The politics of securing and sharing data are fraught with risk for any business, but nowhere are the stakes higher these days than in health care. With the final deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) having just passed on April 20, the law continues to have a major impact on health care companies. It's forcing changes that are instructive for many other industries as well.
"We all use technology. We all know the power of information," says Douglas Torre, director of systems and communications infrastructure at Catholic Health Systems, a $500 million health care provider based in Buffalo, N.Y. "There is a lot of politics around how data is shared and secured. Now we're starting to cut through it."
For starters, HIPAA regulations have galvanized top management behind compliance initiatives. "Like Sarbanes-Oxley, HIPAA brings awareness at the board and executive levels," Torre notes.
HIPAA mandates security but doesn't specify what measures should be taken, other than requiring encrypted transmission when sending patient data outside the organization. Beyond that, most HIPAA security amounts to a policy-and-procedures exercise.
"Pre-HIPAA security was very local. You would have different security even within the same organization. HIPAA set a floor," says Steven Lane, M.D., medical director of clinical informatics at the Palo Alto Medical Foundation in Palo Alto, Calif. Now, "there is a lot of reviewing of policies and the writing of new policies and procedures," he says.
HIPAA Guidelines: Too Broad?
Even where it addresses security specifically, HIPAA does not prescribe a specific IT solution. "HIPAA talks about the need for role-based security, system reliability and data access control," says Lane.
The lack of detail is seen by some as a strength of HIPAA. "You really have to be general. You want technology controls without specifying the technology. If you got specific, HIPAA would quickly get out of date," says Mitchell Rowton, founder of Securitydocs.com, a security information publisher in Cameron, Okla.
Managers in other industries might feel thankful they aren't subjected to HIPAA requirements, although they would likely benefit from the policy, process, documentation and security discipline it requires.
This was first published in April 2005