“We’re deeply concerned about patient privacy and technical security,” said Halamka. “We feel that our patients have entrusted us with protecting their confidential records and we take that responsibility very seriously. One breach of technical security by a hacker could jeopardize the trust of our patients.”
What precisely are privacy and security? Privacy is the right of the individual to control how, to whom and when confidential information is released. Security comprises the technical controls that enforce those decisions.
Staying on top of best practices for privacy and security is a key responsibility of the CIO, regardless of the organization’s size. The security and privacy practices at CareGroup appear as a case study in “For the Record – Protecting Electronic Healthcare Information,” published by the National Academy of Sciences. This book covers best practices in authentication, access control, auditing, physical security, and disaster recovery.
In 2001, Halamka budgeted about $250,000 for privacy and security. In 2002, he budgeted about $1 million for privacy training and security enhancements. The $250,000 budgeted for 2003 will go for continued security enhancement efforts.
Privacy initiatives have always been important to CareGroup. Since the early 1980s, CareGroup has been auditing every lookup of clinical data. The PatientSite Web site (https://patientsite.caregroup.org) enables CareGroup patients, with appropriate authentication credentials, to review online the audit trail of who has looked up their record. Patients also can obtain a printout of that audit trail.
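The practice described above, every lookup of clinical data logged and the patient able to review the log, comes down to two design rules: there is exactly one path to the data and it writes the audit entry before returning anything, and the patient-facing review is itself an audited, authorization-checked read. The following is an added illustration of those rules, not CareGroup’s or PatientSite’s code; the record store, the patient and user IDs, and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    """One lookup of clinical data: who saw what, about whom, and when."""
    timestamp: datetime
    actor: str       # user ID of the person doing the lookup (staff or patient)
    patient_id: str  # patient whose record was touched
    resource: str    # which part of the record, e.g. "lab_results"
    action: str      # "view", "print", ...


class ClinicalAuditLog:
    """Append-only record of every lookup. Nothing here can delete or edit an entry."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, actor: str, patient_id: str, resource: str,
               action: str = "view", when: Optional[datetime] = None) -> AuditEvent:
        event = AuditEvent(when or datetime.now(timezone.utc),
                           actor, patient_id, resource, action)
        self._events.append(event)
        return event

    def events_for_patient(self, patient_id: str) -> List[AuditEvent]:
        return [e for e in self._events if e.patient_id == patient_id]

    def __len__(self) -> int:
        return len(self._events)


class ClinicalRecordStore:
    """The only path to clinical data (hypothetical in-memory store).
    Every read is audited before data is returned, so a lookup that is
    absent from the log cannot have happened."""

    def __init__(self, records: Dict[str, Dict[str, str]],
                 log: ClinicalAuditLog) -> None:
        self._records = records
        self._log = log

    def lookup(self, actor: str, patient_id: str, resource: str,
               when: Optional[datetime] = None) -> Optional[str]:
        # Audit first, even on a miss: an attempt to read a record that does
        # not exist is still an access attempt worth recording.
        self._log.record(actor, patient_id, resource, "view", when)
        return self._records.get(patient_id, {}).get(resource)


def patient_audit_trail(log: ClinicalAuditLog, requesting_patient: str,
                        patient_id: str) -> List[str]:
    """Printable audit trail for a patient. A patient may only see their own
    trail, and reviewing it is itself recorded as a lookup."""
    if requesting_patient != patient_id:
        raise PermissionError("patients may only review their own audit trail")
    lines = [f"{e.timestamp.isoformat()}  {e.actor:<12} {e.action:<5} {e.resource}"
             for e in log.events_for_patient(patient_id)]
    log.record(requesting_patient, patient_id, "audit_trail", "view")
    return lines


# Constructed sample data for the example; not real patients or staff.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "pt-1001": {"lab_results": "HbA1c 6.1%", "medications": "metformin"},
    "pt-1002": {"lab_results": "CBC within normal limits"},
}


if __name__ == "__main__":
    log = ClinicalAuditLog()
    store = ClinicalRecordStore(SAMPLE_RECORDS, log)
    t0 = datetime(2002, 11, 4, 9, 15, tzinfo=timezone.utc)
    store.lookup("dr-smith", "pt-1001", "lab_results", t0)
    store.lookup("nurse-jones", "pt-1001", "medications", t0)
    store.lookup("dr-smith", "pt-1001", "imaging", t0)   # miss, still logged
    for line in patient_audit_trail(log, "pt-1001", "pt-1001"):
        print(line)
```

The point of routing every read through `ClinicalRecordStore.lookup` is that application code cannot forget to audit; the same single-path rule is what makes a termination-worthy privacy violation provable after the fact.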
“We have a strict no-tolerance policy for privacy violations,” said Halamka. “Three to four employees are terminated every year because of these violations.”
“We require a great deal of manpower to train our 12,000 employees,” said Halamka, “and we’ve selected individuals from key departments, such as IT, human resources, and medical records to work together to conduct training sessions.
“You can’t have privacy unless you have security.”
Unfortunately, HIPAA does not yet have a completed security rule, but one is expected by the end of 2003. How do you implement best practices for a rule that is not yet finalized?
“We implemented those security practices needed to protect privacy,” said Halamka.
For many years, CareGroup has had some very good security. For example, every Internet transaction requires 128-bit SSL encryption. For authentication, CareGroup uses strong passwords that must be at least six characters long, contain both letters and digits, and expire every 90 days.
“We created a grid to rank the security provisions of each one of our 400 different IT systems,” said Halamka. “We looked at all of those systems that didn’t meet the spirit of best practices. We’ve begun to remediate systems that do not have appropriately strong passwords or comprehensive audit trails.”
Halamka says that some security technologies, such as public key infrastructure (PKI), are problematic to implement in healthcare.
“We tried PKI about three years ago and it did not work well for us,” said Halamka. “Maintaining certificates for 12,000 employees is an administrative nightmare. We use PKI in only one case – organization-to-organization transaction exchange. Using S/MIME gateways and certificates for each of our trading partners, we exchange secure e-mail among payers and insurance companies. Each transaction remains encrypted as it travels over the public Internet from payer to provider or between two large provider organizations. These are not personal certifications but organizational ones.”
Although CareGroup continues to work on privacy and security HIPAA issues, Halamka says, “We’re largely complete with the administrative simplification portions of HIPAA.”
Back in 1998, even before Y2K, CareGroup and other New England provider organizations formed a consortium to enable the region’s payers and providers to exchange EDI transactions among themselves without transaction fees. The New England Health EDI Network (NEHEN) went live in 1999, handling benefits and eligibility transactions before the HIPAA EDI transaction standards were in force.
Since that time, CareGroup has used a common infrastructure to do peer-to-peer secure transaction exchange between payer and provider. According to Halamka, “It’s Napster for healthcare.”
CareGroup uses a virtual private network for transport and middleware to exchange benefits/eligibility, claims status inquiry, referral and claims information among payers and providers in the region. By the end of 2002, CareGroup had completed all the core HIPAA transactions.
HIPAA makes great business sense. Administrative simplification reduces denials and accelerates payment.
“Protecting privacy and security gives our patients peace of mind,” said Halamka, “which is important for retaining existing patients and recruiting new ones. Yes, implementing HIPAA is hard work, but the payoffs are huge.”
Elizabeth M. Ferrarini is a freelance writer from Boston, Mass. Reach her at email@example.com.