DISASTER RECOVERY JOURNAL
P. O. Box 510110, St. Louis, MO 63151
(314) 894-0276, Fax: (314) 894-7474
Internet: www.drj.com, E-mail: drj@drj.com
HIPAA
Not Just for HIPAA
Best Practices for Security and Privacy Make Good Business Sense
By ELIZABETH M. FERRARINI
The Health Insurance Portability
and Accountability Act of 1996 (HIPAA) sounded a wakeup call throughout
the healthcare industry – patient data is an asset and it needs
to be protected. IT departments are now facing the challenge of implementing
HIPAA’s three provisions – electronic data exchange of transactions
(EDI), privacy, and security.
The HIPAA rules for EDI and privacy are clear, but the security rule
was not finalized until February. Faced with competing strategic
priorities and shrinking budgets, CIOs at healthcare organizations must
convince senior management to comply with these evolving rules.
CIOs throughout the country often complain about board members and senior
executives who are not taking HIPAA seriously. Healthcare executives
argue it will take years of case law to clarify what constitutes a HIPAA
violation, how to apply sanctions, and how to provide ongoing enforcement.
The federal government has few staff to enforce HIPAA currently and
the strategy for auditing compliance is not well defined.
However, adhering to the HIPAA privacy and security rules is about more
than compliance; it makes sound business sense. That is the view
of Dr. John J. Halamka, CIO of CareGroup Health Systems in Boston. A
medical doctor by training, Halamka oversees the IT needs of CareGroup’s
three major Boston hospitals and three community hospitals. Together
the six CareGroup facilities have about 12,000 employees, including
3,000 doctors who see about one million patients a year.
“We’re deeply concerned about patient privacy and technical
security,” said Halamka. “We feel that our patients have
entrusted us with protecting their confidential records and we take
that responsibility very seriously. One breach of technical security
by a hacker could jeopardize the trust of our patients.”
What precisely are privacy and security? Privacy is the right of the
individual to control how, to whom and when confidential information
is released. Security encompasses the technical tools needed to control
this release.
Staying on top of best practices for privacy and security is a key
responsibility of the CIO, regardless of the organization’s size.
The security and privacy practices at CareGroup appear as a case study
in “For the Record – Protecting Electronic Healthcare Information,”
published by the National Academy of Sciences. This book covers best
practices in authentication, access control, auditing, physical security,
and disaster recovery.
In 2001, Halamka budgeted about $250,000 for privacy and security. In
2002, he budgeted about $1 million for privacy training and security
enhancements. The $250,000 budgeted for 2003 will go for continued security
enhancement efforts.
Privacy initiatives have always been important to CareGroup. Since the
early 1980s, CareGroup has been auditing every lookup of clinical data.
The PatientSite Web site (https://patientsite.caregroup.org) enables
CareGroup patients, with appropriate authentication credentials, to
review their security audit online. Patients also can obtain a printout
of the security audit.
“We have a strict no-tolerance policy for privacy violations,”
said Halamka. “Three to four employees are terminated every year
because of these violations.”
In 2002, CareGroup focused on training each employee and volunteer in
all aspects of privacy. For example, every inpatient and outpatient
needs to be notified about the hospital’s privacy policy and sign
an acknowledgement of those policies. A patient needs the opportunity
to approve enrollment in fund raising activities.
“We require a great deal of manpower to train our 12,000 employees,”
said Halamka, “and we’ve selected individuals from key departments,
such as IT, human resources, and medical records to work together to
conduct training sessions.
“You can’t have privacy unless you have security.”
Unfortunately, HIPAA does not yet have a completed security rule, but
one is expected by the end of 2003. How do you implement best practices
for a rule that is not yet finalized?
“We implemented those security practices needed to protect privacy,”
said Halamka.
For many years, CareGroup has had some very good security. For example,
every Internet transaction requires 128-bit Secure Sockets Layer (SSL)
encryption. For authentication, CareGroup uses strong passwords, which
must have a minimum of six characters, contain both alphabetic and
numeric characters, and expire every 90 days.
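The two controls the article attributes to CareGroup, auditing every lookup of clinical data so a patient can review who accessed their record, and the six-character alphanumeric password policy with 90-day expiry, as one added example in the spirit of those practices. This is constructed illustration code, not CareGroup's or PatientSite's software; the user and patient identifiers are made up.

```python
"""Audit-every-lookup and password-policy checks modelled on the practices
the article describes. Constructed example; identifiers are fictitious."""
from datetime import date, timedelta

MIN_LENGTH = 6            # article: passwords have a minimum of six characters
MAX_PASSWORD_AGE = 90     # article: passwords expire every 90 days


def password_meets_policy(password: str) -> bool:
    """Minimum length and both alphabetic and numeric characters present."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def password_expired(set_on: date, today: date) -> bool:
    """True once a password is older than the 90-day maximum age."""
    return today - set_on > timedelta(days=MAX_PASSWORD_AGE)


class ClinicalRecordStore:
    """Every lookup, successful or not, is written to an audit trail."""

    def __init__(self, records):
        self._records = records   # patient_id -> record text (constructed)
        self._audit = []          # (date, user_id, patient_id, action)

    def lookup(self, user_id: str, patient_id: str, when: date):
        # Append the audit entry before returning so that a lookup of a
        # non-existent record is recorded as well.
        action = "lookup" if patient_id in self._records else "lookup-miss"
        self._audit.append((when, user_id, patient_id, action))
        return self._records.get(patient_id)

    def audit_for_patient(self, patient_id: str):
        """The view a patient would review: every access to their own data."""
        return [entry for entry in self._audit if entry[2] == patient_id]


def demo():
    """Three lookups by two hypothetical users; returns patient P001's audit."""
    store = ClinicalRecordStore({"P001": "constructed chart for patient P001"})
    day = date(2003, 3, 1)
    store.lookup("dr_smith", "P001", day)
    store.lookup("clerk_jones", "P001", day + timedelta(days=1))
    store.lookup("dr_smith", "P002", day + timedelta(days=2))   # not P001's
    return store.audit_for_patient("P001")
```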
“We created a grid to rank the security provisions of each one
of our 400 different IT systems,” said Halamka. “We looked
at all of those systems that didn’t meet the spirit of best practices.
We’ve begun to remediate systems that do not have appropriately
strong passwords or comprehensive audit trails.”
Halamka says that some security technologies, such as public key infrastructure
(PKI), are problematic to implement in healthcare.
“We tried PKI about three years ago and it did not work well for
us,” said Halamka. “Maintaining certificates for 12,000
employees is an administrative nightmare. We use PKI in only one case
– organization-to-organization transaction exchange. Using S/MIME
gateways and certificates for each of our trading partners, we exchange
secure e-mail among payers and insurance companies. Each transaction
remains encrypted as it travels over the public Internet from payer
to provider or between two large provider organizations. These are not
personal certifications but organizational ones.”
Although CareGroup continues to work on privacy and security HIPAA issues,
Halamka says, “We’re largely complete with the administrative
simplification portions of HIPAA.”
Back in 1998, even before Y2K, the CIOs of the provider organizations
working with CareGroup formed a consortium to enable the entire New England
payer and provider community to create EDI transactions among themselves
without transaction fees. The New England Health EDI Network (NEHEN)
went live in 1999, before HIPAA EDI transactions for benefits and eligibility.
Since that time, CareGroup has used a common infrastructure to do peer-to-peer
secure transaction exchange between payer and provider. According to
Halamka, “It’s Napster for healthcare.”
CareGroup uses a virtual private network and middleware to exchange
benefits/eligibility, claims status inquiry, referral and claims information
among payers and providers in the region. By the end of 2002, CareGroup
had completed all the core HIPAA transactions.
HIPAA makes great business sense. Administrative simplification reduces
denials and accelerates payment.
“Protecting privacy and security gives our patients peace of mind,”
said Halamka, “which is important for retaining existing patients
and recruiting new ones. Yes, implementing HIPAA is hard work, but the
payoffs are huge.”
Elizabeth M. Ferrarini is a freelance writer from Boston, Mass. Reach
her at iswive@aol.com.
To comment on this article, go to 1602-04
at www.drj.com/feedback.
©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of Systems Support Inc. is prohibited.