Security Regulations Are Not Always Clear
Healthcare institutions have been treading the road toward HIPAA compliance for years. The financial costs are not the only reason. One big challenge for CIOs on security is that the regulations are not always clear, according to healthcare consultants, because technology by itself will never make organizations secure. For example, password-protected access to patient records is worthless if a healthcare worker forgets to log out before she walks away from the computer and the screen doesn't go blank. "If everybody had it to do over again and get the rules out in a reasonable fashion, it wouldn't be like this," says John R. Christiansen, a director at accounting firm PricewaterhouseCoopers.
Some organizations, such as El Camino Hospital in Mountain View, Calif., are already compliant. But that hospital, a not-for-profit district hospital located in Silicon Valley, has both the money and the technical expertise to handle HIPAA, claims chief technology officer Joe Wagner. The hospital spends 4.7% of its operating budget on information technology compared to an industry average of about 3%, says Wagner, an engineer whose last job was designing transportation systems. Wagner says hospital technology leaders lack corporate experience in areas such as banking or engineering or manufacturing, areas that would teach them to improve security, boost productivity and cut costs within the confines of a tight budget, which is what they have to do. As a general rule, hospitals are focused on delivering healthcare, not using technology to improve business processes and turn a profit, Wagner says.
One consultant says some of his clients are still looking for their electronic information.
According to Steven Weil, a senior security consultant with Seitel Leeds & Associates in Seattle, Wash., technology executives don't necessarily know what's happening to their protected health information, whether it is being copied onto CD-ROMs, for example, or e-mailed outside the institution. "Hospitals can sometimes have very small technical staffs of caring people rushing around all day," Weil says. And some institutions are still figuring out exactly how they conduct business. John Stewart, an artist in San Jose, Calif., broke his leg recently, but missed his first appointment for surgery at the county hospital, Santa Clara Valley Medical Center, because nobody told him about it. Whether the hospital misplaced his records or the Post Office failed to deliver his notification or the battery ran down on his cell phone, Stewart isn't sure.
Even so, slightly more than half of medical organizations expect to comply with the security regulations by the beginning of 2005, according to a survey conducted by the Healthcare Information and Management Systems Society in winter 2004.