Meeting a Mandate for Patient Privacy

New software aims to help providers and insurers comply with HIPAA.

A handful of developers are rolling out software to help insurance companies and health care providers meet new privacy and security standards being imposed by the U.S. Department of Health and Human Services.

iPrivacy LLC, OpenNetwork Technologies, Biodata Information Technology AG and Check Point Software Technologies Ltd. will enable companies to protect the privacy of patients' personal health records in a way that complies with the latest standards issued under the Health Insurance Portability and Accountability Act, or HIPAA.

Late last month, HHS was due to release the new privacy regulations, which give consumers the right to see a copy of, and request corrections to, their medical records. In addition, they give patients the right to obtain documents on how their health information has been disclosed to others and lay out rules for how health information should be released to protect public health, conduct medical research, improve the quality of care, and deter health care fraud and abuse.

Early this year, HHS will issue the final data security standards that will require health care organizations to establish safeguards to ensure the integrity and confidentiality of this information over voice and data networks.

To meet that need, iPrivacy in the first half of the year will begin testing an e-commerce platform for health care providers that protects individuals' personal identity information by removing it from communications and transactions. Officials of the New York company expect the unnamed platform to be available in the third quarter.

Separately, OpenNetwork, of Clearwater, Fla., will upgrade its DirectorySmart software suite in the first quarter to better enable health care organizations to meet HIPAA standards. The upgrade will add connections to front-end Web applications from back-end systems, enhance performance, increase scalability, add international user interfaces and add support for mobile devices, officials said.

DirectorySmart uses Lightweight Directory Access Protocol directories to secure access to and manage users of a company's e-business applications.

For its part, Biodata Information, a provider of network and communications security based in Burg Lichtenfels, Germany, has announced an alliance with telemedicine developer Advanced Acoustical Concepts Inc. to embed Biodata's BabylonMeta encryption software into AAC's telemedicine products to ensure the integrity and confidentiality of health information.

BabylonMeta, based on the Triple Data Encryption Standard, secures multipoint audio and video conferencing by encrypting voice, data, fax and video, said officials at the company's San Francisco offices.

Finally, Check Point, of Redwood City, Calif., has expanded its partnership with Nokia Corp. to extend firewall, server and client security products to health organizations' satellite offices that have between 10 and 50 users.

Nokia's IP110 appliance, which supports IP routing protocols and remote management capabilities, integrates Check Point's VPN-1/FireWall-1 software with Nokia's IP Network Security platform.

VPN-1/FireWall-1 protects patient information and the internal and external traffic of organizations and provides access control and authentication, Check Point officials said.

Seattle-based Valley Medical Center is using Check Point's VPN-1/FireWall-1 SecureServer as its front-end firewall to ensure access control, authentication, traffic control on the enterprise network and encryption as well as implement server load balancing.

Some health care providers and insurance plans don't consider compliance with the HIPAA privacy and security rules to be burdensome because they are based on sound business practices. But the costs to implement the standards will vary according to the size of the organization and state of the legacy systems already in place.

"We've been plowing the road in anticipation of the emerging standards, and we basically have been taking a financially conservative approach," said Don Lyons, CIO of Valley Medical Center.

Because Lyons believes the potential of breaching patients' medical records is high, he estimates Valley Medical will spend $1 million to $2 million to comply with these latest standards.

Ted Cooper, national director for confidentiality and security at health care provider Kaiser Permanente, is now developing a national plan to determine how to meet the HIPAA requirements. The costs to implement them—producing training materials, training teachers and keeping track of who has been trained—will be incremental, said Cooper, in Oakland, Calif. However, the costs to ready back-end systems for the electronic transaction standards will be millions of dollars and require major changes in infrastructure, officials said.

"I anticipate that we would have to change quite a few back-end systems to comply with the employer, health provider and health plan identifiers [under electronic transactions]," Cooper said.