I-managers in health care industries are worried about upcoming security standards for the Health Insurance Portability & Accountability Act (HIPAA), with one privacy officer calling the proposed rules "a logistics nightmare."
Passed by Congress in 1996, HIPAA mandates sweeping changes in how health care providers manage their information. The law -- which will be phased in over the next two years -- sets electronic standards for patient, administrative and financial data, as well as security and confidentiality mandates for patient records.
In the next few weeks, the Department of Health and Human Services (HHS) is expected to release the final version of security standards. Hundreds of millions of dollars are riding on what HHS decides because the rules will determine how much health care I-managers must spend to comply.
The proposed security rules, issued months ago by HHS, require health care providers to be able to "irrefutably identify" a person receiving electronic copies of a patients medical records before those records are transmitted over the Internet. But the agency has not spelled out exactly what "irrefutably" means and some are worried it will require two separate forms of identification before patient records can be accessed.
"Its a logistics nightmare," said Frank Anderson, the chief privacy officer at Scott & White, a Texas-based health care provider that runs a 486-bed hospital and employs more than 500 doctors. "Everybodys holding their breath."
For small providers like Asante Health System, a Medford, Oregon-based company that operates two hospitals with a total of 400 beds, the security and privacy aspects of HIPAA are straining the budget. This year, Asante will spend about $1.2 million -- half of its IT-related capital expenditures -- in an effort to comply with HIPAAs security and privacy rules. "Thats a big hit," said Mark Hetz, Asantes chief information officer.
Hetz said his compliance costs would soar if HHS requires two forms of identification to access records. That could mean Asante would have to issue many of its health care workers, and perhaps many of its patients, two different kinds of identification, such as smart cards and personal identification numbers. He and other health care technology officials are hoping that HHS will only require one form (like a PIN) for security identification, a move that would be far less costly.
Other security measures could also cause HIPAA-related costs to soar, including the possibility that health care providers would have to issue their own digital certificates.
"If you dont have an industrywide certificate authority, this could end up being very complicated," said Dean Harvey, a partner in the Dallas law firm, Vinson & Elkins.
But Matt Duncan, research director of health care at Gartner Group, believes HHS is unlikely to require two factor security systems or digital certificates in the final rules. "The Bush Administration is more pro-business. HHS is going to look for a more reasonable solution."