Every System Must Be Individually Tailored

By Deborah Gage  |  Posted 2004-04-01

But John Quinn, the chief technology officer for Cap Gemini Ernst & Young Health Consulting, says hospitals misplace patient records "all the time." As Quinn sees it, "That's an argument for having electronic records." But while HIPAA ultimately will drive the need for such records, neither the medical nor technical standards required to exchange them exist today.

Indeed, Quinn says, one fear among his clients is that electronic health records will become mandatory, a prospect raised by President Bush in his State of the Union address in January. One of Quinn's clients, a 21-hospital network, spent $300 million on a system for such records. Quinn adds that every system must be individually tailored because "nobody practices medicine in the same way."

The Department of Health and Human Services spent several months rewriting the security regulations to try to make them more flexible and more practical, a reflection of the Bush administration's more business-friendly spirit. Healthcare organizations can decide not to meet certain requirements and document their reasons why. Weil, however, warns clients to err on the side of caution—he says he would never tell a client not to test a disaster-recovery plan, even though the regulations seem to suggest that option. "Even if [that's] only addressable, I would tell the customer, do it," he says.
Meanwhile, the government is already enforcing the regulations on privacy—which protect patient information in all formats, electronic or not—and the regulations on conducting transactions, which HIPAA is trying to standardize and which affect functions such as billing. Christiansen says the latter regulations require technology upgrades and that the government is currently required to enforce them by "holding its nose and muddling through."
Even some executives feel overwhelmed when they look at the 18 areas for security compliance that they have to address, HealthCIO's Bogen says. How will they find the time to document computer logs so they know if a breach has occurred? If there is a breach, how do they have to respond?

At the clinical research center in Washington, an attack by the Blaster worm last summer drained the research budget for several medical-school projects. So the University hired contractors who spent weeks making sure that all systems were clean. "When you see these viruses take over things, there's the impact no one's been talking about," DeVoney says.

But information on how to comply with HIPAA is there for those who search—Christiansen, for example, recommends professional liability insurers. And more tools to help with compliance are coming. Bogen is part of one group working with URAC—a Washington, D.C.-based non-profit focused on healthcare quality—that is customizing freely available tools so healthcare organizations can get going on their risk assessments. The tools are due later this month, and are expected to precede by a few months tools coming from the Commerce Department's National Institute of Standards and Technology.

In the end, though, technology, although critical, is only a small part of compliance—Weil estimates as little as 10%. So these consultants warn healthcare organizations not to be fooled by vendors claiming "HIPAA-compliant" products.

Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

