Most healthcare organizations have one more month to meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Will they make it? SearchSecurity.com interviewed IT, security and compliance professionals across the United States over a two-month period. What we found is the massive patient privacy law is a bitter pill for some to swallow and the best prescription for others to follow.
There's good reason security and compliance managers at some states' Blue Cross and Blue Shield (BCBS) aren't sweating heavy with HIPAA's approach.
As technology has advanced, he said, the organization has treated network upgrades as a simple business practice. If anything, he said the HIPAA security rules validate their efforts. "In our industry, this stuff is an inherent requirement regardless of the HIPAA regulations," Reynolds said.
It's been a similar experience for Joe Gilfus, IT project manager for BCBS of Florida, which has 6.6 million members and 9,000 employees.
"The biggest change is that we have a more automated process for monitoring network access," he said. "We've had a long effort with role-based access, but as the system has become more automated we've gotten better at giving people just the right amount of access for their jobs -- nothing more, nothing less."
"Insurance companies struggle with which information is private and how much is need-to-know," said Randall Gamby, consultant for Midvale, Utah-based Burton Group. "They're struggling to define the need-to-know information that must be exchanged to process claims and provide coverage."
Drew Williams, co-founder of the Center for Policy and Compliance and principal consultant for Utah-based SummitWatch Consulting Services, said insurance firms may have their technological house in order. But from what he has seen, they're not grasping the open access part.
"Clients will call about seeing someone for a specific problem like HIV," Williams, who's also vice president of corporate development for Colorado-based Configuresoft, said. "That information gets passed along by e-mail. Under HIPAA, the provider can't respond by e-mail and the best they can do is acknowledge they received the inquiry and send them to a customer service representative. But I've seen cases where they'll still answer those messages. What they need is a Web site specifically for these inquiries, where questions can be answered securely."
As other healthcare organizations grapple with need-to-know questions, insurance companies are dealing with increasingly anxious members.
"When we deal with outsiders like the individual doctors' offices, we ask more questions than we used to," Reynolds said. "And among customers there's this enormous angst because they're dealing with different health organizations, all of which have their own HIPAA procedures. We have our rules regarding who we can and can't talk to. But it's the customer's information -- their lives -- and different organizations have different controls."
Jackie Boyden, vice president of corporate ethics and privacy for BCBS of North Carolina, said her organization has gone to great lengths to help employees understand right from wrong.
"Security has always been part of our culture, but with HIPAA we wanted to be sure the rules were understood enterprisewide, from the top down," she said. "As a result, we set up a privacy office and a privacy and security committee. We also chose privacy and security coordinators from every department. It was a smooth adjustment."
BCBS of Michigan has also launched training and awareness programs to meet the challenges, said Kim Winnik, director of corporate compliance for the organization, which has 8,000 employees and 4.8 million members.
"Security is only as good as those who follow the policies," she said. "We have a theme -- 'Security is Everyone's Business' -- and we emphasize that everyone has a role in reporting problems. We've mandated that employees take a refresher course on the privacy rules of HIPAA, and as part of the training program people take a test. If they don't score at least 80%, they have to take it again. When they reach 80%, they receive a certificate. To us, the training has been the most important thing."
On the technical side, BCBS of Michigan's story is similar to the others. Pam Hensley, the organization's security architect, said a big challenge is in finding a more centralized, consistent documentation method. That's no easy task when there are hundreds of servers in the network, each with a different way of documenting activity.
"We had a risk assessment conducted and they gave us a list of items they couldn't find in the documentation," Hensley said. "It's been a big challenge." There's also the challenge of how to secure data on laptops. "We have a limited number of people who must carry information on their laptops," she said. "We're rolling out a laptop encryption tool as we speak, and we now have a consolidated auditing tool. We can pull all the information from a distributed environment to a centralized point and monitor network activity more effectively."
In the end, all agree no organization is perfect when it comes to HIPAA. The key is to take lessons from the law that will ensure more security as technology and threats change in the future.
"People need to see HIPAA as an ongoing process, not as a rush to meet a list of regulation requirements," Boyden said. "This is not a destination, but a journey."