and even pharmacies since they are considered the “keepers” of the medical information that the law is intended to protect. That translates into heightened security and substantial increases in operations in order to comply. Daily business for such entities has changed, and processes such as content management, storage and security has become more of a necessity rather than a luxury.

The law is intended to allow employees to continue their health insurance should they be fired or change jobs (hence the “portability” in the name) and stresses the extreme importance of ensuring patient privacy by making those who have access to such information guard it with advanced measures (the accountability factor).

On Feb. 20, 2003, the HIPAA Security Final Rule was passed and put into action effective April 21, 2003. This is the part of the comprehensive law that deals specifically with issues related to the safety and security of information, more specifically electronic health information. Actually another acronym has popped up in light of this new ruling—ePHI that stands for Electronic Protected Health Information that is what the law addresses.

This means that all electronically stored information must be protected more than ever before. Many believe that since this ruling affects only electronic information, other forms are not to be protected with such heightened security measures. However, the Privacy Rule declares that all information be protected, so one may as well go ahead and protect all information, regardless of format, right off the bat. The Security Rule is the new creed in information security.

Those that need to comply with this ruling have until April 21, 2005. (Small health plans get an extra year). That may seem like a good amount of time to the outside world, but those businesses that are in the mix know that such a window of time will fly by quickly.

Parts of the ruling outline standards associated with administrative, technical and physical security procedures so that medical information is protected, thus ensuring patient confidentiality. One thing to keep in mind is that this law does not specifically name technologies per se, but rather leaves that door open to interpretation since the federal government knows that technology changes and evolves so fast that any one technology specifically named now may be outdated by next year.

In a nutshell, everything needs to address the protection issue—right down to the buildings themselves (even a secure network that houses the data is vulnerable if the facility itself can be broken into).

Those working on the systems side of this issue need to address it with an open mind. The system or systems are ultimately chosen to be flexible enough to handle whatever may come next.

Just because this ruling took roughly four years to come to fruition, no one knows what may lie ahead. Think back to our pre-Sept. 11 world, and you can see how quickly things can change.

One cannot stress the importance of not only understanding, but also implementing policy to abide by and adhere to the law. In fact, those who fail to comply can face upwards to 10 years in prison (federal prison) and fines that can top off at around $250,000. This is all in addition to the stigma that would most likely be associated with noncompliance, since it would most likely cause a public relations nightmare.

Since the law deals mainly with the management side of the equation, businesses need to deal with the changes first from a management angle, and then back it up with the appropriate systems and technology that would then support the core business processes created to deal with this law.

It all boils down to not only understanding and comprehending the new rules, but also in knowing how to make the new procedures mesh well with business in general. EC