Privacy Policies Tighten Up

Getting a jump on complying with new regulations

With new federal privacy regulations coming on faster than a bad head cold, officials at WellMed Inc. late last year asked legal advisers for a prognosis: Would the health care education Web site be subject to the new HIPAA privacy requirements?

Probably not. While WellMed, based in Portland, Ore., does collect and store medical records from some 700,000 consumers, it is neither a health maintenance organization nor a hospital, the main targets of the Health Insurance Portability and Accountability Act regulations.

The assurances of HIPAA immunity notwithstanding, however, IT managers at WellMed decided to comply with HIPAA privacy regulations. Why spend the time and money when you don't have to? Officials at the e-business saw compliance as a potential competitive advantage rather than an unnecessary hurdle. Being able to tout their adherence to strict privacy standards, officials said, will make it easier for WellMed to reassure and attract consumers and health care industry partners. Plus, they said, complying now could head off trouble later, should lawsuits or legislation expand the scope of HIPAA.

"The public has become much more educated on the issue of health records privacy now," said John Meek, vice president of development at WellMed. Consumers, Meek said, increasingly expect that companies handling health records will safeguard their personal information from snooping marketers and potential employers who could wrongly use the information to deny them job opportunities.

As privacy regulation takes hold in more industries, not just health care, IT managers would do well to emulate WellMed and get a jump on compliance, experts say. That's particularly true, they say, for companies that collect and store sensitive consumer data such as home phone numbers, Social Security numbers, financial records or personal data on children. Even if they're unsure now whether HIPAA or other pending data privacy laws apply to them, such companies may soon be required to get customers' consent before gathering or sharing personal information, experts say. (See chart at left for guidelines to determine if your company is already subject to regulations.)

Erecting privacy barriers

In WellMed's case, the cost of complying with HIPAA regulations did not require major budget surgery. The company, which allows users to store and transfer their full medical histories online and offers personalized health tutorials, already had internal processes for separating information that could be used to identify individuals from other medical history information. So the bulk of WellMed's efforts, which began last June, centered on erecting an improved encryption barrier around its patient-records database. The company began by encrypting individual online transmissions among itself, its consumers, and the HMOs, pharmaceutical benefits managers and insurance companies with which it partners, using the PGP E-Business Server from Network Associates Inc.'s PGP Security unit. The product, used to secure databases and, at the application level, to secure data as it passes from server to server, works across disparate platforms and provides digital signature capabilities. A perpetual license of the PGP E-Business Server such as the one obtained by WellMed is priced at $10,000, according to PGP Security.

WellMed also instituted a sweeping privacy policy addressing the various uses the company might make of anonymous as well as personally identifiable patient data and allowing users to control any information bearing personal markers. Consumers can grant or deny authorization for the use of their private information via e-mail, phone or letter. Without the user's prior authorization, such patient records won't be shared with third parties. The company does share health statistics in the aggregate, however.

Finally, the company ensured that its servers, on-site at its Web hosting provider in Seattle, were accessible only to authorized personnel.

Buying peace of mind

By doing all this, WellMed is complying with HIPAA's ban on "disclosure by sale, rental or barter" of certain personal health data without prior patient authorization. The law also calls for patients to have access to their health records to correct any errors, and WellMed's privacy policy allows for such access online at any time.

While HIPAA was passed by Congress in 1996, its data privacy provisions were announced by the White House in December of last year.

Besides mandating patient access to records and patient authorization, the new provisions require that doctors and companies providing health care services give patients notice of how their health records are being used. Companies covered by HIPAA have two years to comply.

Fines of up to $250,000 and jail terms of up to 10 years could be imposed on violators.

Although WellMed officials say they aren't technically covered by HIPAA, complying with its regulations means peace of mind for WellMed's users and a stronger business model for the company. WellMed aggressively markets its privacy protections on its site.

"Everything we do is consumer-focused," Meek said. "We're not simply trying to cover ourselves by complying with the law. We're complying with the spirit of HIPAA because it makes sense for our business."

According to experts familiar with the lengthy checklist of information within the HIPAA statute about how to determine whether a company must comply with the law, WellMed might discover that the law applies to it after all. It's this uncertainty that argues for a cautious approach by any company to sharing or selling personal consumer information, analysts say.

Any company collecting or storing patient records "must interpret the law to see if they're required to comply" with HIPAA, said Eric Hemmendinger, a health industry analyst with Aberdeen Group Inc., in Boston.

Even if there's doubt about whether new privacy regulations apply to your company, experts say, expect to be asked by business partners to comply, particularly if they are subject to the privacy laws.

In the case of HIPAA, said Jody Patilla, vice president at MetaSeS Inc., a data security consultancy in Atlanta, "Whoever has custody of the patient data is supposed to be responsible for the privacy of the data. HIPAA requires a chain of trust. If you share health records with an insurance company, you need to have an agreement in place that that partner will maintain the same level of security that you will."

The law specifies compliance by HMOs, hospitals, insurance companies, individual doctors and health information "clearinghouses"—a somewhat murky term that health companies are still trying to define, Patilla said.

That kind of regulatory murkiness may be visited soon on other industries as Congress gets serious about online consumer privacy.

The Gramm-Leach-Bliley Financial Services Modernization Act, for example, which passed late in 1999, will require banks and other financial services companies to let consumers decline to share certain personal information. Even if they're not covered now by such legislation, enterprises doing business online should begin to examine the way they think about collecting and storing personal consumer data, according to Aberdeen's Hemmendinger.

"Cleansing personal data of identifying information is going to become key" for companies that have kept identifying markers on such information up until now, he said. Smart companies will try to find ways to collect consumer data anonymously, thus bypassing much of the effort involved in stripping markers off data, Hemmendinger said.
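The three practices this article touches on, separating identifying information from medical history (under "Erecting privacy barriers"), releasing identifiable records only to a partner the patient has authorized, and otherwise sharing health statistics only in the aggregate (the "cleansing" Hemmendinger describes here), fit together in one small store. The following is an added example written for this page; it is not WellMed's code and does not use the PGP product. The HMAC-derived pseudonym, the partner-name authorization ledger, the five-record suppression threshold and the sample patients are all assumptions made for illustration.

```python
"""Two-table patient store: direct identifiers live apart from clinical data,
identifiable disclosure is gated on recorded patient authorization, and
everything else leaves only as suppressed aggregate counts."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass
class Identity:
    """Direct identifiers, held in a table separate from clinical data."""
    name: str
    ssn: str
    email: str


@dataclass
class Clinical:
    """Medical history, linked to the identity table only by a pseudonym."""
    pseudonym: str
    zip3: str         # first three ZIP digits: a quasi-identifier, not a direct one
    birth_year: int   # likewise a quasi-identifier
    conditions: tuple


class PatientStore:
    def __init__(self, link_key: bytes):
        self._link_key = link_key   # assumed secret; stays with the identity table
        self._identities = {}       # pseudonym -> Identity
        self._clinical = {}         # pseudonym -> Clinical
        self._authorizations = {}   # pseudonym -> set of partner names

    def pseudonym_for(self, ssn: str) -> str:
        # Keyed hash (an assumed design choice): the custodian can re-link a
        # returning patient, while a party holding only the clinical table and
        # not the key cannot turn a pseudonym back into an SSN.
        return hmac.new(self._link_key, ssn.encode(), hashlib.sha256).hexdigest()[:16]

    def add(self, ident: Identity, zip3: str, birth_year: int, conditions) -> str:
        p = self.pseudonym_for(ident.ssn)
        self._identities[p] = ident
        self._clinical[p] = Clinical(p, zip3, birth_year, tuple(conditions))
        return p

    def authorize(self, pseudonym: str, partner: str) -> None:
        self._authorizations.setdefault(pseudonym, set()).add(partner)

    def revoke(self, pseudonym: str, partner: str) -> None:
        self._authorizations.get(pseudonym, set()).discard(partner)

    def authorized(self, pseudonym: str, partner: str) -> bool:
        return partner in self._authorizations.get(pseudonym, set())

    def disclose_to(self, partner: str, pseudonym: str) -> dict:
        """Identifiable disclosure to one named partner; refused without the
        patient's prior authorization for that partner."""
        if not self.authorized(pseudonym, partner):
            raise PermissionError(f"no patient authorization on file for {partner}")
        ident, clin = self._identities[pseudonym], self._clinical[pseudonym]
        return {"name": ident.name, "email": ident.email,
                "conditions": list(clin.conditions)}

    def aggregate(self, condition: str, min_cell: int = 5) -> dict:
        """Per-ZIP3 counts of one condition, computed from the clinical table
        alone. Cells below min_cell (an assumed policy threshold) are dropped
        so that a very small group cannot be singled out."""
        counts = Counter(c.zip3 for c in self._clinical.values()
                         if condition in c.conditions)
        return {z: n for z, n in counts.items() if n >= min_cell}


def build_sample_store():
    """Constructed sample data, not real patients: six asthma patients in
    ZIP3 972, one hypertension patient in 972, two asthma patients in 981."""
    store = PatientStore(link_key=b"example-link-key-keep-secret")
    pseudonyms = []
    for i in range(9):
        ident = Identity("Pat %d" % i, "000-00-%04d" % i, "pat%d@example.com" % i)
        zip3 = "972" if i < 7 else "981"
        conds = ("hypertension",) if i == 6 else ("asthma",)
        pseudonyms.append(store.add(ident, zip3, 1970 + i, conds))
    return store, pseudonyms


if __name__ == "__main__":
    store, ps = build_sample_store()
    print(store.aggregate("asthma"))        # only the 972 cell survives suppression
    store.authorize(ps[0], "AcmeInsurance")
    print(store.disclose_to("AcmeInsurance", ps[0]))
```

Two caveats a practitioner would add: ZIP3 and birth year are quasi-identifiers, so the aggregate path still needs a suppression or generalization rule such as the one shown, and a deterministic pseudonym is only as strong as the custody of the key, which is why it belongs on the identity side of the split rather than with the clinical table that gets shared.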