Every System Must Be Individually Tailored
But John Quinn, the chief technology officer for Cap Gemini Ernst & Young Health Consulting, says hospitals misplace patient records "all the time." As Quinn sees it, "That's an argument for having electronic records." But while HIPAA ultimately will drive the need for such records, neither the medical nor technical standards required to exchange them exist today. Indeed, Quinn says, one fear among his clients is that electronic health records will become mandatory, a prospect raised by President Bush in his State of the Union address in January. One of Quinn's clients, a 21-hospital network, spent $300 million on a system for such records. Quinn adds that every system must be individually tailored because "nobody practices medicine in the same way."
The Department of Health and Human Services spent several months rewriting the security regulations to try to make them more flexible and more practical, a reflection of the Bush administration's more business-friendly spirit. Healthcare organizations can decide not to meet certain requirements and document their reasons why. Weil, however, warns clients to err on the side of caution: he says he would never tell a client not to test a disaster-recovery plan, even though the regulations seem to suggest that option. "Even if [that's] only addressable, I would tell the customer, do it," he says.
Even some executives feel overwhelmed when they look at the 18 areas for security compliance that they have to address, HealthCIO's Bogen says. How will they find the time to document computer logs so they know if a breach has occurred? If there is a breach, how do they have to respond? At the clinical research center in Washington, an attack by the Blaster worm last summer drained the research budget for several medical-school projects. So the university hired contractors who spent weeks making sure that all systems were clean.
"When you see these viruses take over things, there's the impact no one's been talking about," DeVoney says.
But information on how to comply with HIPAA is there for those who search; Christiansen, for example, recommends professional liability insurers. And more tools to help with compliance are coming. Bogen is part of one group working with URAC, a Washington, D.C.-based non-profit focused on healthcare quality, that is customizing freely available tools so healthcare organizations can get going on their risk assessments. The tools are due later this month, and are expected to precede by a few months tools coming from the Commerce Department's National Institute of Standards and Technology. In the end, though, technology, although critical, is only a small part of compliance; Weil estimates as little as 10%. So these consultants warn healthcare organizations not to be fooled by vendors claiming "HIPAA-compliant" products.
Meanwhile, the government is already enforcing the regulations on privacy (which protect patient information in all formats, electronic or not) and the regulations on conducting transactions, which HIPAA is trying to standardize and which affect functions such as billing. Christiansen says the latter regulations require technology upgrades and that the government is currently required to enforce them by "holding its nose and muddling through."