While health care companies have already spent millions of dollars to comply with a new federal law mandating privacy for online medical records, a key decision in January could multiply the total bill by rendering many existing communication networks obsolete.
The deadline to comply with the Health Insurance Portability & Accountability Act of 1996 is next April. Many businesses are spending up to three-quarters of their IT departments' time trying to comply, according to a survey released last week by HealthTrans. Health care companies are also spending big bucks: For example, medical chart information provider ChartOne spent $9 million to comply with HIPAA.
One big challenge -- which other industries will face if similar privacy laws are applied to them -- is how to streamline legacy networks in order to encode all patients' electronic health, administrative and financial data in a new, federally mandated standard. But that's just half of what HIPAA requires of I-managers: They must also ensure that the data is secure and that patients' privacy is honored.
But specific guidelines for what is considered secure and private are not expected until January. Depending on how the regulation is worded, the health care industry might miss its regulatory deadline and have to spend much more money.
"It's unreasonable to believe that if a mandate did come down to secure communications all the way to the last mile -- and it had to be a hardware solution -- that anybody would be compliant," said Jack McClurg, CEO of HealthTrans.
The long-running debate in the security industry centers around the fact that last-mile networks are not secure. Businesses' worries about leasing pipes from service providers have been erased by years of reliable use of frame relay and Asynchronous Transfer Mode, but the debate has been re-ignited as these networks link to the open Internet. Executives such as McClurg, and many others in the health care industry, think the federal government may mandate last-mile security.
If end-to-end security becomes a requirement, both old and new networking installations might have to be replaced. For example, the Washington, D.C., Veterans Affairs Medical Center's recent deployment of network-based virtual private networks (VPNs) using Multiprotocol Label Switching (MPLS) drew instant criticism from peers in the health care industry.
The deployment, which gave six doctors in the radiology department a chance to look at X-rays from their home computers, doesn't provide for encryption between home machines and the service provider's network.
"I find it a bit disturbing that MPLS VPNs are taking hold, given their known flaws," said Chris Calabrese, an Internet security analyst at a large health care firm.
If regulators decide such encoding is necessary to comply with HIPAA, then every pharmacy might need a new router-based VPN to stay in business -- which would cost the health care industry millions of dollars.
Such a scenario is not outside the realm of possibility. In his previous career, HealthTrans' McClurg oversaw the deployment of a health care data standard in British Columbia, Canada. At the last moment, a privacy concern resulted in a major overhaul of the health care networking infrastructure, he said.
A government representative would not confirm that a new rule will be issued in January, but did indicate that more changes are coming.
"Folks are working on the final security standards rule, as described in a guidance issued in July," said a representative of the Department of Health and Human Services. "They are working on a proposal for modifications to a privacy rule."
Major security upgrades at this point would be brutal for most health care companies, since most do not outsource any major networking functions to third parties. According to HealthTrans' McClurg, most health care organizations use telecommunications facilities such as leased lines and phone lines, while providing their own services such as Web hosting, database and e-mail administration.
Magellan Health Services in Columbia, Md., is typical. While the company has more than 700 interfaces with customers and partners, it handles most of them on its own. Magellan's only real outsourcing contract is with USinternetworking for a back-office financial application system. Magellan owns its own data center and does its own Web hosting. In preparing to deal with HIPAA, Magellan's main objective is to streamline its IT operation to manage fewer legacy systems.
"To deal with HIPAA, many companies have replicated core data from legacy applications to another server, and then have interactions on that server so that it doesn't interfere with the work that is done on the primary," said Raymond Pingle, Magellan's chief information officer. "We are doing that same thing."
With this type of retrofitting, industry spending on HIPAA is about two to four times what was spent in preparation for year 2000 (Y2K).
"While Y2K was a one-time event, HIPAA will go on forever and ever," Pingle said. HIPAA also opens up the door for more outsourcing.
"A few companies believe there is so much work and risk involved in retrofitting their legacy systems, that they throw it all out and go to a completely new system," Pingle said. ChartOne is one of those few. The company outsources its Web hosting maintenance to managed service provider Euclid.
The tide of outsourcing offers is rising. Executives of Slam Dunk Networks, a company offering encrypted virtual networking, said they are working with five big consulting firms to provide comprehensive outsourcing packages aimed at delivering HIPAA-friendly solutions.